Iframe api - how to secure configOverwrite and interfaceConfigOverwrite

I would like to use iFrame API with a self-hosted Jitsi installation.

I need to make sure that:

  1. only people I decide should be able to participate to the meeting

  2. people should have one of the following roles:

  • power user: can do a lot of things (I do not use the term “moderator” which is used by Jitsi, too)
  • simple participant: can do a few things

From my understanding (I am quite new to Jitsi):

  1. I can make sure that only authenticated people can join the meeting:
  • setting ENABLE_GUESTS=false so that unknown people cannot join the room
  • using JWT authentication, so that I can set their username, and they cannot modify it
    The main problem with this solution is that all the users authenticated using JWT are Jitsi moderators, am I missing something?
  1. I can use iFrame API to customize UI based on their application role. The problem is that a user could potentially see the HTML source code and create an HTML page with the same code, modifying only certain parameters to customize their UI. For example, in my application I would like the “power user” to create breakout rooms and to add “simple participants” to the breakout room, while “simple participants” cannot create breakout rooms and cannot join autonomously breakout rooms. I can achieve that with iFrame API, but I cannot prevent a user from downloading the page and changing the parameters to allow himself to create and join breakout rooms.
    Is there a way to enforce that configOverwrite and interfaceConfigOverwrite are not modified by the user? I think the ideal case would be to have them inside the JWT token

Not quite. You can allow/disallow certain privileges in JWT.

These are all the parameters I can put in JWT, are there more? For example, can I disable for a particular user breakout room creation directly in JWT?

  "context": {
    "features": {
      "livestreaming": false,
      "outbound-call": false,
      "sip-outbound-call": false,
      "transcription": false,
      "recording": false
    "user": {
      "hidden-from-recorder": false,
      "moderator": false,
      "name": "simple participant",
      "avatar": "",
      "email": "test.user@company.com"
  "aud": "my_jitsi_app_id",
  "iss": "my_jitsi_app_id",
  "sub": "my_jitsi_app_id",
  "room": "sampleroom2",
  "iat": 1684513860,
  "exp": 1684513860

also, “moderator”: false is not working.

If you are getting these examples from JaaS documentation, those is how JaaS is configured and it is the token to use for jaas.

Not all features from JaaS come as it is with the self-hosted deployment without manual configuration.

For example, on your self hosted deployment you can use this module prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub to control affiliation (moderator or not), similar to the example you posted above "moderator": true, but with that module it is "affiliation": "owner".

FYI: it accepts also "moderator": true

1 Like

Most probably you enabled the external auth in jicofo. In this case, the participant will be moderator if she has a token.

Thanks, now it makes perfectly sense.

I tried to use mod_token_affiliation, but it is not working. I just created a post with all the details.