How to JWT properly?

Hi

I started using the dev branch of the Docker install for the JWT stuff.

I used https://jwt.io/ to create tokens based on the stuff I filled in the .env file with the creds, along with the room names. I believe that I do this part right because the tokens seem to work well.

I use it like this

(jumbled it a bit to hide creds)

ROOM?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IXXXXCJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsiYXZhdGFyIjoiaHR0cHM6Ly9yb2JvaGFzaC5vcmcvam9obi1kb2UiLCJuYW1lIjoiSm9obiBEb2UXXXXlbWFpzCIXXXXkb2VAZXhhbXBsZS5j320ifX0sImF1ZCI6Ing5MF9JbnNhbl9NZWV0X1VwIiwiaXNzIjoieDkwX0luc2FuX01lZXRfVXAXXXXzdWIiOiJtZWV0LmppdHNpIiwicm9vbSI6IkV2XXXXbGlzaSJ9.ZyTDGJNP38dcjY2XXXXt_pJgI_dRD0u62-jXveEt084

Basically this seems to work: I and the others can join the room without a password, and no room can be created without a proper token. It all sounds good.

The issue I am having is that if I put the whole token back in https://jwt.io/ (in the big space block on the left) I get all the passwords and the creds back, which means that anyone that has my token can access those and create new ones etc.

I am sure this is not the right way to use it, since this is a huge security risk. Where am I doing this wrong?

Why do you pass passwords?
The idea of a JWT is that it holds some information about the user and some other features or rules, and it is signed in a way that can be verified server side and trusted.
It is like a digital signature: it does not encrypt and hide the content, it is just a way to verify that the content can be trusted.

Well, I cobbled together what to put in the https://jwt.io site's generator from some posts here and from the wiki. It was recommended to put those like below

(all three sections)

HEADER:

{
  "alg": "HS256",
  "typ": "JWT"
}

PAYLOAD:

{
  "context": {
    "user": {
      "avatar": "https://robohash.org/john-doe",
      "name": "John Doe",
      "email": "jdoe@example.com"
    }
  },
  "aud": "JWT_APP_ID",
  "iss": "JWT_APP_ID",
  "sub": "meet.jitsi",
  "room": "ROOM_NAME"
}
VERIFY SIGNATURE:

CRED_IN_.ENV_JWT_APP_SECRET

Then I use the final token with ROOM?jwt=TOKEN

If I am doing it wrong, can you please tell me how I am supposed to use this?

That seems fine.
The JWT_APP_SECRET is configured in prosody and in the service that generates your tokens. So the service adds the relevant information and signs it with the shared key. Prosody receives the token and can verify that the token was created by your service, and can trust it and allow that participant to enter the room with name ROOM_NAME and use the name, avatar and email for it.
Anyone with the token can see its content but cannot change it, because they must know the shared key in order to sign it.
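The two replies above (a JWT is signed, not encrypted; the payload is readable by anyone, but only the holder of the shared secret can produce a valid signature) can be checked end to end with the payload from this thread. The following is an added example, not code from the thread or from Jitsi/Prosody: it builds an HS256 token with the Python standard library only, reads the claims back without any key (what jwt.io does in the left-hand box), verifies the signature the way Prosody does with the shared JWT_APP_SECRET, and shows that changing the room claim or guessing the secret makes verification fail. The secret value and the `tamper_room` helper are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Shared secret: in the real deployment this is JWT_APP_SECRET from the .env
# file and the same value configured in Prosody. Placeholder value, constructed
# for this example.
APP_SECRET = "CRED_IN_.ENV_JWT_APP_SECRET"

# The payload posted in the thread, used as sample input.
CLAIMS = {
    "context": {
        "user": {
            "avatar": "https://robohash.org/john-doe",
            "name": "John Doe",
            "email": "jdoe@example.com",
        }
    },
    "aud": "JWT_APP_ID",
    "iss": "JWT_APP_ID",
    "sub": "meet.jitsi",
    "room": "ROOM_NAME",
}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: str) -> str:
    """Token-generating service: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(payload)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is only base64url, not encrypted."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Prosody's side: recompute the MAC with the shared secret and compare in
    constant time. Returns the claims if the signature is valid, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to choose "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_room(token: str, new_room: str) -> str:
    """Hypothetical attacker step: rewrite the room claim but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["room"] = new_room
    return header_b64 + "." + _json_segment(claims) + "." + sig_b64


if __name__ == "__main__":
    token = sign_hs256(CLAIMS, APP_SECRET)
    print("token:", token)
    print("room readable with no key:", read_claims_without_key(token)["room"])
    print("valid with shared secret:", verify_hs256(token, APP_SECRET) is not None)
    print("valid with guessed secret:", verify_hs256(token, "guess") is not None)
    print("tampered room still valid:", verify_hs256(tamper_room(token, "OTHER_ROOM"), APP_SECRET) is not None)
```

The header segment this produces starts with the same `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.` as the token in the question, which is simply `{"alg":"HS256","typ":"JWT"}` in base64url. Note that while the secret cannot be recovered from a token, the token itself is a bearer credential: whoever has the `ROOM?jwt=...` URL can join that room with those claims, so the link should be treated as sensitive even though it contains no password.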

Thanks, that makes sense. I just tried it on that website and indeed the shared key was not recovered.