diff --git a/app/src/forms/form/formMetadata/routes.js b/app/src/forms/form/formMetadata/routes.js
index a5171de17..8c9f556ec 100644
--- a/app/src/forms/form/formMetadata/routes.js
+++ b/app/src/forms/form/formMetadata/routes.js
@@ -1,11 +1,13 @@
 const routes = require('express').Router();
 const { currentUser, hasFormPermissions } = require('../../auth/middleware/userAccess');
+const rateLimiter = require('../../common/middleware').apiKeyRateLimiter;
 const validateParameter = require('../../common/middleware/validateParameter');
 const P = require('../../common/constants').Permissions;
 
 const controller = require('./controller');
 
 routes.use(currentUser);
+routes.use(rateLimiter);
 
 routes.param('formId', validateParameter.validateFormId);
 
diff --git a/app/tests/unit/forms/form/formMetadata/routes.spec.js b/app/tests/unit/forms/form/formMetadata/routes.spec.js
index 3dc080f85..966438e58 100644
--- a/app/tests/unit/forms/form/formMetadata/routes.spec.js
+++ b/app/tests/unit/forms/form/formMetadata/routes.spec.js
@@ -73,7 +73,7 @@ describe(`${basePath}/:formId/formMetadata`, () => {
     expect(apiAccess).toBeCalledTimes(0);
     expect(controller.delete).toBeCalledTimes(1);
     expect(hasFormPermissionsMock).toBeCalledTimes(1);
-    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
     expect(userAccess.currentUser).toBeCalledTimes(1);
     expect(validateParameter.validateFormId).toBeCalledTimes(1);
   });
@@ -88,7 +88,7 @@ describe(`${basePath}/:formId/formMetadata`, () => {
     expect(apiAccess).toBeCalledTimes(0);
     expect(controller.read).toBeCalledTimes(1);
     expect(hasFormPermissionsMock).toBeCalledTimes(1);
-    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
     expect(userAccess.currentUser).toBeCalledTimes(1);
     expect(validateParameter.validateFormId).toBeCalledTimes(1);
   });
@@ -103,7 +103,7 @@ describe(`${basePath}/:formId/formMetadata`, () => {
     expect(apiAccess).toBeCalledTimes(0);
     expect(controller.create).toBeCalledTimes(1);
     expect(hasFormPermissionsMock).toBeCalledTimes(1);
-    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
     expect(userAccess.currentUser).toBeCalledTimes(1);
     expect(validateParameter.validateFormId).toBeCalledTimes(1);
   });
@@ -118,7 +118,7 @@ describe(`${basePath}/:formId/formMetadata`, () => {
     expect(apiAccess).toBeCalledTimes(0);
     expect(controller.update).toBeCalledTimes(1);
     expect(hasFormPermissionsMock).toBeCalledTimes(1);
-    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(0);
+    expect(rateLimiter.apiKeyRateLimiter).toBeCalledTimes(1);
     expect(userAccess.currentUser).toBeCalledTimes(1);
     expect(validateParameter.validateFormId).toBeCalledTimes(1);
   });