diff --git a/internal/api/mail.go b/internal/api/mail.go
index 5b31f4878..f7ce3d0c0 100644
--- a/internal/api/mail.go
+++ b/internal/api/mail.go
@@ -627,14 +627,17 @@ func (a *API) sendEmail(r *http.Request, tx *storage.Connection, u *models.User,
 }
 }
- // apply rate limiting before the email is sent out
- if ok := a.limiterOpts.Email.Allow(); !ok {
- emailRateLimitCounter.Add(
- ctx,
- 1,
- metric.WithAttributeSet(attribute.NewSet(attribute.String("path", r.URL.Path))),
- )
- return EmailRateLimitExceeded
+ // TODO(km): Deprecate this behaviour - rate limits should still be applied to autoconfirm
+ if !config.Mailer.Autoconfirm {
+ // apply rate limiting before the email is sent out
+ if ok := a.limiterOpts.Email.Allow(); !ok {
+ emailRateLimitCounter.Add(
+ ctx,
+ 1,
+ metric.WithAttributeSet(attribute.NewSet(attribute.String("path", r.URL.Path))),
+ )
+ return EmailRateLimitExceeded
+ }
 }
 if config.Hook.SendEmail.Enabled {
diff --git a/internal/api/phone.go b/internal/api/phone.go
index 7886210f6..f7a8fbda8 100644
--- a/internal/api/phone.go
+++ b/internal/api/phone.go
@@ -86,9 +86,12 @@ func (a *API) sendPhoneConfirmation(r *http.Request, tx *storage.Connection, use
 // not using test OTPs
 if otp == "" {
- // apply rate limiting before the sms is sent out
- if ok := a.limiterOpts.Phone.Allow(); !ok {
- return "", tooManyRequestsError(ErrorCodeOverSMSSendRateLimit, "SMS rate limit exceeded")
+ // TODO(km): Deprecate this behaviour - rate limits should still be applied to autoconfirm
+ if !config.Sms.Autoconfirm {
+ // apply rate limiting before the sms is sent out
+ if ok := a.limiterOpts.Phone.Allow(); !ok {
+ return "", tooManyRequestsError(ErrorCodeOverSMSSendRateLimit, "SMS rate limit exceeded")
+ }
 }
 otp, err = crypto.GenerateOtp(config.Sms.OtpLength)
 if err != nil {
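Review bot: When `config.Mailer.Autoconfirm` is set, the new guard in sendEmail skips `a.limiterOpts.Email.Allow()` altogether, yet execution still falls through to the `config.Hook.SendEmail.Enabled` send path below it, so mail leaves this function with no send limit at all. The condition is a deployment-wide flag rather than a property of the message, so any other email type routed through sendEmail (its callers are outside the hunk) would lose the limit too, and nothing is counted or logged when the limiter is bypassed. The phone.go hunk has the same shape with `config.Sms.Autoconfirm` and `a.limiterOpts.Phone.Allow()`, where each unthrottled send also has a per-message cost. I would narrow the bypass to the one flow that needs it, and until then state the exposure beside the TODO, e.g. `// SECURITY: autoconfirm disables the send rate limit for everything sent from here; tracked in <issue-id>`. sendEmail starts and ends outside the hunk.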