diff --git a/backend/app/core/verification/email/verificationService.py b/backend/app/core/verification/email/verificationService.py
index eb5636c..24cc626 100644
--- a/backend/app/core/verification/email/verificationService.py
+++ b/backend/app/core/verification/email/verificationService.py
@@ -19,6 +19,10 @@ LOGIN_CODE_EXPIRE_MINUTES = os.getenv("LOGIN_CODE_EXPIRE_MINUTES",5)
 # 同一邮箱发送验证码的冷却间隔(秒)
 CODE_SEND_COOLDOWN_SECONDS = os.getenv("CODE_SEND_COOLDOWN_SECONDS",60)

+CODE_VERIFICATE_ATTEMP_SECONDS = os.getenv("CODE_VERIFICATE_ATTEMP_SECONDS", 60)
+
+CODE_VERIFICATE_ATTEMP_COUNT = os.getenv("CODE_VERIFICATE_ATTEMP_COUNT", 10)
+
 class CodeExpiredError(Exception):
 """code has been expired"""
 pass
@@ -62,8 +66,13 @@ class EmailVerificationService:

 def verify_code(self,email: str, code: str, purpose: VerificationPurpose):
 email = email.lower()
+ key = f"verification:attempts:{purpose.value.lower()}:{email}"
 code_hash = hash_verification_code(code)

+ attempts = self.repo.incr(key, int(CODE_VERIFICATE_ATTEMP_SECONDS))
+ if attempts > int(CODE_VERIFICATE_ATTEMP_COUNT):
+ raise TooManyCodeRequestsError("Too many attempts")
+
 stored = self.repo.compare_and_consume(email, purpose, code_hash)

 if stored == False:
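Review bot: The two new settings keep the raw `os.getenv` result, so a non-numeric environment value only fails at the `int(...)` calls inside `verify_code`, as a `ValueError` on every verification request instead of at startup. Parsing once at import time would surface a bad value immediately, e.g. `CODE_VERIFICATE_ATTEMP_COUNT = int(os.getenv("CODE_VERIFICATE_ATTEMP_COUNT", "10"))`, and the same for the window. Unlike the neighbouring constants, these two have no comment; something like `# max verify attempts per email and purpose within the window` and `# length of the attempt-counting window (seconds)` would help. The names also misspell "VERIFY_ATTEMPT", which is cheaper to correct before the environment variable names are deployed anywhere.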
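Review bot: The attempt limit in `verify_code` resets every `CODE_VERIFICATE_ATTEMP_SECONDS` while the issued code stays valid, so the guess budget is per window rather than per code; with the defaults visible here (10 attempts per 60 s, login codes expiring after 5 minutes) one code can still absorb roughly 50 guesses. Consider making the counter's TTL at least the code lifetime for the given purpose, or invalidating the stored code once the limit is exceeded, and clearing the counter when a fresh code is issued. Whether `self.repo.incr` sets the expiry only on the first increment or refreshes it on every call is not visible in this hunk and should be documented at the call site, e.g. `# fixed window: TTL is set on the first increment only`, because a refreshed TTL would keep a legitimate user locked out for as long as requests for that address keep arriving. Reusing `TooManyCodeRequestsError` for failed verifications may also make callers show the send-cooldown message, which is worth checking in the handler. `verify_code` continues past the end of the hunk, so any handling after `compare_and_consume` is not covered by this note.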