JaaS uses RS256 JWT tokens signed with your private API key to authenticate meetings. Every JaaS meeting request requires a valid token containing your App ID, the target room name, and a user context that describes the participant’s identity and feature permissions. Tokens must always be signed server-side — never in the browser — and should carry a short expiry to limit the blast radius of any credential exposure.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jitsi/jitsi-meet/llms.txt
Use this file to discover all available pages before exploring further.
Generating an API key pair
Log into the JaaS API keys console
Navigate to https://jaas.8x8.vc/#/apikeys and sign in with your JaaS account.
Create a new API key
Click Add API key, then select Generate API key pair. JaaS will generate a 2048-bit RSA key pair on your behalf and register the public key with the platform.
Download and securely store the private key
Download the private key (
.pk file) from the confirmation dialog immediately — JaaS does not retain a copy. Store it in a secrets manager or a vault, never in source control. Transfer it securely to the server that will sign tokens.Record the Key ID
Note the Key ID displayed next to your new key in the console. The Key ID takes the form
vpaas-magic-cookie-<app-id>/<key-uuid>. You will embed this full value in the kid header field of every JWT token you sign with that key. The portion before the / is your App ID (vpaas-magic-cookie-<app-id>), which also goes in the sub claim of the JWT payload.JWT token structure
A JaaS JWT payload carries your App ID in thesub claim, the target room in room, and a context object describing the user and the features they are permitted to use. A wildcard ("*") in room authorises the token for any room under your App ID.
| Field | Description |
|---|---|
iss | Always "chat" for JaaS tokens. |
aud | Always "jitsi" for JaaS tokens. |
sub | Your full JaaS App ID, e.g. vpaas-magic-cookie-<id>. |
exp | Unix timestamp after which the token is invalid. |
nbf | Unix timestamp before which the token is not yet valid. |
room | Specific room name or "*" for any room under your App ID. |
context.user.moderator | "true" grants the participant moderator privileges. |
context.features.* | Enable or disable specific JaaS features for this participant. |
Signing the token
Use any RS256-capable JWT library to sign your payload with the private key. The example below uses the popularjsonwebtoken package for Node.js.
Using the token in the IFrame API
Pass the signed token directly toJitsiMeetExternalAPI via the jwt option. Combine it with the 8x8.vc domain and the <app-id>/<room> room name format:
