diff --git a/src/db/schema.ts b/src/db/schema.ts
index 26f442b..efed535 100644
--- a/src/db/schema.ts
+++ b/src/db/schema.ts
@@ -26,6 +26,16 @@ export const invites = pgTable('invites', {
   createdAt: timestamp('created_at').defaultNow().notNull(),
 });
 
+// Password reset tokens
+export const passwordResetTokens = pgTable('password_reset_tokens', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  userId: text('user_id').references(() => users.id, { onDelete: 'cascade' }).notNull(),
+  token: text('token').notNull().unique(),
+  expiresAt: timestamp('expires_at').notNull(),
+  usedAt: timestamp('used_at'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+});
+
 // User profile (additional settings beyond BetterAuth)
 export const userProfiles = pgTable('user_profiles', {
   id: uuid('id').primaryKey().defaultRandom(),
diff --git a/src/index.ts b/src/index.ts
index 47a9cc4..5496e2e 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -23,7 +23,13 @@ const app = new Elysia()
   // Health check
   .get('/health', () => ({ status: 'ok', timestamp: new Date().toISOString() }))
   
-  // BetterAuth routes (login, register, etc.)
+  // Block open signup — registration is invite-only
+  .post('/api/auth/sign-up/email', ({ set }) => {
+    set.status = 403;
+    return { error: 'Registration is invite-only. Please use an invite link.' };
+  })
+  
+  // BetterAuth routes (login, session, etc.)
   .all('/api/auth/*', async ({ request }) => {
     return auth.handler(request);
   })