What is a JWT Token?
JSON Web Token (JWT) is an industry-standard token format (RFC 7519) that enables secure information sharing between applications. Think of it as a digital passport that proves who you are and what you're allowed to access.
When you log into an application, JWT tokens act like a secure key card - every time you make a request, the token proves your identity without requiring you to log in again.
Why Use JWT with Jitsi Meet?
JWT authentication transforms your Jitsi Meet experience by providing:
- Enhanced Security: Prevents unauthorized users from joining your meetings
- Seamless Access: Users join meetings instantly without waiting in lobbies
- No Zoom-bombing: Even if someone has your meeting URL, they can't join without a valid token
- Automated Authentication: No manual username/password entry required
Ready to secure your meetings? Follow these simple steps to create your own JWT token.
Step 1: Locate Your App Credentials
Before generating tokens, you need to find your App ID and App Secret from your Jitsi server configuration.
Configuration File Location
Navigate to the following path on your Jitsi server:
/etc/prosody/conf.avail/YOUR_DOMAIN.cfg.lua
What to look for: Find the line containing VirtualHost "YOUR_DOMAIN"
Step 2: Generate Your JWT Token
Now it's time to create your token! We'll use the popular JWT.io website for easy token generation.
Token Components Explained
Header: Contains algorithm and token type (leave as default)
Payload: Your custom data and permissions (this is where the magic happens!)
Signature: Computed over the header and payload using your secret key; the server uses it for verification
Configuring the Payload
The payload is the heart of your JWT token. It contains all the important information about the user and meeting permissions.
User Information
- avatar: User's profile picture URL
- name: Display name for the meeting
- email: User's email address
Application Settings
- iss: Your App ID (from config file)
- sub: Your XMPP domain
- exp: Token expiration time
Sample Payload Configuration
Copy and customize this template with your actual values:
{
  "context": {
    "user": {
      "avatar": "https://example.com/user-avatar.jpg",
      "name": "John Doe",
      "email": "john.doe@company.com"
    }
  },
  "moderator": true,
  "aud": "jitsi",
  "iss": "your_app_id_here",
  "sub": "jitsimeet.yourdomain.com",
  "room": "*",
  "exp": 1753498815
}
Pro Tip
The "moderator": true setting gives the user full meeting control. Set to false for regular participants.
Setting Up the Signature
In the "Verify Signature" section on JWT.io, replace the placeholder your-256-bit-secret with your actual App Secret from the configuration file.
Step 3: Test Your JWT Token
Time to see your JWT token in action! Copy the generated token from the "Encoded" section on JWT.io and test it with your Jitsi Meet instance.
Testing Your Token
Use this URL format to test your JWT authentication:
https://YOUR_DOMAIN/jwt_test_room?jwt=YOUR_TOKEN
Remember: Replace YOUR_DOMAIN with your actual domain and YOUR_TOKEN with the encoded JWT from JWT.io
Success Indicators
What to Expect When Everything Works
If everything is configured correctly, you should experience:
- Instant meeting access without lobby waiting
- Your name and avatar displayed automatically
- Appropriate moderator or participant permissions
- Secure meeting environment protected from unauthorized access
Frequently Asked Questions
What happens if my JWT token expires?
When a JWT token expires, users will be denied access to the meeting. You'll need to generate a new token with an updated expiration time. It's recommended to set expiration times that align with your meeting duration plus some buffer time.
Can I use the same JWT token for multiple meetings?
Yes, if you set the 'room' field to '*' (wildcard), the token can be used for any room on your domain. For enhanced security, you can specify a particular room name to restrict the token to that specific meeting.
How do I troubleshoot JWT authentication issues?
Common issues include incorrect App ID/Secret, expired tokens, or mismatched domain names. Check your Prosody configuration, verify your token payload matches your server settings, and ensure the token hasn't expired.
Is it safe to use JWT.io for production tokens?
JWT.io is safe for testing and development, but for production environments, you should generate tokens programmatically on your server to keep your App Secret secure. Never expose your App Secret in client-side code.
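One way to generate tokens on the server instead of on JWT.io, as an added example that is not code from this guide or from the Jitsi project. The function names are hypothetical, the claims mirror the sample payload above, and refusing the wildcard room and defaulting to a one-hour lifetime are assumptions of this sketch that follow the FAQ's advice on room scoping and expiry.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(app_secret: str, signing_input: str) -> str:
    mac = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64url(mac.digest())


def make_jitsi_token(app_id, app_secret, domain, room, name, email,
                     moderator=False, ttl_seconds=3600, now=None):
    """Build an HS256 token with the claims from the sample payload."""
    if not room or room == "*":
        raise ValueError("issue tokens for one named room, not the wildcard")
    issued = int(time.time() if now is None else now)
    payload = {
        "context": {"user": {"name": name, "email": email}},
        "moderator": moderator,
        "aud": "jitsi",
        "iss": app_id,      # App ID from the Prosody config
        "sub": domain,      # XMPP domain
        "room": room,
        "exp": issued + ttl_seconds,  # short-lived: meeting length plus buffer
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in ({"alg": "HS256", "typ": "JWT"}, payload))
    return signing_input + "." + _sign(app_secret, signing_input)


def verify_jitsi_token(token, app_secret, now=None):
    """Check signature, then expiry; return the payload or raise ValueError."""
    if token.count(".") != 2:
        raise ValueError("malformed token")
    signing_input, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(app_secret, signing_input).encode(), sig.encode()):
        raise ValueError("bad signature")
    body = signing_input.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= int(time.time() if now is None else now):
        raise ValueError("token expired")
    return payload
```

Read the App Secret from server-side configuration or an environment variable at call time; only the returned token should ever reach the browser.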
Need Expert JWT Implementation Help?
Setting up JWT authentication can be complex. Our team at Meetrix specializes in Jitsi Meet implementations and can help you get everything configured perfectly for your specific use case.