diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs index e53b3a4..feb4fc5 100644 --- a/src/Budget.Api/Program.cs +++ b/src/Budget.Api/Program.cs @@ -171,12 +171,14 @@ using (var scope = app.Services.CreateScope()) app.UseForwardedHeaders(); app.UseMiddleware(); -app.UseRateLimiter(); - app.UseDefaultFiles(); app.UseStaticFiles(); +// Authentication must run before the rate limiter so limiter partitions can +// read the validated "sub" claim; otherwise every authenticated request falls +// back to the per-IP bucket (auth-hardening-review.md, finding B-1). app.UseAuthentication(); +app.UseRateLimiter(); app.UseAuthorization(); app.MapControllers();
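Review bot: Moving `app.UseRateLimiter()` below `app.UseAuthentication()` also takes the authentication handler and the static-file middleware out of the limiter's protection: the default-scheme handler now validates every incoming token (valid, expired or forged) before any bucket is consulted, and `UseDefaultFiles`/`UseStaticFiles`, which previously sat after the limiter, are now served unthrottled. If per-`sub` partitioning is the goal the new order is forced, but the trade-off should be stated where the next reader will look — extend the added comment with something like `// Trade-off: token validation and static files now run ahead of the limiter; flood` / `// protection for those stages must come from the edge/proxy limiter, not this one.` — and confirm that such an upstream control actually exists before merging. It is also worth checking that the limiter's fallback key reads the client address as rewritten by `UseForwardedHeaders()` (first in the pipeline here, which looks right) rather than the raw socket address, otherwise all requests behind the proxy share one per-IP bucket. The rest of the pipeline setup continues outside the hunk.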