diff --git a/.env-example b/.env-example
index b7320fe..4f60b96 100644
--- a/.env-example
+++ b/.env-example
@@ -5,3 +5,5 @@ SESSION_COOKIE_SECURE=1
 DATABASE_PATH=/app/data/fleetledger.db
 # Optional: Fernet key for encrypting management passwords (leave empty to disable)
 ENCRYPTION_KEY=
+# Allow self-registration after first admin (1 = allow, 0 = only admin-created)
+ALLOW_SELF_REGISTRATION=0
diff --git a/README.md b/README.md
index 57fe731..b3be38b 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ Self-hosted Übersicht für gemietete Server (VPS, Dedizierte, Storage, Managed)
 - `SESSION_COOKIE_SECURE` (default `1`): Auf `0` nur für lokale HTTP-Tests setzen, sonst `1` (HTTPS).
 - `DATABASE_PATH` (default `/app/data/fleetledger.db` im Docker-Image): Pfad zur SQLite-Datei. Lokal z. B. `./data/fleetledger.db`.
 - `ENCRYPTION_KEY` (optional): Fernet-Key für verschlüsselte Management-Passwörter. Leer lassen, wenn keine Speicherung gewünscht ist.
+- `ALLOW_SELF_REGISTRATION` (default `0`): `1` erlaubt neue Selbst-Registrierungen auch wenn schon ein Admin existiert; `0` = nur Admin darf weitere User anlegen.
 
 ## Sicherheitshinweise
 - Immer einen starken `SESSION_SECRET` verwenden; im Docker-Setup wird der Start verweigert, wenn ein Platzhalter genutzt wird.
diff --git a/app/main.py b/app/main.py
index f147597..4b0d7d4 100644
--- a/app/main.py
+++ b/app/main.py
@@ -43,6 +43,7 @@ if not SESSION_SECRET or SESSION_SECRET.startswith("CHANGE_ME"): ) SESSION_COOKIE_SECURE = os.getenv("SESSION_COOKIE_SECURE", "1") != "0" +ALLOW_SELF_REGISTRATION = os.getenv("ALLOW_SELF_REGISTRATION", "0") == "1" @app.middleware("http")
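Review bot: The new flag is parsed fail-closed (`== "1"`), which is the right default, but a value such as `true` or `yes` silently leaves self-registration off and nothing tells the operator which mode is active; consider logging the effective setting once right after this assignment, e.g. `logging.getLogger(__name__).info("self-registration after first admin: %s", "enabled" if ALLOW_SELF_REGISTRATION else "disabled")`, assuming the module has or can take a logger. When the flag is on, the registration handlers become an unauthenticated account-creation endpoint in an app that stores server management credentials, so a comment at this line such as `# When enabled, registration is open to anonymous clients; only turn on behind access control or with rate limiting.` would help the next maintainer, since this diff does not show whether any rate limiting exists. The value is also read once at import time, so changing it requires a restart, which the README entry could state.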
@@ -123,7 +124,11 @@ def register_form( If at least one user already exists, only admins may register new users. """ user_count = len(session.exec(select(User)).all()) - if user_count > 0 and (not current_user or not current_user.is_admin): + if ( + user_count > 0 + and not ALLOW_SELF_REGISTRATION + and (not current_user or not current_user.is_admin) + ): return RedirectResponse("/", status_code=303) csrf_token = ensure_csrf_token(request)
@@ -170,7 +175,11 @@ def register( ) user_count = len(session.exec(select(User)).all()) - if user_count > 0 and (not current_user or not current_user.is_admin): + if ( + user_count > 0 + and not ALLOW_SELF_REGISTRATION + and (not current_user or not current_user.is_admin) + ): return RedirectResponse("/", status_code=303) error = None
diff --git a/docker-compose.yml b/docker-compose.yml
index d1c8f44..f1ab2e1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,6 +13,8 @@ services: - SESSION_COOKIE_SECURE=${SESSION_COOKIE_SECURE:-1} # Optional: encryption key for management passwords (Fernet key) - ENCRYPTION_KEY=${ENCRYPTION_KEY:-} + # Allow self-registration after first admin (1 = allow, 0 = only admin-created) + - ALLOW_SELF_REGISTRATION=${ALLOW_SELF_REGISTRATION:-0} volumes: - ./data:/app/data restart: unless-stopped
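Review bot: The docstring line `If at least one user already exists, only admins may register new users.` is now wrong whenever ALLOW_SELF_REGISTRATION is set, and the hunk leaves it untouched; change it to `If at least one user already exists, only admins may register new users unless ALLOW_SELF_REGISTRATION is enabled.` The same three-clause gate is pasted into both register_form and register; a single helper such as `def _registration_allowed(user_count: int, current_user) -> bool: return user_count == 0 or ALLOW_SELF_REGISTRATION or bool(current_user and current_user.is_admin)` called from both handlers keeps the GET and POST checks from drifting apart, which matters because only the POST gate actually protects account creation. register_form starts before this hunk and continues past it.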
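Review bot: With ALLOW_SELF_REGISTRATION set, an unauthenticated POST now passes this gate into the account-creation code that follows `error = None`, and the hunk does not show what role that account receives; please confirm that admin status is derived only from `user_count == 0` (first-user bootstrap) and never from any field of the submitted form, and record that at the gate with a comment such as `# Self-registered accounts are never admins; only the very first user is.` If this handler has no rate limiting, enabling the flag also exposes an unthrottled signup endpoint, which the function's docstring should say so deployers can weigh it. register starts before this hunk and continues past it.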