Jwt authentication how to build asap_key_server for sso

Hi @damencho,
I’m using mysql to authentication. Now i want to use jwt authentication for sso.
But i dont know how to build a asap_key_server and authentication workflow using asap key server.
Could you explain more about that and tell me how can build a asap key server.

Thanks so much.

The asap key server is a web server just holding a public keys, where you sign your jwt tokens using the private key and prosody just downloads the public key to verify the tokens.

Hi @damencho,
kid: is in the header of token jwt that is public key? if i want save it on the jitsi serve how can i config kid parameter? And i dont know how can make a public key?
Pls help me how to do it.



Please let us know how to build an asap_key_server on jitsi. I get that it’s a webserver, but not sure how to set that up. We have an existing Nginx here, should we add some conf there? Or should we setup a simple python server?

What is the best approach here?

Thanks in advance.

asap_key_server is not a must for JWT. If the problem is a not-working JWT, this is not the solution.

I was able to make it work with just the app id and secret. I want to set up JWT based on the public keys and private keys. I wasn’t able to find a good guide about that anywhere. Can you suggest one or guide me on it?

I’m not sure, where to keep the keys on the jitsi server and how to point to them on jitsi configurations.

The key server is just a webserver holding the public keys. Where the filename should be something like echo -n priv_key_filename | shasum -a 256 with .pem at the end.

1 Like

Thanks, @damencho. This helped a lot

@Vyshak_M Can you share me the procedure how you achieved it? Thank you in advance.

While installing jitsi, we also install a nginx webserver along with it as a dependency. The default configuration exists in the following location.


This contains the normal jitsi stuff. I have added a server block at the end of this conf file.

server {
     listen       8000;
     server_name  localhost;

     location / {
         root /path/to/key_dir;

Once this is done you can put the keys in this document_root. The name should be the sha256. If the keyname is


You can convert it by doing this.

echo -n secret_key | shasum -a 256
6523e58bc0eec42c31b9635d5e0dfc23b6d119b73e633bf3a5284c79bb4a1ede  -

So the key file should be named;


Once this is done, you can try it out by creating a jwt from https://jwt.io
You can use this as the header;

  "kid": "secret_key",
  "typ": "JWT",
  "alg": "RS256"