Jitsi Meet supports JSON Web Token (JWT) authentication to restrict who can create or join conference rooms. Rather than relying solely on room passwords, JWTs let your application server issue cryptographically signed tokens that carry the user’s identity, which rooms they may access, and which features they are permitted to use. Tokens are validated server-side by the Prosody XMPP server using either a shared secret (HS256) or an RSA/EC public key (RS256/ES256), so they cannot be forged by clients.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jitsi/jitsi-meet/llms.txt
Use this file to discover all available pages before exploring further.
How It Works
When a participant navigates to a Jitsi Meet URL or initialises the IFrame API, a JWT can be provided. The flow is:- Your application server authenticates the user (via your own login system) and issues a signed JWT containing the user’s name, email, permitted room, and any feature flags.
- The client passes the token to Jitsi Meet — either in the URL query string (
?jwt=…) or as an IFrame API constructor option. - Prosody intercepts the XMPP connection and validates the JWT signature against the configured secret or public key.
- If the token is valid and not expired, the room is opened and the user’s identity (
context.user) is applied to their participant entry. - If the token is missing, expired, or has an invalid signature, Prosody rejects the connection.
Token Payload Structure
JWTs are Base64URL-encoded JSON. The payload section must contain the following claims:Claim Reference
Issuer — identifies your application. Must match the
app_id value configured in Prosody’s token_verification plugin.Subject — your Jitsi Meet domain, e.g.
jitsi-meet.example.com. For JaaS this is your JaaS tenant ID (e.g. vpaas-magic-cookie-abc123).Audience — must be
"jitsi" for standard deployments.Expiry — Unix timestamp (seconds since epoch) after which the token is rejected. Keep lifetimes short (minutes to hours) and issue fresh tokens as needed.
Not Before — Unix timestamp before which the token is not yet valid. Useful to prevent token reuse before a scheduled meeting starts.
The room name this token grants access to. Use
"*" (asterisk) to create a wildcard token valid for any room on the domain. Wildcards should only be issued to trusted users (e.g. administrators).Display name shown in the participant list and tiles for this user.
Email address used for Gravatar-style avatar lookups.
Direct URL to the user’s profile picture. Overrides email-based avatar lookups. Also accepted as
avatarUrl.An opaque identifier for the user from your system. Used to correlate participants across sessions.
When set to
"true", Prosody grants this user moderator privileges (mute others, remove participants, end meeting for all). This field is processed server-side by Prosody and is not parsed by the Jitsi client.Per-user feature gate flags. Values must be the string
"true" or "false" (or booleans). Supported keys are defined by the MEET_FEATURES constants in the Jitsi codebase: recording, livestreaming, screen-sharing, lobby, moderation, transcription, create-polls, send-groupchat, outbound-call, inbound-call, sip-outbound-call, sip-inbound-call, flip, file-upload, live-translation, branding, calendar, room, list-visitors.Enable JWT Authentication in Prosody
On a Jitsi self-hosted server, install and configure theprosody-plugins token authentication module. The relevant section in /etc/prosody/conf.d/<domain>.cfg.lua looks like:
app_secret with the path to your public key file:
Enable JWT Support in config.js
On the Jitsi side, enable thetokenAuthUrl redirect flow if you want unauthenticated users to be redirected to your login service automatically:
The
tokenAuthUrl supports the following template parameters: {room} (room name), {code_challenge} (OAuth 2.0 PKCE challenge), and {state} (a JSON object with the current navigation state). The code verifier is saved to sessionStorage under the key code_verifier.Pass JWT via URL
Append the token as a query parameter when linking directly to a room:parseJWTFromURLParams) checks both the URL query string and the hash fragment, so the following also works:
Pass JWT to the IFrame API
When embedding Jitsi Meet with the IFrame API, supply the token in the constructor options. This is the preferred approach for embedded deployments because it avoids exposing the token in the browser’s address bar.Feature Flags via JWT
Thecontext.features object in the payload maps directly to the MEET_FEATURES constants in the Jitsi codebase. Each flag value must be "true", "false", true, or false — any other value is treated as invalid by the client-side validator. Some commonly used feature flags:
| Feature key | Effect when "true" |
|---|---|
recording | User can start/stop cloud recordings |
livestreaming | User can start YouTube Live streams |
screen-sharing | User may share their screen |
lobby | User can enable/disable lobby mode |
moderation | User can moderate other participants |
transcription | User can request live captions |
create-polls | User can create polls in the meeting |
send-groupchat | User can send messages in group chat |
outbound-call | User can make outbound calls |
sip-outbound-call | User can make SIP outbound calls |
live-translation | User can use live translation |
JaaS (Jitsi as a Service) Tokens
If you are using JaaS (8x8 Jitsi as a Service), token generation is different. The
sub claim must contain your JaaS App ID (in vpaas-magic-cookie-* format), the iss claim must be "chat", and tokens must be signed with the private key downloaded from your JaaS dashboard. See the JaaS API Keys guide for full instructions.