diff --git a/api/src/core/api.js b/api/src/core/api.js
index 050825e2..80da5bcc 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -81,7 +81,7 @@ export const runAPI = (express, app, __dirname) => {
         handler: handleRateExceeded
     })
 
-    const apiLimiterStream = rateLimit({
+    const apiTunnelLimiter = rateLimit({
         windowMs: env.rateLimitWindow * 1000,
         max: env.rateLimitMax,
         standardHeaders: true,
@@ -105,8 +105,6 @@ export const runAPI = (express, app, __dirname) => {
         ...corsConfig,
     }));
 
-    app.use('/tunnel', apiLimiterStream);
-
     app.post('/', (req, res, next) => {
         if (!acceptRegex.test(req.header('Accept'))) {
             return fail(res, "error.api.header.accept");
@@ -231,7 +229,7 @@ export const runAPI = (express, app, __dirname) => {
         }
     })
 
-    app.get('/tunnel', (req, res) => {
+    app.get('/tunnel', apiTunnelLimiter, (req, res) => {
         const id = String(req.query.id);
         const exp = String(req.query.exp);
         const sig = String(req.query.sig);