diff --git a/crates/cli/src/util.rs b/crates/cli/src/util.rs
index 3588b6895..70bffa3cd 100644
--- a/crates/cli/src/util.rs
+++ b/crates/cli/src/util.rs
@@ -211,6 +211,7 @@ pub fn site_config_from_config(
 password_login_enabled: password_config.enabled(),
 password_registration_enabled: password_config.enabled()
 && account_config.password_registration_enabled,
+ registration_token_required: account_config.registration_token_required,
 email_change_allowed: account_config.email_change_allowed,
 displayname_change_allowed: account_config.displayname_change_allowed,
 password_change_allowed: password_config.enabled()
diff --git a/crates/config/src/sections/account.rs b/crates/config/src/sections/account.rs
index 28733c7ef..a9d51afbb 100644
--- a/crates/config/src/sections/account.rs
+++ b/crates/config/src/sections/account.rs
@@ -72,6 +72,15 @@ pub struct AccountConfig {
 /// This has no effect if password login is disabled.
 #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
 pub login_with_email_allowed: bool,
+
+ /// Whether registration tokens are required for password registrations.
+ /// Defaults to `false`.
+ ///
+ /// When enabled, users must provide a valid registration token during
+ /// password registration. This has no effect if password registration
+ /// is disabled.
+ #[serde(default = "default_false", skip_serializing_if = "is_default_false")]
+ pub registration_token_required: bool,
 }

 impl Default for AccountConfig {
@@ -84,6 +93,7 @@ impl Default for AccountConfig {
 password_recovery_enabled: default_false(),
 account_deactivation_allowed: default_true(),
 login_with_email_allowed: default_false(),
+ registration_token_required: default_false(),
 }
 }
 }
@@ -98,6 +108,7 @@ impl AccountConfig {
 && is_default_false(&self.password_recovery_enabled)
 && is_default_true(&self.account_deactivation_allowed)
 && is_default_false(&self.login_with_email_allowed)
+ && is_default_false(&self.registration_token_required)
 }
 }

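Review bot: `registration_token_required` is copied into `SiteConfig` unconditionally, while the neighbouring `password_registration_enabled` is derived as `password_config.enabled() && account_config.password_registration_enabled`. The option's documentation says it has no effect when password registration is disabled, so every consumer of `SiteConfig` has to re-check that precondition itself. I would add a comment on the new line such as `// only meaningful when password_registration_enabled is true`, and put the same caveat on the `SiteConfig` field doc in `crates/data-model/src/site_config.rs`. Nothing visible in this diff consumes the flag, so it is worth confirming that the registration handler rejects a missing or invalid token on the server side and fails closed. `site_config_from_config` starts and ends outside the hunk.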
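Review bot: The doc comment on `registration_token_required` scopes the requirement to password registration, but does not say whether accounts created through other paths, for example an upstream OAuth 2.0 provider, are gated as well. An operator who turns this on to close open sign-up may assume it covers every registration path. If other paths are indeed unaffected, I would add a line such as `/// This does not restrict registrations through upstream providers.` and mirror it in the schema description and `docs/reference/configuration.md`. The `AccountConfig` struct starts outside the hunk.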
diff --git a/crates/data-model/src/site_config.rs b/crates/data-model/src/site_config.rs
index de07a03c5..e9cf6ba0e 100644
--- a/crates/data-model/src/site_config.rs
+++ b/crates/data-model/src/site_config.rs
@@ -64,6 +64,9 @@ pub struct SiteConfig {
 /// Whether password registration is enabled.
 pub password_registration_enabled: bool,

+ /// Whether registration tokens are required for password registrations.
+ pub registration_token_required: bool,
+
 /// Whether users can change their email.
 pub email_change_allowed: bool,

diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
index cdbc981d1..81dbf1740 100644
--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -136,6 +136,7 @@ pub fn test_site_config() -> SiteConfig {
 imprint: None,
 password_login_enabled: true,
 password_registration_enabled: true,
+ registration_token_required: false,
 email_change_allowed: true,
 displayname_change_allowed: true,
 password_change_allowed: true,
diff --git a/docs/config.schema.json b/docs/config.schema.json
index 3bc0f407d..0e9fa0eb9 100644
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -2533,6 +2533,10 @@
 "login_with_email_allowed": {
 "description": "Whether users can log in with their email address. Defaults to `false`.\n\nThis has no effect if password login is disabled.",
 "type": "boolean"
+ },
+ "registration_token_required": {
+ "description": "Whether registration tokens are required for password registrations. Defaults to `false`.\n\nWhen enabled, users must provide a valid registration token during password registration. This has no effect if password registration is disabled.",
+ "type": "boolean"
 }
 }
 },
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index 2303e889e..c7eefa0a2 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -320,6 +320,14 @@ account:
 # Defaults to `false`.
 # This has no effect if password login is disabled.
 login_with_email_allowed: false
+
+ # Whether registration tokens are required for password registrations.
+ #
+ # Defaults to `false`.
+ #
+ # When enabled, users must provide a valid registration token during password
+ # registration. This has no effect if password registration is disabled.
+ registration_token_required: false
 ```

 ## `captcha`
@@ -712,7 +720,7 @@ upstream_oauth2:
 # Additional parameters to include in the authorization request
 #additional_authorization_parameters:
 # foo: "bar"
-
+
 # Whether the `login_hint` should be forwarded to the provider in the
 # authorization request.
 #forward_login_hint: false