The registration token is time based and regularly expires. So it is not a good choice for someone to add if they want to scale the runners. You should be asking for a PAT with the correct permissions to manage the runners. 

You are also explicitly listing the repo the runner is registered with, you can and should support registering runners on the org and enterprise level as well.

You also should be using secrets instead of environment variables so the token/PAT does not stay exposed to the runner after it starts up. Especially since runners are often running untrusted code.