27 APR 2026
David debugged: OTP rate-limit firing after just two requests on signup
David investigated why a new user (Giancarlo Allio) was locked out with a 900-second OTP cooldown after claiming he only sent two OTP requests.
A user reported being stuck at the OTP screen with a "too many OTP requests — try again in 900 seconds" error. David questioned whether the rate limit was working correctly:
He said he only tried requesting 2 OTPs because he said the first one failed. So it doesn't make any sense that he'd even be rate limited. What is going on?
The production investigation found that the same phone number had hit /phone-otp/send five times in under a minute before the 429 was triggered, which suggests the frontend was silently auto-retrying on perceived failures before any OTP row was committed, so the user appeared to be making duplicate requests without realising it. David's framing steered the investigation toward the client's retry behavior rather than accepting the rate limit as legitimate.
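As an added example (not code from the page's own system), a small triage script over constructed log lines that reproduces the pattern above: it groups /phone-otp/send hits by phone, counts the sends the limiter would have seen in the window before the first 429, and flags inter-request gaps too short for a human, which is the signature of silent client auto-retries. The log format, the 60-second window and the 2-second "faster than a human" threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from any production system):
# timestamp, phone, method, path, status.
SAMPLE_LOG = """\
2026-04-27T09:12:01.120Z phone=+15550000001 POST /phone-otp/send 500
2026-04-27T09:12:01.640Z phone=+15550000001 POST /phone-otp/send 500
2026-04-27T09:12:02.150Z phone=+15550000001 POST /phone-otp/send 200
2026-04-27T09:12:02.660Z phone=+15550000001 POST /phone-otp/send 200
2026-04-27T09:12:44.900Z phone=+15550000001 POST /phone-otp/send 200
2026-04-27T09:12:58.300Z phone=+15550000001 POST /phone-otp/send 429
2026-04-27T09:15:10.000Z phone=+15550000002 POST /phone-otp/send 200
2026-04-27T09:18:30.000Z phone=+15550000002 POST /phone-otp/send 200
"""

def parse_log(text):
    """Parse the constructed log lines into (timestamp, phone, status) tuples."""
    events = []
    for line in text.splitlines():
        ts, phone, _method, path, status = line.split()
        if path != "/phone-otp/send":
            continue
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       phone.split("=", 1)[1], int(status)))
    return events

def retry_bursts(events, window_s=60, gap_s=2.0):
    """Per phone: how many sends the limiter counted before the first 429 and
    how many of them followed the previous one faster than a human could retry."""
    by_phone = defaultdict(list)
    for ts, phone, status in sorted(events):
        by_phone[phone].append((ts, status))
    report = {}
    for phone, hits in by_phone.items():
        first_429 = next((ts for ts, st in hits if st == 429), None)
        if first_429 is None:
            counted = [ts for ts, _st in hits]
        else:  # only sends inside the limiter window before the 429 count
            counted = [ts for ts, st in hits
                       if st != 429 and (first_429 - ts).total_seconds() <= window_s]
        gaps = [(b - a).total_seconds() for a, b in zip(counted, counted[1:])]
        fast = sum(1 for g in gaps if g < gap_s)
        report[phone] = {
            "sends_before_429": len(counted),
            "fast_retries": fast,            # assumed threshold: gap < gap_s
            "rate_limited": first_429 is not None,
            "likely_auto_retry": fast >= 2,  # two or more sub-human gaps
        }
    return report
```

The 500s followed within half a second by further sends are the requests a user never sees, yet every one of them counts against the OTP limit.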