Creating JWT Token using REST in JItsi_prosody

I am trying to create a REST server which will accept the participant name and mail the meeting link with JWT token to that participant.
But i am running into the below issue as attached in screenshot.
When i try to click on Share meeting invitation dropdown I have written a REST call to generate token.

Lua Script for generating jwt token

module:provides("http", {
    route = {
        ["POST"] = function (event) 
        local req = json.decode(event.request.body);
        print("Request Data From Jitsi API ---->", req);
        if == "" or == "" then return "Name Or Email Id missing" end;
        if req.exp == nil or req.exp == "" then req.exp = 3600 end;
        if req.meetingId == "" or req.meetingId == nil then req.meetingId = to_hex(random_bytes(6)) end;
        local payload = {
                aud = "jitsi",
                sub = host,
                room = req.meetingId,
                iss = app_id,
                nbf = os.time(),
                exp = os.time() + req.exp,
                context = {
                    user = {name =, email =},
        local token, err = jwt.encode(payload, key, alg)
        local resp = {
                meetingId = req.meetingId,
                meetingLink = "https://"..parentHostName.."/"..req.meetingId.."?jwt="..token,
        return json.encode(resp);

Glad if anyone can help

In your nginx config you need to proxy the token path to prosody and make sure you load the module under your virtual host for that domain.

Hi @damencho
Below is my prosody.conf

-- Prosody XMPP Server Configuration
-- Information on configuring Prosody can be found on our
-- website at
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
--     prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
-- Good luck, and happy Jabbering!

---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see for info)
-- Example: admins = { "", "" }
admins = { }

component_ports = { 5347 }
component_interface = ""
-- Enable use of libevent for better performance under high load
-- For more information see:
--use_libevent = true

-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see
--plugin_paths = {}
plugin_paths = { "/usr/local/lib/prosody/modules" }

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at:
modules_enabled = {

	-- Generally required
		"roster"; -- Allow users to have a roster. Recommended ;)
		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
		"tls"; -- Add support for secure TLS on c2s/s2s connections
		"dialback"; -- s2s dialback support
		"disco"; -- Service discovery

	-- Not essential, but recommended
		"carbons"; -- Keep multiple clients in sync
		"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
		"private"; -- Private XML storage (for room bookmarks, etc.)
		"blocklist"; -- Allow users to block communications with other users
		"vcard4"; -- User profiles (stored in PEP)
		"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
		"limits"; -- Enable bandwidth limiting for XMPP connections

	-- Nice to have
		"version"; -- Replies to server version requests
		"uptime"; -- Report how long server has been running
		"time"; -- Let others know the time here on this server
		"ping"; -- Replies to XMPP pings with pongs
		"register"; -- Allow users to register on this server using a client and change passwords
		--"mam"; -- Store messages in an archive and allow users to access it
		--"csi_simple"; -- Simple Mobile optimizations

	-- Admin interfaces
		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

	-- HTTP modules
		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
		--"websocket"; -- XMPP over WebSockets
		--"http_files"; -- Serve static files from a directory over HTTP

	-- Other specific functionality
		--"groups"; -- Shared roster support
		--"server_contact_info"; -- Publish contact information for this service
		--"announce"; -- Send announcement to all online users
		--"welcome"; -- Welcome users who register accounts
		--"watchregistrations"; -- Alert admins of registrations
		--"motd"; -- Send a message to users when they log in
		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
	-- "offline"; -- Store offline messages
	-- "c2s"; -- Handle client connections
	-- "s2s"; -- Handle server-to-server connections
	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

-- Disable account creation by default, for security
-- For more information see
allow_registration = false

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = false

-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.

s2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?

s2s_secure_auth = false

-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.

--s2s_insecure_domains = { "insecure.example" }

-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "" }

-- Enable rate limits for incoming client and server connections

limits = {
  c2s = {
    rate = "10kb/s";
  s2sin = {
    rate = "30kb/s";

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/"

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.

authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.

archive_expires_after = "1w" -- Remove archived messages after 1 week

-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see

-- Logging configuration
-- For advanced logging see
log = {
	info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
	error = "/var/log/prosody/prosody.err";
	-- "*syslog"; -- Uncomment this for logging to syslog
	-- "*console"; -- Log to the console, useful for debugging with daemonize=false

-- Uncomment to enable statistics
-- For more info see
-- statistics = "internal"

-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see

-- Location of directory to find certificates in (relative to main config file):
certificates = "certs"

-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "/etc/prosody/certs/localhost.crt"

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "localhost"

--VirtualHost ""
--	certificate = "/path/to/example.crt"

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see

---Set up a MUC (multi-user chat) room server on
Component "" "muc"
--- Store MUC messages in an archive and allow users to access it
modules_enabled = { "muc_mam" }

---Set up an external component (default component port is 5347)
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see:
--Component ""
--	component_secret = "password"

-- internal muc component, meant to enable pools of jibri and jigasi clients
Component "" "muc"
    modules_enabled = {
    -- storage should be "none" for prosody 0.10 and "memory" for prosody 0.11
    storage = "memory"
    muc_room_cache_size = 1000

VirtualHost ""
  modules_enabled = {
  authentication = "internal_plain"

Include "conf.d/*.cfg.lua"

nginx conf:-
location ^~ /token {
proxy_pass http://localhost:5280/token;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ‘upgrade’;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;

I have already attached my custom lua script.

You are looking at the wrong prosody config file. Your jitsi-meet config file is not this.

nano /etc/prosody/conf.d/
Is this the conf i need to edit ?

I Have now created a dummy hello REST API call in prosody using lua script.
Below are the details

nginx conf:-

location ^~ /hello {
    proxy_pass http://localhost:5280/hello;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;



local log = module._log;
local host =;
local st = require “util.stanza”;
local json = require “util.json”;
local um_is_admin = require “core.usermanager”.is_admin;
local env = module:shared("/*/admin_telnet/env");

– Now publish our HTTP ‘app’:
module:provides(“http”, {
route = {
[“POST /hello”] = function (event)
print("Hello REST API ");
log(“info”, “Hello REST API”);



registered hello in modules_enabled in /etc/prosody/prosody.cfg.lua file.

When i try to access I am getting 404 Not Found
PLease if anyone can help

The host that is set here, need to be the virtual host under which you had enabled the module.
So in the example you show, find the virtual host of, which normally is not in /etc/prosody/prosody.cfg.lua but in the included file from conf.d and enable the module for that virtual host.

My Virtual Host entry in /etc/prosody/conf.d/

VirtualHost ""
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/";
        certificate = "/etc/prosody/certs/";
    av_moderation_component = ""
    speakerstats_component = ""
    conference_duration_component = ""
    -- we need bosh
    modules_enabled = {
        "ping"; -- Enable mod_ping
    c2s_require_encryption = false
    lobby_muc = ""
    main_muc = ""
    -- muc_lobby_whitelist = { "" } -- Here we can whitelist jibri to enter lobby enabled rooms
    allow_empty_token = false

Anything else to be configured ?


Remove this

Yes removed but still the same error.

Even when i do curl -X POST http://localhost:5280/hello
I get 404 Not Found

I was explaining you how to fix this ^, which is different than curl -X POST http://localhost:5280/hello.

For you also need to make sure that the nginx rule is hit before the one for the rooms.

If you want to access it only on localhost:5280 maybe the global approach will work as you have started, create it as a global module and loaded in the main prosody config, but only from localhost.

No I dont want it from localhost.
The use case is
From Jitsi-meet → Invite More People → Call REST API of /token which is in mod_http-token.lua and send email with jwt token tot users. → Gives 404 Not Found → Main Url to be used also gives 404 Not Found

You are doing GET and your module does only POST, maybe that’s the problem.
If it is still a problem in the main prosody config turn on debug and read when its loading and when you are hitting it … and debug it.