diff --git a/src/NPin.Web/NPinWebModule.cs b/src/NPin.Web/NPinWebModule.cs
index 68c1e21..6548d35 100644
--- a/src/NPin.Web/NPinWebModule.cs
+++ b/src/NPin.Web/NPinWebModule.cs
@@ -15,6 +15,7 @@ using NPin.Framework.AspNetCore.Microsoft.AspNetCore.Builder;
 using NPin.Framework.AspNetCore.Microsoft.Extensions.DependencyInjection;
 using NPin.Framework.TenantManagement.Application;
 using NPin.Framework.Upms.Application;
+using NPin.Framework.Upms.Domain.Authorization;
 using NPin.Framework.Upms.Domain.Shared.Consts;
 using NPin.Framework.Upms.Domain.Shared.Options;
 using NPin.SqlSugarCore;
@@ -249,13 +250,24 @@ public class NPinWebModule : AbpModule
     public override Task OnApplicationInitializationAsync(ApplicationInitializationContext context)
     {
         var app = context.GetApplicationBuilder();
-
+        var env = context.GetEnvironment();
+        
         app.UseRouting();
 
         // Cors
         app.UseCors(DefaultCorsPolicyName);
 
-        // TODO 无感Token refresh
+        // 非开发环境，开启限流
+        if (!env.IsDevelopment())
+        {
+            app.UseRateLimiter();
+        }
+        
+        // 无感Token刷新，先刷新再鉴权
+        app.UseRefreshToken();
+
+        // 鉴权
+        app.UseAuthentication();
 
         // 多租户
         app.UseMultiTenancy();
@@ -277,10 +289,10 @@ public class NPinWebModule : AbpModule
         // 授权
         app.UseAuthorization();
 
-        // 审计
+        // 审计日志
         app.UseAuditing();
 
-        // 日志
+        // 日志记录
         app.UseAbpSerilogEnrichers();
 
         // 终端节点