diff --git a/demo/payload.config.js b/demo/payload.config.js
index 5de7b31795..81926b49aa 100644
--- a/demo/payload.config.js
+++ b/demo/payload.config.js
@@ -105,6 +105,7 @@ module.exports = {
   rateLimit: {
     window: 15 * 60 * 100,
     max: 100,
+    skip: (req) => req.ip === '127.0.0.1',
   },
   localization: {
     locales: [
diff --git a/src/express/middleware/index.js b/src/express/middleware/index.js
index 5e3b895f7d..1a5f44e01e 100644
--- a/src/express/middleware/index.js
+++ b/src/express/middleware/index.js
@@ -14,6 +14,9 @@ const middleware = (payload) => [
   rateLimit({
     windowMs: payload.config.rateLimit.window,
     max: payload.config.rateLimit.max,
+    skip(req) {
+      return payload.config.rateLimit.whitelist.includes(req.ip);
+    },
   }),
   passport.initialize(),
   identifyAPI('REST'),
diff --git a/src/utilities/sanitizeConfig.js b/src/utilities/sanitizeConfig.js
index cfc441d133..314a63e0e5 100644
--- a/src/utilities/sanitizeConfig.js
+++ b/src/utilities/sanitizeConfig.js
@@ -46,6 +46,7 @@ const sanitizeConfig = (config) => {
   sanitizedConfig.rateLimit = config.rateLimit || {};
   sanitizedConfig.rateLimit.window = sanitizedConfig.rateLimit.window || 15 * 60 * 100; // 15min default
   sanitizedConfig.rateLimit.max = sanitizedConfig.rateLimit.max || 100;
+  sanitizedConfig.rateLimit.whitelist = sanitizedConfig.rateLimit.max || [];
 
   sanitizedConfig.components = { ...(config.components || {}) };
   sanitizedConfig.hooks = { ...(config.hooks || {}) };