diff --git a/server/mergin/auth/models.py b/server/mergin/auth/models.py
index c16c21f6..b57631cb 100644
--- a/server/mergin/auth/models.py
+++ b/server/mergin/auth/models.py
@@ -6,6 +6,7 @@
 import datetime
 from typing import List, Optional
 import bcrypt
+import re
 from flask import current_app, request
 from sqlalchemy import or_, func, text
@@ -196,6 +197,10 @@ def generate_username(cls, email: str) -> Optional[str]:
 if not "@" in email:
 return
 username = email.split("@")[0].strip().lower()
+ # remove forbidden chars
+ username = re.sub(
+ r"[\@\#\$\%\^\&\*\(\)\{\}\[\]\?\'\"`,;\:\+\=\~\\\/\|\<\>]", "", username
+ )
 # check if we already do not have existing usernames
 suffix = db.session.execute(
 text(
diff --git a/server/mergin/tests/test_auth.py b/server/mergin/tests/test_auth.py
index 91027fb4..280626de 100644
--- a/server/mergin/tests/test_auth.py
+++ b/server/mergin/tests/test_auth.py
@@ -850,6 +850,9 @@ def test_username_generation(client):
 user = add_user("user25", "user")
 assert User.generate_username(user.email) == user.username + "1"
+ # generate username from email containing invalid chars for username, e.g. +
+ assert User.generate_username("tralala+test@example.com") == "tralalatest"
+
 def test_server_usage(client):
 """Test server usage endpoint"""
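Review bot: After the new `re.sub` in models.py the local part can become empty (an address whose local part consists only of listed characters), and the code then continues into the existing-username lookup with `""`; add `if not username: return` right after the substitution, matching the bare `return` already used for the missing-`@` case. The denylist also passes anything not enumerated (whitespace, `!`, non-ASCII), so if the project's username validation defines an allowed set, strip by its complement instead — for example, if only ASCII letters, digits, `.`, `_` and `-` are valid, `re.sub(r"[^a-z0-9._-]", "", username)` — and the added test in test_auth.py would then also deserve a case where the whole local part is stripped away. As a point of style, nearly all the backslashes in the character class are unnecessary (inside `[...]` only `\`, `]`, a leading `^` and a mid-class `-` need escaping), and the pattern could be compiled once at module level rather than on every call. generate_username starts and ends outside the hunk.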