Table of Contents
- Introduction
- 1. Why Use JWT for Authentication?
- 2. Understanding How JWT Works in Jitsi
- 3. Jitsi JWT Authentication Requirements
- 4. Setting Up Jitsi Meet for JWT Authentication
- 5. Creating JWT Tokens for Jitsi
- 6. Adding Claims to Your JWT Payload
- 7. Frontend Integration: Embedding Jitsi with JWT
- 8. Securing JWT Tokens and Best Practices
- 9. Common Issues and Troubleshooting
- 10. Use Case Example: SaaS Integration with JWT
- Conclusion
Introduction
Ever wondered how to secure your Jitsi Meet video calls so that only the right people get in?
When building or managing a video conferencing platform, one of the most important aspects is controlling user access. That’s where JSON Web Tokens (JWT) come in. If you’re looking to authenticate users to Jitsi Meet using JWT tokens, this guide will walk you through the process from start to finish.
Whether you’re running Jitsi on your own server or integrating it into a SaaS application, JWT-based authentication gives you more control, better security, and a smoother user experience. Let’s dive in.
1. Why Use JWT for Authentication?
Using JWT (JSON Web Tokens) to authenticate users gives you:
- Access control: Limit who can start or join meetings
- Secure identity: Trust that users are who they say they are
- Stateless authentication: No need to store session data
- Simple integration: Easy to embed into existing login systems
JWT is especially useful for multi-tenant platforms or SaaS apps, where each user or company needs isolated access.
2. Understanding How JWT Works in Jitsi
Jitsi Meet uses Prosody (an XMPP server) under the hood. When JWT is enabled, Jitsi checks for a valid JWT before letting a user join or create a room.
Here’s a simplified flow:
- User logs in to your app
- Your server generates a signed JWT
- JWT is passed when the user joins the meeting
- Jitsi reads the token, verifies it, and grants or denies access
3. Jitsi JWT Authentication Requirements
Before you start, make sure you have:
- A self-hosted Jitsi Meet instance
- Access to your server’s configuration files (root or sudo)
- A domain name with SSL (required for secure connections)
- Node.js or another backend to generate JWT tokens
Dependencies:
- Jitsi Meet with token support (usually based on Prosody)
- Lua libraries for JWT validation
4. Setting Up Jitsi Meet for JWT Authentication
Let’s configure your server to accept JWT tokens.
Step 1: Enable JWT Plugin
In /etc/prosody/conf.avail/yourdomain.cfg.lua, update your virtual host:
```lua
VirtualHost "yourdomain.com"
    authentication = "token"
    app_id = "your_app_id"
    app_secret = "your_app_secret"
    allow_empty_token = false
```
Step 2: Install Required Modules
Ensure mod_auth_token.lua is installed and enabled.
```bash
sudo apt install lua-cjson lua-sec
```
Restart the services:
```bash
sudo systemctl restart prosody
sudo systemctl restart jicofo
sudo systemctl restart jitsi-videobridge2
```
5. Creating JWT Tokens for Jitsi
You can generate JWTs using Node.js, Python, or any backend language.
Sample JWT Payload
```json
{
  "aud": "your_app_id",
  "iss": "your_app_id",
  "sub": "yourdomain.com",
  "room": "conference1",
  "exp": 1712366400,
  "context": {
    "user": {
      "name": "John Doe",
      "email": "john@example.com"
    }
  }
}
```
Sign it using your secret key (app_secret) with HMAC SHA-256.
6. Adding Claims to Your JWT Payload
To fine-tune permissions, add custom claims:
- **room:** Limits access to a specific room
- **moderator:** Grants host-level controls
- **context.user:** Pass user metadata for display
This is useful when embedding Jitsi into portals or dashboards.
7. Frontend Integration: Embedding Jitsi with JWT
Use the Jitsi Meet IFrame API to embed meetings.
```javascript
const domain = "yourdomain.com";
const options = {
  roomName: "conference1",
  parentNode: document.querySelector('#meet'),
  jwt: "your_generated_token"
};
const api = new JitsiMeetExternalAPI(domain, options);
```
8. Securing JWT Tokens and Best Practices
Keep your tokens safe. Here’s how:
- Use short expiration times (e.g., 5–15 minutes)
- Sign tokens server-side only
- Avoid storing tokens in local storage
- Use HTTPS for all communication
This ensures your meetings aren’t hijacked or abused.
9. Common Issues and Troubleshooting
Error: “Invalid JWT” or “Not authorized”
- Check token signature, app_id, and app_secret
Blank screen or connection error
- Ensure Prosody is restarted and the plugin is loaded
Room mismatch
- Token room must match the one the user is trying to join
Use browser dev tools and Jitsi logs (/var/log/prosody/) to debug.
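The following Node.js sketch is an added example, not part of the original article and not Jitsi or Prosody code. It signs the section 5 payload with HMAC SHA-256 using a short lifetime (section 8), then runs the checks from the troubleshooting list above offline so you can see which one a token fails. The helper names `issueToken` and `checkToken` are hypothetical, and the check order is an assumption rather than Prosody's actual logic.

```javascript
// Added example, not Jitsi or Prosody code; helper names are hypothetical.
const nodeCrypto = require("crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const hmac = (data, secret) =>
  nodeCrypto.createHmac("sha256", secret).update(data).digest();

// Build the payload from section 5 with a short lifetime (section 8).
function issueToken({ appId, appSecret, domain, room, user, ttlSeconds = 600, now = Date.now() }) {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = {
    aud: appId, iss: appId, sub: domain, room,
    exp: Math.floor(now / 1000) + ttlSeconds,
    context: { user },
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${hmac(signingInput, appSecret).toString("base64url")}`;
}

// Return the first failing check, or "ok" (assumed order, for debugging only).
function checkToken(token, { appId, appSecret, room, now = Date.now() }) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch { return "malformed"; }
  if (!header || !payload) return "malformed";
  if (header.alg !== "HS256") return "bad-alg"; // pin the algorithm, reject "none"
  const expected = hmac(`${parts[0]}.${parts[1]}`, appSecret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    return "bad-signature";
  if (payload.iss !== appId || payload.aud !== appId) return "app-id-mismatch";
  if (typeof payload.exp !== "number" || payload.exp * 1000 <= now) return "expired";
  if (payload.room !== room) return "room-mismatch";
  return "ok";
}

// Constructed sample values; the secret is a placeholder, not a real key.
const cfg = { appId: "your_app_id", appSecret: "your_app_secret", domain: "yourdomain.com" };
const sampleToken = issueToken({ ...cfg, room: "conference1",
  user: { name: "John Doe", email: "john@example.com" } });
console.log(checkToken(sampleToken, { ...cfg, room: "conference1" })); // ok
```

Run it with `node` on the backend that holds app_secret; the secret never needs to reach the browser for this check.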
10. Use Case Example: SaaS Integration with JWT
Imagine you’re running a telehealth platform. Patients can only talk to assigned doctors. Here’s how JWT helps:
- User logs in to your portal
- Your backend issues a JWT for a private room
- Jitsi verifies the token, ensuring only invited users can join
- No need for extra logins or passwords
This streamlines user experience while keeping calls secure.
Conclusion
Setting up JWT authentication with Jitsi Meet may seem technical, but it’s a powerful way to secure your video meetings. From generating tokens to embedding them in your app, every step adds a layer of trust and control.
If you’re running a multi-user platform, building a SaaS product, or simply want to lock down access, using JWT is the way to go.
FAQ
No. JWT authentication requires a self-hosted Jitsi instance.
Short durations (5–15 mins) are best for security.
Technically yes, but it's insecure. Always generate tokens server-side.
Yes. Restart prosody, jicofo, and videobridge.
Yes, but it's more complex. You’d need a separate virtual host config.