diff --git a/pretalx_musicrate/templates/pretalx_musicrate/join.html b/pretalx_musicrate/templates/pretalx_musicrate/join.html
new file mode 100644
index 0000000..b397055
--- /dev/null
+++ b/pretalx_musicrate/templates/pretalx_musicrate/join.html
@@ -0,0 +1,11 @@
+{% extends "cfp/event/base.html" %}
+{% load i18n %}
+
+{% block content %}
+
{% translate "Join collective rating" %}
+
+
+{% endblock %}
diff --git a/pretalx_musicrate/urls.py b/pretalx_musicrate/urls.py
index 3a9bf7e..e638c96 100644
--- a/pretalx_musicrate/urls.py
+++ b/pretalx_musicrate/urls.py
@@ -1,6 +1,6 @@
from django.urls import include, path
-from .views import MusicrateSettingsView, QRCodeView
+from .views import JoinView, MusicrateSettingsView, QRCodeView
urlpatterns = [
path(
@@ -13,6 +13,7 @@ urlpatterns = [
include(
[
path("", QRCodeView.as_view(), name="qrcode"),
+ path("/", JoinView.as_view(), name="join"),
]
),
),
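Review bot: The added `join` route carries the join token in the URL path (`JoinView.get` and `post` receive it as the `token` keyword), so the secret ends up in web-server access logs, browser history and any shared or bookmarked link. If the URL form is needed for QR-code joining, make `join_token` rotatable and consider exchanging it once for a session flag, then redirecting to a token-free URL. As rendered here the pattern is `"/"` with no capture; this may be an artefact of the page, but if it is literal the view raises TypeError for the missing keyword, and the line would need to read `path("<str:token>/", JoinView.as_view(), name="join"),`. The enclosing `urlpatterns` list starts and ends outside the hunk.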
diff --git a/pretalx_musicrate/views.py b/pretalx_musicrate/views.py
index 2670c60..8970527 100644
--- a/pretalx_musicrate/views.py
+++ b/pretalx_musicrate/views.py
@@ -1,13 +1,45 @@
+from hmac import compare_digest
+
from django.contrib import messages
+from django.shortcuts import redirect
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
from django.views.generic import FormView, TemplateView
from pretalx.common.mixins.views import EventPermissionRequired
-
from .forms import MusicrateSettingsForm
+class JoinView(TemplateView):
+ template_name = "pretalx_musicrate/join.html"
+
+ def validate_token(self, token):
+ if compare_digest(
+ token.encode("utf-8"),
+ self.request.event.pretalx_musicrate_settings.join_token.encode("utf-8"),
+ ):
+ return True
+ messages.error(self.request, _("Invalid token"))
+ return False
+
+ def get_context_data(self, token_valid=False, **kwargs):
+ context = super().get_context_data(**kwargs)
+ context["token_valid"] = token_valid
+ return context
+
+ def get(self, request, *args, token, **kwargs):
+ token_valid = self.validate_token(token)
+ return super().get(request, *args, token_valid=token_valid, **kwargs)
+
+ def post(self, request, *args, token, **kwargs):
+ token_valid = self.validate_token(token)
+ if token_valid:
+ return redirect(request.path)
+ return self.render_to_response(
+ self.get_context_data(token_valid=token_valid, **kwargs)
+ )
+
+
class MusicrateSettingsView(EventPermissionRequired, FormView):
permission_required = "orga.change_settings"
template_name = "pretalx_musicrate/settings.html"
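Review bot: `validate_token` calls `.encode("utf-8")` on `pretalx_musicrate_settings.join_token` without first checking that a token is configured. The settings model is not visible here, but if the field can be null the view fails with AttributeError, and if it can be blank there is no real secret to compare against. I would fail closed before the comparison: `expected = self.request.event.pretalx_musicrate_settings.join_token`, then `if expected and compare_digest(token.encode("utf-8"), expected.encode("utf-8")):`. Keep the `compare_digest` call on bytes as it is. Separately, an invalid token still renders the page with status 200 in both `get` and `post`; returning 403 or 404 there would make guessing attempts visible in logs and easier to rate-limit.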