Jitsi Meet provides several complementary security mechanisms that can be layered together to match the threat model of your deployment. A casual internal tool may only need HTTPS and room passwords, while a healthcare or financial-services deployment might require JWT authentication, end-to-end encryption, and lobby moderation on every call. This guide walks through each mechanism, how to configure it, and which combinations make sense together.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jitsi/jitsi-meet/llms.txt
Use this file to discover all available pages before exploring further.
Room Passwords
Any meeting moderator can lock a room by setting a password through the Security options panel (the shield icon in the toolbar). Once set, new participants must enter the password before joining. Key config.js options:When set to a positive integer, restricts room passwords to that number of digits (numeric only). This is useful for phone dial-in participants who can only enter digits. Example:
roomPasswordNumberOfDigits: 6.When
true, hides the password input from the Security panel, preventing any participant from setting a room password. Useful when you want to rely solely on JWT auth or lobby mode.Room passwords are transmitted and enforced through the XMPP MUC layer. They are not a substitute for JWT authentication — a determined user who can reach the XMPP server may be able to bypass them. Use JWT authentication for strong access control.
Lobby Mode
Lobby mode places incoming participants into a waiting room where they must be explicitly admitted by a moderator. This is the simplest way to prevent uninvited guests without requiring a shared password. When lobby is active:- New participants see a “Waiting for the host” screen.
- Moderators receive a notification for each knock request and can approve or reject individually.
- Lobby chat can be enabled so the moderator can communicate with waiting participants.
JWT Authentication
JWT (JSON Web Token) authentication delegates access control to your own backend. Your server issues signed tokens that encode which user may access which room and with what permissions. Prosody verifies the signature before allowing any XMPP connection. Benefits over room passwords:- User identity (name, email, avatar) is asserted by your trusted backend, not self-reported.
- Per-user feature flags (recording, screen-share, moderator) can be baked into the token.
- Tokens expire automatically, eliminating the “shared password leakage” risk.
End-to-End Encryption (E2EE)
E2EE encrypts media streams directly between participants using the WebRTC Insertable Streams API, so that even the Jitsi Videobridge cannot decrypt the audio and video. Encryption keys are exchanged via a secure out-of-band channel (or derived from a passphrase entered by participants). Enable E2EE in config.js:TLS / HTTPS
All Jitsi Meet traffic — signalling, media, and the web app itself — must be served over TLS. The official Jitsi installation script automatically provisions a Let’s Encrypt certificate viacertbot during setup.
To renew or reprovision a certificate manually:
/etc/nginx/sites-available/<domain>.conf (or the Apache equivalent) to point to them.
Relevant config.js settings (these are informational overrides used by the web app):
Disabling Guest Access
By default, anyone who knows the room URL can join a Jitsi meeting anonymously. The followingconfig.js options help restrict this.
Require a Display Name
Require a JWT for All Users
Setauthentication = "token" in your Prosody configuration (see JWT Auth). With this setting, any connection without a valid JWT is rejected by the XMPP server — there is no anonymous fallback.
Separate Authenticated and Guest Domains
For a hybrid deployment where registered users get moderator privileges and anonymous users join as guests (read-only or restricted), configure a guest subdomain:guest.jitsi-meet.example.com virtual host uses authentication = "anonymous" while the main domain uses authentication = "token". This ensures that only token holders can create rooms; guests can join but not initiate.
Warn About Weak Room Names
Security Checklist
Use this checklist before going live with a self-hosted Jitsi Meet deployment:- HTTPS is enforced — a valid TLS certificate is installed and HTTP redirects to HTTPS.
- WebSocket/BOSH URLs use TLS —
boshstarts withhttps://andwebsocketstarts withwss://. - JWT authentication is configured — Prosody validates tokens and rejects unauthenticated connections for sensitive deployments.
- Room passwords are enabled or locked down — either educate users to set passwords, or enforce lobby mode so moderators control admission.
- End-to-end encryption is offered — E2EE is not disabled in
config.jsand users are informed of the option for sensitive calls. - Lobby mode is available — the
securityUi.hideLobbyButtonisfalseso moderators can enable the lobby when needed. - Guest access is restricted —
anonymousdomainis configured orauthentication = "token"is set on the main Prosody virtual host. -
requireDisplayNameis enabled — prevents fully anonymous participation. -
enableInsecureRoomNameWarningis enabled — alerts participants to rooms that lack password or lobby protection. - Packages are up to date — run
sudo apt update && sudo apt upgraderegularly to pick up Jitsi security patches. - Firewall rules are in place — only ports 80, 443, and 10000/UDP (media) are exposed; all other ports are firewalled.
