diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index ec4bb955d20d87374bbdbfe8202a980731c18d9e..3a94a60f6b09daca13eb46698ebaca88de79c5e8 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1165,6 +1165,22 @@ async fn create_join_event(
 		));
 	}
 
+	let state_key: OwnedUserId = serde_json::from_value(
+		value
+			.get("state_key")
+			.ok_or_else(|| Error::BadRequest(ErrorKind::InvalidParam, "PDU does not a state key"))?
+			.clone()
+			.into(),
+	)
+	.map_err(|_| Error::BadRequest(ErrorKind::BadJson, "State key is invalid or not a user ID"))?;
+
+	if state_key != sender {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"State key does not match sender user",
+		));
+	}
+
 	ruma::signatures::hash_and_sign_event(
 		services().globals.server_name().as_str(),
 		services().globals.keypair(),
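Review bot: The message on the missing-key path, `"PDU does not a state key"`, is missing a verb and is presumably returned to the calling server unchanged; `"PDU does not have a state key"` reads correctly. The two failure paths also report different kinds (`InvalidParam` for an absent key, `BadJson` for one that does not parse as a user ID), which deserves a short comment if it is intentional. Because the comparison sits directly before `hash_and_sign_event`, a comment such as `// Must run before signing: never put this server's signature on a join whose state_key is not the sender.` would record why the ordering matters and keep a later refactor from moving the check below the signing call. Whether the event type, the membership value and the sender's server name are validated earlier cannot be told from this hunk, since create_join_event starts and ends outside it.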