diff --git a/conduwuit-example.toml b/conduwuit-example.toml
index fcf8b6f2..80a62fba 100644
--- a/conduwuit-example.toml
+++ b/conduwuit-example.toml
@@ -26,7 +26,7 @@
 # Generally, copying this exactly should be enough. (Currently, conduwuit doesn't
 # support batched key requests, so this list should only contain Synapse
 # servers.) Defaults to `matrix.org`
-#trusted_servers = ["matrix.org"]
+# trusted_servers = ["matrix.org"]
 
 
 
@@ -111,16 +111,17 @@ ip_range_denylist = [
 # For private homeservers, this is best at false.
 allow_guest_registration = false
 
-# Vector list of servers that conduwuit will refuse to download remote media from
-#prevent_media_downloads_from = ["example.com", "example.local"]
+# Vector list of servers that conduwuit will refuse to download remote media from.
+# No default.
+# prevent_media_downloads_from = ["example.com", "example.local"]
 
 # Enables open registration. If set to false, no users can register on this
-# server (unless a token is configured).
-# If set to true, users can register with no form of 2nd step only if you set
+# server.
+# If set to true without a token configured, users can register with no form of 2nd-
+# step only if you set
 # `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
-# in your config. If you would like
-# registration only via token reg, please set this to *false* and configure the
-# `registration_token` key.
+# true in your config. If you would like
+# registration only via token reg, please configure the `registration_token` key.
 allow_registration = false
 # Please note that an open registration homeserver with no second-step verification
 # is highly prone to abuse and potential defederation by homeservers, including
@@ -132,8 +133,14 @@ allow_registration = false
 registration_token = "change this token for something specific to your server"
 
 # controls whether federation is allowed or not
+# defaults to false
 allow_federation = true
 
+# controls whether users are allowed to create rooms.
+# appservices and admins are always allowed to create rooms
+# defaults to true
+# allow_room_creation = true
+
 # Set this to true to allow your server's public room directory to be federated.
 # Set this to false to protect against /publicRooms spiders, but will forbid external users
 # from viewing your server's public room directory. If federation is disabled entirely
diff --git a/src/api/client_server/account.rs b/src/api/client_server/account.rs
index 71580d7a..9ba82a58 100644
--- a/src/api/client_server/account.rs
+++ b/src/api/client_server/account.rs
@@ -74,11 +74,8 @@ pub async fn get_register_available_route(
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and access_token
 pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
-    if !services().globals.allow_registration()
-        && !body.from_appservice
-        && services().globals.config.registration_token.is_none()
-    {
-        info!("Registration disabled, no reg token configured, rejecting registration attempt for username {:?}", body.username);
+    if !services().globals.allow_registration() && !body.from_appservice {
+        info!("Registration disabled and request not from known appservice, rejecting registration attempt for username {:?}", body.username);
         return Err(Error::BadRequest(
             ErrorKind::Forbidden,
             "Registration has been disabled.",
@@ -89,10 +86,10 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
 
     if is_guest
         && (!services().globals.allow_guest_registration()
-            || (!services().globals.allow_registration()
+            || (services().globals.allow_registration()
                 && services().globals.config.registration_token.is_some()))
     {
-        info!("Guest registration disabled / registration disabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
+        info!("Guest registration disabled / registration enabled with token configured, rejecting guest registration, initial device name: {:?}", body.initial_device_display_name);
         return Err(Error::BadRequest(
             ErrorKind::GuestAccessForbidden,
             "Guest registration is disabled.",
@@ -144,21 +141,35 @@ pub async fn register_route(body: Ruma<register::v3::Request>) -> Result<registe
     };
 
     // UIAA
-    let mut uiaainfo = UiaaInfo {
-        flows: vec![AuthFlow {
-            stages: if services().globals.config.registration_token.is_some() {
-                vec![AuthType::RegistrationToken]
-            } else {
-                vec![AuthType::Dummy]
-            },
-        }],
-        completed: Vec::new(),
-        params: Default::default(),
-        session: None,
-        auth_error: None,
-    };
+    let mut uiaainfo;
+    let skip_auth;
+    if services().globals.config.registration_token.is_some() {
+        // Registration token required
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::RegistrationToken],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice;
+    } else {
+        // No registration token necessary, but clients must still go through the flow
+        uiaainfo = UiaaInfo {
+            flows: vec![AuthFlow {
+                stages: vec![AuthType::Dummy],
+            }],
+            completed: Vec::new(),
+            params: Default::default(),
+            session: None,
+            auth_error: None,
+        };
+        skip_auth = body.from_appservice || is_guest;
+    }
 
-    if !body.from_appservice && !is_guest {
+    if !skip_auth {
         if let Some(auth) = &body.auth {
             let (worked, uiaainfo) = services().uiaa.try_auth(
                 &UserId::parse_with_server_name("", services().globals.server_name())
diff --git a/src/main.rs b/src/main.rs
index b2282253..38339206 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -155,9 +155,10 @@ async fn main() {
 
     if config.allow_registration
         && !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+        && config.registration_token.is_none()
     {
-        error!("!! You have `allow_registration` enabled in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
-        If this is not the intended behaviour, please disable `allow_registration` and set a registration token.\n
+        error!("!! You have `allow_registration` enabled without a token configured in your config which means you are allowing ANYONE to register on your conduwuit instance without any 2nd-step (e.g. registration token).\n
+        If this is not the intended behaviour, please set a registration token with the `registration_token` config option.\n
         For security and safety reasons, conduwuit will shut down. If you are extra sure this is the desired behaviour you want, please set the following config option to true:
         `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`");
         return;
@@ -165,9 +166,10 @@ async fn main() {
 
     if config.allow_registration
         && config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
+        && config.registration_token.is_none()
     {
-        warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true. You are expected to be aware of the risks now.\n
-        If this is not the desired behaviour, please disable `allow_registration` and set a registration token.");
+        warn!("Open registration is enabled via setting `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and `allow_registration` to true without a registration token configured. You are expected to be aware of the risks now.\n
+        If this is not the desired behaviour, please set a registration token.");
     }
 
     if config.allow_outgoing_presence {