




Ever wondered how to secure your Jitsi Meet video calls so that only the right people get in?
When building or managing a video conferencing platform, one of the most important aspects is controlling user access. That’s where JSON Web Tokens (JWT) come in. If you’re looking to authenticate users to Jitsi Meet using JWT tokens, this guide will walk you through the process from start to finish.
Whether you’re running Jitsi on your own server or integrating it into a SaaS application, JWT-based authentication gives you more control, better security, and a smoother user experience. Let’s dive in.
Using JWT (JSON Web Tokens) to authenticate users gives you:
JWT is especially useful for multi-tenant platforms or SaaS apps, where each user or company needs isolated access.
Jitsi Meet uses Prosody (an XMPP server) under the hood. When JWT is enabled, Jitsi checks for a valid JWT before letting a user join or create a room.
Here’s a simplified flow:
Before you start, make sure you have:
Dependencies:
Let’s configure your server to accept JWT tokens.
Step 1: Enable JWT Plugin
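In /etc/prosody/conf.avail/yourdomain.cfg.lua, update your virtual host:
    VirtualHost "yourdomain.com"
        authentication = "token"          -- require a JWT to join
        app_id = "your_app_id"            -- same value as the token's aud and iss claims
        app_secret = "your_app_secret"    -- shared secret used to sign tokens (HMAC SHA-256)
        allow_empty_token = false         -- reject connections that present no token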
Step 2: Install Required Modules
Ensure mod_auth_token.lua is installed and enabled.
    sudo apt install lua-cjson lua-sec
Restart the services:
    sudo systemctl restart prosody
    sudo systemctl restart jicofo
    sudo systemctl restart jitsi-videobridge2
You can generate JWTs using Node.js, Python, or any backend language.
Sample JWT Payload
    {
      "aud": "your_app_id",
      "iss": "your_app_id",
      "sub": "yourdomain.com",
      "room": "conference1",
      "exp": 1712366400,
      "context": {
        "user": {
          "name": "John Doe",
          "email": "john@example.com"
        }
      }
    }
Sign it using your secret key (app_secret) with HMAC SHA-256.
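The signing step above, as an added Python example (not code from the original guide or from the Jitsi project): it mints a token with the sample payload's claims and runs a local pre-flight check for signature, expiry and room mismatches before the token reaches the server. The function names, the 10-minute default lifetime and the order of checks are assumptions for illustration; this is not Prosody's own verification logic.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(app_id, app_secret, domain, room, user, ttl=600, now=None):
    """Server-side: build the page's claim layout and sign it with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": app_id, "iss": app_id, "sub": domain, "room": room,
               "exp": now + ttl, "context": {"user": user}}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(_sign(app_secret, signing_input))

def check_token(token, app_id, app_secret, room, now=None):
    """Local pre-flight check; returns (ok, reason). Not Prosody's own logic."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, payload = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        signature = _unb64url(sig)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # refuse "none" and any other algorithm
        return False, "bad alg"
    if not hmac.compare_digest(signature, _sign(app_secret, f"{head}.{body}")):
        return False, "bad signature"  # compared in constant time
    if payload.get("iss") != app_id or payload.get("aud") != app_id:
        return False, "wrong app_id"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    if payload.get("room") != room:
        return False, "room mismatch"
    return True, "ok"

if __name__ == "__main__":
    user = {"name": "John Doe", "email": "john@example.com"}  # sample values from the page
    tok = mint_token("your_app_id", "your_app_secret", "yourdomain.com", "conference1", user)
    print(check_token(tok, "your_app_id", "your_app_secret", "conference1"))
    print(check_token(tok, "your_app_id", "your_app_secret", "conference2"))
```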
To fine-tune permissions, add custom claims:
This is useful when embedding Jitsi into portals or dashboards.
Use the Jitsi Meet IFrame API to embed meetings.
    const domain = "yourdomain.com";
    const options = {
      roomName: "conference1",
      parentNode: document.querySelector('#meet'),
      jwt: "your_generated_token"
    };
    const api = new JitsiMeetExternalAPI(domain, options);
Keep your tokens safe. Here’s how:
This ensures your meetings aren’t hijacked or abused.
Error: “Invalid JWT” or “Not authorized”
Blank screen or connection error
Room mismatch
Use browser dev tools and Jitsi logs (/var/log/prosody/) to debug.
Imagine you’re running a telehealth platform. Patients can only talk to assigned doctors. Here’s how JWT helps:
This streamlines user experience while keeping calls secure.
Setting up JWT authentication with Jitsi Meet may seem technical, but it’s a powerful way to secure your video meetings. From generating tokens to embedding them in your app, every step adds a layer of trust and control.
If you’re running a multi-user platform, building a SaaS product, or simply want to lock down access, using JWT is the way to go.
No. JWT authentication requires a self-hosted Jitsi instance.
Short durations (5–15 mins) are best for security.
Technically yes, but it's insecure. Always generate tokens server-side.
Yes. Restart prosody, jicofo, and videobridge.
Yes, but it's more complex. You’d need a separate virtual host config.
We have worked on 200+ Jitsi projects and we are experts now.