diff --git a/src/routes/idaa/(idaa)/+layout.svelte b/src/routes/idaa/(idaa)/+layout.svelte
index 76c9ea40..cde4d444 100644
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -111,11 +111,13 @@ $effect(() => {
  * Verifies a Novi UUID against the Novi API and sets permissions accordingly.
  * "All or nothing" — if no API key is configured or the call fails, access is denied.
  * Called from within untrack(), so store writes here will not trigger reactive loops.
+ * On a 429 rate-limit response, waits 10 seconds and retries once before failing.
  */
 async function verify_novi_uuid(
     uuid: string,
     api_key: string | null,
-    api_root_url: string
+    api_root_url: string,
+    is_retry: boolean = false
 ) {
     console.log(`IDAA Layout: Starting Novi UUID verification for ${uuid}...`);
     if (!api_key) {
@@ -138,6 +140,16 @@ async function verify_novi_uuid(
             headers
         });
 
+        if (response.status === 429) {
+            if (is_retry) {
+                throw new Error(`Novi API rate limited for UUID ${uuid} (retry also failed)`);
+            }
+            console.warn(`IDAA Layout: Novi API rate limited (429) for ${uuid}. Retrying in 10s...`);
+            await new Promise<void>((resolve) => setTimeout(resolve, 10_000));
+            await verify_novi_uuid(uuid, api_key, api_root_url, true);
+            return;
+        }
+
         if (!response.ok) {
             throw new Error(`Novi API returned ${response.status} for UUID ${uuid}`);
         }