Jitsi Meet supports optional End-to-End Encryption (E2EE) using the WebRTC Insertable Streams API. When E2EE is enabled, media is encrypted directly on the sender’s device before it enters the WebRTC pipeline, and it is decrypted only on each recipient’s device. The Jitsi server infrastructure relays encrypted packets but cannot read their contents — the server sees only ciphertext.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jitsi/jitsi-meet/llms.txt
Use this file to discover all available pages before exploring further.
How E2EE Works
Jitsi’s standard transport already uses DTLS-SRTP, which encrypts traffic between each participant and the server. E2EE adds a second encryption layer on top of this at the application level:- Each participant generates a symmetric encryption key locally.
- Keys are exchanged between participants through the end-to-end encrypted signaling channel (not via the media server).
- Outgoing audio and video frames are encrypted using the Insertable Streams API before being handed to the WebRTC engine.
- Incoming frames are decrypted by the recipient’s browser before rendering, using the sender’s shared key.
Participant Limits with E2EE
The source defines automatic mode thresholds:| Participant count | E2EE behavior |
|---|---|
≤ 20 (MAX_MODE_LIMIT) | Fully available — E2EE can be toggled freely |
21–25 (MAX_MODE_LIMIT + MAX_MODE_THRESHOLD) | ENABLED mode — E2EE can still be toggled but a performance warning is displayed |
| > 25 | THRESHOLD_EXCEEDED — E2EE is automatically disabled to protect call quality |
Enabling E2EE
- In the UI
- IFrame API
- Click the Shield (Security) icon in the meeting toolbar.
- In the Security options panel, toggle End-to-End Encryption on.
- All participants who support E2EE will automatically negotiate encrypted sessions.
E2EE with Externally Managed Keys
For deployments where key management must be handled outside of Jitsi (e.g., a custom KMS or a pre-shared key scheme), use thesetMediaEncryptionKey command to inject a specific key rather than relying on Jitsi’s built-in key exchange.
Pass a keyInfo object containing a key (CryptoKey) and an optional index (key rotation index). The API handles exporting and serializing the key internally:
JaaS and E2EE
On JaaS (8x8.vc) deployments, E2EE is available and can be enabled per-meeting. Because JaaS runs a selective forwarding unit (SFU), E2EE means the SFU forwards ciphertext without being able to decode media. Refer to the JaaS overview for plan-specific availability and any restrictions on participant limits when E2EE is active.
