diff --git a/app/controllers/api/v2/registration_commands_controller.rb b/app/controllers/api/v2/registration_commands_controller.rb
index 8c8bb6984a9e..6163f47d370f 100644
--- a/app/controllers/api/v2/registration_commands_controller.rb
+++ b/app/controllers/api/v2/registration_commands_controller.rb
@@ -5,7 +5,6 @@ class RegistrationCommandsController < V2::BaseController
       include Foreman::Controller::RegistrationCommands
 
       before_action :find_smart_proxy, if: -> { registration_params['smart_proxy_id'] }
-
       api :POST, "/registration_commands", N_("Generate global registration command")
       param :registration_command, Hash, required: false, action_aware: true do
         param :organization_id, :number, desc: N_("ID of the Organization to register the host in")
@@ -15,7 +14,7 @@ class RegistrationCommandsController < V2::BaseController
         param :smart_proxy_id, :number, desc: N_("ID of the Smart Proxy. This Proxy must have enabled both the 'Templates' and 'Registration' features")
         param :setup_insights, :bool, desc: N_("Set 'host_registration_insights' parameter for the host. If it is set to true, insights client will be installed and registered on Red Hat family operating systems")
         param :setup_remote_execution, :bool, desc: N_("Set 'host_registration_remote_execution' parameter for the host. If it is set to true, SSH keys will be installed on the host")
-        param :jwt_expiration, :number, desc: N_("Expiration of the authorization token (in hours)")
+        param :jwt_expiration, :number, desc: N_("Expiration of the authorization token (in hours), 0 means 'unlimited'.")
         param :insecure, :bool, desc: N_("Enable insecure argument for the initial curl")
         param :packages, String, desc: N_("Packages to install on the host when registered. Can be set by `host_packages` parameter, example: `pkg1 pkg2`")
         param :update_packages, :bool, desc: N_("Update all packages on the host")
diff --git a/app/controllers/concerns/foreman/controller/registration_commands.rb b/app/controllers/concerns/foreman/controller/registration_commands.rb
index 6db3b94a31ab..e7f148614fef 100644
--- a/app/controllers/concerns/foreman/controller/registration_commands.rb
+++ b/app/controllers/concerns/foreman/controller/registration_commands.rb
@@ -19,6 +19,14 @@ def insecure
     registration_params['insecure'] ? '--insecure' : ''
   end
 
+  def is_token_valid(min_value, max_value)
+    registration_params['jwt_expiration'].to_i.between?(min_value, max_value)
+  end
+
+  def unlimited
+    registration_params['jwt_expiration'].to_i == 0 || registration_params['jwt_expiration'] == 'unlimited'
+  end
+
   def registration_url(proxy = nil)
     return global_registration_url unless proxy
 
@@ -33,7 +41,13 @@ def command_headers
     }
 
     if registration_params['jwt_expiration'].present?
-      jwt_args[:expiration] = registration_params['jwt_expiration'].to_i.hours.to_i if registration_params['jwt_expiration'] != 'unlimited'
+      min_value = 0
+      max_value = 999999
+      if is_token_valid(min_value, max_value)
+        jwt_args[:expiration] = registration_params['jwt_expiration'].to_i.hours.to_i unless unlimited
+      else
+        raise ::Foreman::Exception.new(N_("Invalid value %s for jwt_expiration. The value must be between %s to %s. 0 means 'unlimited'."), registration_params['jwt_expiration'], min_value, max_value)
+      end
     else
       jwt_args[:expiration] = 4.hours.to_i
     end