diff --git a/routes/api.php b/routes/api.php
index 23d1b63..1c0e3fc 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -52,10 +52,12 @@ Route::prefix('webhooks')->group(function () {
 // });
 
 // ─────────────────────────────────────────────────────────────────────────────
-// Commerce Billing API (authenticated)
+// Commerce Billing API (authenticated + verified)
 // ─────────────────────────────────────────────────────────────────────────────
 
-Route::middleware('auth')->prefix('commerce')->group(function () {
+Route::middleware(['auth', 'verified'])->prefix('commerce')->group(function () {
+    // ── Read-only endpoints ──────────────────────────────────────────────
+
     // Billing overview
     Route::get('/billing', [CommerceController::class, 'billing'])
         ->name('api.commerce.billing');
@@ -74,21 +76,27 @@ Route::middleware('auth')->prefix('commerce')->group(function () {
     Route::get('/invoices/{invoice}/download', [CommerceController::class, 'downloadInvoice'])
         ->name('api.commerce.invoices.download');
 
-    // Subscription
+    // Subscription (read)
     Route::get('/subscription', [CommerceController::class, 'subscription'])
         ->name('api.commerce.subscription');
-    Route::post('/cancel', [CommerceController::class, 'cancelSubscription'])
-        ->name('api.commerce.cancel');
-    Route::post('/resume', [CommerceController::class, 'resumeSubscription'])
-        ->name('api.commerce.resume');
 
     // Usage
     Route::get('/usage', [CommerceController::class, 'usage'])
         ->name('api.commerce.usage');
 
-    // Plan changes
-    Route::post('/upgrade/preview', [CommerceController::class, 'previewUpgrade'])
-        ->name('api.commerce.upgrade.preview');
-    Route::post('/upgrade', [CommerceController::class, 'executeUpgrade'])
-        ->name('api.commerce.upgrade');
+    // ── State-changing endpoints (rate-limited) ──────────────────────────
+
+    Route::middleware('throttle:6,1')->group(function () {
+        // Subscription management
+        Route::post('/cancel', [CommerceController::class, 'cancelSubscription'])
+            ->name('api.commerce.cancel');
+        Route::post('/resume', [CommerceController::class, 'resumeSubscription'])
+            ->name('api.commerce.resume');
+
+        // Plan changes
+        Route::post('/upgrade/preview', [CommerceController::class, 'previewUpgrade'])
+            ->name('api.commerce.upgrade.preview');
+        Route::post('/upgrade', [CommerceController::class, 'executeUpgrade'])
+            ->name('api.commerce.upgrade');
+    });
 });