Jitsi token authentication in header instead of URL


Is the token authentication only possible to deliver in the url?
I am trying to integrate this with Drupal, and found this:

Is there really a security risk with jitsi, that someone could find the token from the logs?

someone who have the token, can participate to Jitsi session if the token isn’t expired yet

You can also do a bit of custom logic and make the token one time use only. This way the same token cannot be used even by the authorised person.