diff --git a/synapse/config/server.py b/synapse/config/server.py
index 89d61a0503bc..00cad1e9c521 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -43,6 +43,9 @@ def read_config(self, config):
 
         self.filter_timeline_limit = config.get("filter_timeline_limit", -1)
 
+        self.require_auth_for_room_directory = \
+            config.get("require_auth_for_room_directory", False)
+
         if self.public_baseurl is not None:
             if self.public_baseurl[-1] != '/':
                 self.public_baseurl += '/'
@@ -194,6 +197,11 @@ def default_config(self, server_name, **kwargs):
         # and sync operations. The default value is -1, means no upper limit.
         # filter_timeline_limit: 5000
 
+        # Set whether this server's public room directory is restricted to
+        # local authenticated users, or visible to the wider world.
+        # Default is to be visible to the wider world.
+        require_auth_for_room_directory: False
+
         # List of ports that Synapse should listen on, their purpose and their
         # configuration.
         listeners:
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index cd388770c887..6ab9cdc116c1 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -294,7 +294,7 @@ def on_GET(self, request):
             # In both cases we call the auth function, as that has the side
             # effect of logging who issued this request if an access token was
             # provided.
-            if server:
+            if server or self.hs.config.require_auth_for_room_directory:
                 raise e
             else:
                 pass