I started using the dev branch of the Docker install for the JWT stuff.
I used https://jwt.io/ to create tokens based on the stuff I filled in the .env file with, the creds along with the room names. I believe that I do this part right because the tokens seem to work well.
I use it like this
(jumbled it a bit to hide creds)
Basically this seems to work: the others and I can join the room without a password, and no room can be created without a proper token. It all sounds good.
The issue I am having is that if I put the whole token back in https://jwt.io/ (in the big space block on the left) I get all the passwords and the creds back which means that anyone that has my token can access those and create new ones etc.
I am sure this is not the right way to use it since this is a huge security risk. Where am I doing this wrong?
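
The behaviour described in the post, as an added example that is not part of the original post or of the project's code: a standard HS256 JWT has a payload that is only base64url-encoded, so anyone holding the token can read every claim, while the signing secret never appears in the token and is what stops a holder from altering claims. The secret, claim values and function names below are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; stays server-side, never placed in a claim
CLAIMS = {"iss": "demo_app", "room": "standup", "exp": 4102444800}  # constructed sample claims

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def read_claims_without_key(token: str) -> dict:
    # What a JWT debugger does when a token is pasted in: decode only, no secret needed.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_signature(token: str, secret: bytes) -> bool:
    # Signature check only; a real verifier also checks exp, aud and similar claims.
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        given = b64url_decode(sig)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return alg == "HS256" and hmac.compare_digest(given, expected)

def tampered_copy(token: str, room: str) -> str:
    # Edit a claim but reuse the old signature, as a holder without the secret would have to.
    head, _, sig = token.split(".")
    claims = read_claims_without_key(token)
    claims["room"] = room
    return f"{head}.{_segment(claims)}.{sig}"

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(read_claims_without_key(token))                                # readable by any holder
    print(verify_signature(token, SECRET))                               # True
    print(verify_signature(tampered_copy(token, "other-room"), SECRET))  # False
```

Anything placed in the claims should be treated as visible to every token holder; passwords and the signing secret belong only in server-side configuration.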