diff --git a/lib/tunnelbroker/use-peer-to-peer-message-handler.js b/lib/tunnelbroker/use-peer-to-peer-message-handler.js
--- a/lib/tunnelbroker/use-peer-to-peer-message-handler.js
+++ b/lib/tunnelbroker/use-peer-to-peer-message-handler.js
@@ -1,6 +1,7 @@
 // @flow
 
 import invariant from 'invariant';
+import _debounce from 'lodash/debounce.js';
 import _isEqual from 'lodash/fp/isEqual.js';
 import * as React from 'react';
 import uuid from 'uuid';
@@ -10,6 +11,7 @@
 import { invalidateTunnelbrokerDeviceTokenActionType } from '../actions/tunnelbroker-actions.js';
 import { logOutActionTypes, useBaseLogOut } from '../actions/user-actions.js';
 import {
+  type OlmDebugLog,
   useDebugLogs,
   useOlmDebugLogs,
 } from '../components/debug-logs-context.js';
@@ -27,11 +29,15 @@
 import { dmOperationSpecificationTypes } from '../shared/dm-ops/dm-op-types.js';
 import { useProcessDMOperation } from '../shared/dm-ops/process-dm-ops.js';
 import { IdentityClientContext } from '../shared/identity-client-context.js';
-import type { DeviceOlmInboundKeys } from '../types/identity-service-types.js';
+import type {
+  IdentityServiceClient,
+  DeviceOlmInboundKeys,
+} from '../types/identity-service-types';
 import {
   peerToPeerMessageTypes,
   type PeerToPeerMessage,
   type SenderInfo,
+  type RefreshKeyRequest,
 } from '../types/tunnelbroker/peer-to-peer-message-types.js';
 import {
   userActionsP2PMessageTypes,
@@ -451,26 +457,7 @@
           });
         }
       } else if (message.type === peerToPeerMessageTypes.REFRESH_KEY_REQUEST) {
-        let resultDescription = 'starting',
-          success = false;
-        try {
-          await olmAPI.initializeCryptoAccount();
-          resultDescription = 'getting OTKs';
-          const oneTimeKeys = await olmAPI.getOneTimeKeys(message.numberOfKeys);
-          resultDescription = 'uploading OTKs';
-          await identityClient.uploadOneTimeKeys(oneTimeKeys);
-          success = true;
-        } catch (e) {
-          resultDescription = `Error uploading one-time keys: ${
-            getMessageForException(e) ?? ''
-          }`;
-        } finally {
-          olmDebugLog({
-            operation: 'uploadOneTimeKeys',
-            success,
-            resultDescription,
-          });
-        }
+        await debouncedRefreshOneTimeKeys(message, identityClient, olmDebugLog);
       } else if (message.type === peerToPeerMessageTypes.DEVICE_LIST_UPDATED) {
         try {
           const result = await verifyAndGetDeviceList(
@@ -569,4 +556,36 @@
   );
 }
 
+const debouncedRefreshOneTimeKeys = _debounce(
+  async (
+    message: RefreshKeyRequest,
+    identityClient: IdentityServiceClient,
+    olmDebugLog: OlmDebugLog => mixed,
+  ) => {
+    const { olmAPI } = getConfig();
+    let resultDescription = 'starting',
+      success = false;
+    try {
+      await olmAPI.initializeCryptoAccount();
+      resultDescription = 'getting OTKs';
+      const oneTimeKeys = await olmAPI.getOneTimeKeys(message.numberOfKeys);
+      resultDescription = 'uploading OTKs';
+      await identityClient.uploadOneTimeKeys(oneTimeKeys);
+      success = true;
+    } catch (e) {
+      resultDescription = `Error uploading one-time keys: ${
+        getMessageForException(e) ?? ''
+      }`;
+    } finally {
+      olmDebugLog({
+        operation: 'uploadOneTimeKeys',
+        success,
+        resultDescription,
+      });
+    }
+  },
+  5000,
+  { leading: true, trailing: true },
+);
+
 export { usePeerToPeerMessageHandler, useHandleOlmMessageToDevice };