diff --git a/crates/app/src/routes/api/v1/apps.rs b/crates/app/src/routes/api/v1/apps.rs
index cdcea02..c4e2809 100644
--- a/crates/app/src/routes/api/v1/apps.rs
+++ b/crates/app/src/routes/api/v1/apps.rs
@@ -9,7 +9,7 @@ use crate::{
 use axum::{Extension, Json, extract::Path, response::IntoResponse};
 use axum_extra::extract::CookieJar;
 use tetratto_core::model::{
- apps::ThirdPartyApp,
+ apps::{AppQuota, ThirdPartyApp},
 oauth::{AuthGrant, PkceChallengeMethod},
 permissions::FinePermission,
 ApiReturn, Error,
@@ -202,6 +202,18 @@ pub async fn grant_request(
 return Json(Error::MiscError("This app already has a grant".to_string()).into());
 }
+ // check number of existing grants
+ if app.quota_status == AppQuota::Limited && app.grants >= 5 {
+ return Json(
+ Error::MiscError(
+ "This app has reached its limit. Tell the owner to apply for an extension"
+ .to_string(),
+ )
+ .into(),
+ );
+ }
+
+ // ...
 let grant = AuthGrant {
 app: app.id,
 challenge: req.challenge,
diff --git a/crates/core/src/model/oauth.rs b/crates/core/src/model/oauth.rs
index 8218b05..438f5fd 100644
--- a/crates/core/src/model/oauth.rs
+++ b/crates/core/src/model/oauth.rs
@@ -38,7 +38,7 @@ pub enum PkceChallengeMethod {
 #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
 pub enum AppScope {
- /// Read the profile of other user's on behalf of the user.
+ /// Read the profile of other users on behalf of the user.
 UserReadProfiles,
 /// Read the user's profile (username, bio, etc).
 UserReadProfile,
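Review bot: The quota check added to grant_request compares `app.grants >= 5` against a value that was loaded earlier in the handler, so concurrent grant requests for a Limited app that is one below the cap could each pass the check and each create a grant. This assumes the counter is updated in a separate step, which the hunk does not show. If the quota is meant to be a hard cap, it should be enforced in the same database statement or transaction that records the grant and bumps the counter, keeping this check only as an early rejection. The literal `5` would also be easier to audit as a named constant defined beside `AppQuota`, for example `if app.quota_status == AppQuota::Limited && app.grants >= LIMITED_APP_MAX_GRANTS {` (the constant name is a suggestion). The body of grant_request starts and ends outside the hunk, so the increment path could not be checked here.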