diff --git a/src/http/app.ts b/src/http/app.ts
index 89d9eac..b10a06a 100644
--- a/src/http/app.ts
+++ b/src/http/app.ts
@@ -94,18 +94,11 @@ export function createApp(): Express {
     }),
   );
 
-  // ── 7. Modules that bypass the rate limiter (health probes) ──
-  // Mounted BEFORE globalLimiter so k8s probes are never throttled and
-  // /readyz can still report on Redis health when Redis is the thing
-  // that's failing.
-  for (const m of modules) {
-    if (m.bypassRateLimit) app.use(m.mountPath, m.router);
-  }
-
-  // ── 8. Global rate limit (Redis-backed) ──
-  app.use(globalLimiter);
-
-  // ── 9. Modules that need raw bodies (mounted BEFORE body parsers) ──
+  // ── 7. Modules that need raw bodies (mounted BEFORE body parsers) ──
+  // Better Auth's catch-all reads the raw request stream itself, so it MUST
+  // sit above the body parsers. It carries its own Redis brute-force limiter
+  // (authLimiter, in its router), so sitting above the global limiter here
+  // costs it no protection.
   for (const m of modules) {
     if (m.rawBody) app.use(m.mountPath, m.router);
   }
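Review bot: The loop on the new side mounts every module with `m.rawBody` above the global limiter, but the new comment justifies that only for Better Auth's router carrying `authLimiter`; `rawBody` says nothing about whether a module throttles itself, so any other raw-body module added to `modules` later would be mounted with no rate limit at all. Either tie the guard to an explicit "has its own limiter" contract on the module, or at minimum state the invariant next to the loop: `// INVARIANT: every rawBody module MUST ship its own rate limiter — nothing above this mount throttles it.` The `bypassRateLimit` mount and `app.use(globalLimiter)` are removed here with no replacement visible in the hunk; the comment implies the global limiter is now mounted further down, so please confirm the health-probe bypass is also re-mounted ahead of it, otherwise the /readyz-during-Redis-outage behaviour the old comment described is lost. createApp begins and ends outside this hunk.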