diff --git a/src/routes/profile.js b/src/routes/profile.js
index 331adbe78..1fa62e668 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -1,6 +1,7 @@
 import assert from 'node:assert';
 import AuditSource from '../auditsource.js';
 import BoxError from '../boxerror.js';
+import constants from '../constants.js';
 import { HttpError } from '@cloudron/connect-lastmile';
 import { HttpSuccess } from '@cloudron/connect-lastmile';
 import oidcServer from '../oidcserver.js';
@@ -248,6 +249,8 @@ async function registerPasskey(req, res, next) {
 assert.strictEqual(typeof req.user, 'object');
 assert.strictEqual(typeof req.body, 'object');
+ if (constants.DEMO && req.user.username === constants.DEMO_USERNAME) return next(new HttpError(412, 'Not allowed in demo mode'));
+
 if (!req.body.credential || typeof req.body.credential !== 'object') return next(new HttpError(400, 'credential must be an object'));
 if (req.body.name && typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be a string'));
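Review bot: The demo-mode guard added at the top of registerPasskey is written inline and carries no comment saying what it protects, so the same check has to be remembered by hand on every other handler that changes credentials for that account. A passkey bound to the demo login is a persistent credential that would outlive the visitor's session on what is presumably a shared account; a line above the check such as `// demo account is shared: never let a visitor bind a persistent credential to it` would record that. Whether the other passkey and credential routes in this file carry the same guard is not visible from this hunk and should be confirmed, or the check moved into one shared middleware. 412 is normally tied to conditional-request headers, so unless the codebase already uses it for demo-mode refusals, 403 describes a policy denial more accurately. The body of registerPasskey continues outside the hunk.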