diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 9b3de669724f0aa22f6819fdb74dc9ab69441583..6c80ce93711afe54ccce77687690207169e486c2 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1191,6 +1191,28 @@ async fn create_join_event(
 		));
 	}
 
+	let content = value
+		.get("content")
+		.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event does not a content key"))?
+		.as_object()
+		.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event content is empty or invalid"))?;
+
+	let membership: MembershipState = serde_json::from_value(
+		content
+			.get("membership")
+			.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "Join event content does not have a membership"))?
+			.clone()
+			.into(),
+	)
+	.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "Join event has an invalid membership"))?;
+
+	if membership != MembershipState::Join {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to send a non-join event at a join endpoint",
+		));
+	}
+
 	// ACL check sender server name
 	let sender: OwnedUserId = serde_json::from_value(
 		value