diff --git a/README.md b/README.md
index 757a0b51..30c6aac9 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,7 @@ Edit the default configuration of the server by adding options to your **laravel
 | `apiOriginAllow`   | `{}`                 | Configuration to allow API be accessed over CORS. [Example](#cross-domain-access-to-api) |
 | `authEndpoint`     | `/broadcasting/auth` | The route that authenticates private channels  |
 | `authHost`         | `http://localhost`   | The host of the server that authenticates private and presence channels  |
+| `maxConcurrentAuthRequests`         | `null`   | Max number of concurrent auth requests, null -> unlimited   |
 | `database`         | `redis`              | Database used to store data that should persist, like presence channel members. Options are currently `redis` and `sqlite` |
 | `databaseConfig`   |  `{}`                | Configurations for the different database drivers [Example](#database) |
 | `devMode`          | `false`              | Adds additional logging for development purposes |
@@ -101,6 +102,7 @@ file, the following options can be overridden:
 - `authHost`: `LARAVEL_ECHO_SERVER_AUTH_HOST` *Note*: This option will fall back to the `LARAVEL_ECHO_SERVER_HOST` option as the default if that is set in the .env file.
 - `host`: `LARAVEL_ECHO_SERVER_HOST`
 - `port`: `LARAVEL_ECHO_SERVER_PORT`
+- `maxConcurrentAuthRequests`: `LARAVEL_ECHO_MAX_CONCURRENT_AUTH_REQUESTS`
 - `devMode`: `LARAVEL_ECHO_SERVER_DEBUG`
 - `databaseConfig.redis.host`: `LARAVEL_ECHO_SERVER_REDIS_HOST`
 - `databaseConfig.redis.port`: `LARAVEL_ECHO_SERVER_REDIS_PORT`
diff --git a/package-lock.json b/package-lock.json
index 4af64c6d..9ebb7f9a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -199,6 +199,11 @@
         }
       }
     },
+    "bottleneck": {
+      "version": "2.19.5",
+      "resolved": "https://registry.npmjs.org/bottleneck/-/bottleneck-2.19.5.tgz",
+      "integrity": "sha512-VHiNCbI1lKdl44tGrhNfU3lup0Tj/ZBMJB5/2ZbNXRCPuRCO7ed2mgcK4r17y+KB2EfuYuRaVlwNbAeaWGSpbw=="
+    },
     "bytes": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.0.tgz",
@@ -1253,7 +1258,7 @@
       "dependencies": {
         "ms": {
           "version": "2.0.0",
-          "resolved": false,
+          "resolved": "",
           "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
         },
         "socket.io-parser": {
diff --git a/package.json b/package.json
index 335d2528..959ff9e5 100644
--- a/package.json
+++ b/package.json
@@ -22,6 +22,7 @@
     "prepublish": "npm run build"
   },
   "dependencies": {
+    "bottleneck": "^2.19.5",
     "colors": "^1.4.0",
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
diff --git a/src/channels/private-channel.ts b/src/channels/private-channel.ts
index 35c030cc..9dccc7b6 100644
--- a/src/channels/private-channel.ts
+++ b/src/channels/private-channel.ts
@@ -2,6 +2,7 @@ let request = require('request');
 let url = require('url');
 import { Channel } from './channel';
 import { Log } from './../log';
+let Bottleneck = require('bottleneck');
 
 export class PrivateChannel {
     /**
@@ -9,6 +10,9 @@ export class PrivateChannel {
      */
     constructor(private options: any) {
         this.request = request;
+        this.limiter = new Bottleneck({
+            maxConcurrent: options.maxConcurrentAuthRequests
+        });
     }
 
     /**
@@ -16,6 +20,11 @@ export class PrivateChannel {
      */
     private request: any;
 
+    /**
+     * Limiter.
+     */
+    private limiter: any;
+
     /**
      * Send authentication request to application server.
      */
@@ -31,7 +40,7 @@ export class PrivateChannel {
             Log.info(`[${new Date().toISOString()}] - Sending auth request to: ${options.url}\n`);
         }
 
-        return this.serverRequest(socket, options);
+        return this.limiter.schedule(() => this.serverRequest(socket, options));
     }
 
     /**
diff --git a/src/cli/cli.ts b/src/cli/cli.ts
index ec12f200..e656c2b9 100644
--- a/src/cli/cli.ts
+++ b/src/cli/cli.ts
@@ -31,6 +31,7 @@ export class Cli {
         LARAVEL_ECHO_SERVER_DEBUG: "devMode",
         LARAVEL_ECHO_SERVER_HOST: "host",
         LARAVEL_ECHO_SERVER_PORT: "port",
+        LARAVEL_ECHO_MAX_CONCURRENT_AUTH_REQUESTS: "maxConcurrentAuthRequests",
         LARAVEL_ECHO_SERVER_REDIS_HOST: "databaseConfig.redis.host",
         LARAVEL_ECHO_SERVER_REDIS_PORT: "databaseConfig.redis.port",
         LARAVEL_ECHO_SERVER_REDIS_PASSWORD: "databaseConfig.redis.password",
diff --git a/src/echo-server.ts b/src/echo-server.ts
index 069335c2..f442b5ce 100644
--- a/src/echo-server.ts
+++ b/src/echo-server.ts
@@ -17,6 +17,7 @@ export class EchoServer {
     public defaultOptions: any = {
         authHost: 'http://localhost',
         authEndpoint: '/broadcasting/auth',
+        maxConcurrentAuthRequests: null,
         clients: [],
         database: 'redis',
         databaseConfig: {