JWT authentication now working



I have configured jwt token auth as per https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md.

But my setup is not working.

i am using below payload and generated token from jwt.io

“aud”: “jitsi”,
“sub”: “hello.liquidclouds.in”,
“iss”: “jitsi_app_it”,
“room”: “*”,
“exp”: 1600006923


my prosody logs showing.

Dec 04 20:01:07 mod_bosh info New BOSH session, assigned it sid ‘7667749b-1739-4f15-938a-d9800390bc47’
Dec 04 20:01:08 general warn Error verifying token err:not-allowed, reason:token required
Dec 04 20:01:30 bosh7667749b-1739-4f15-938a-d9800390bc47 info BOSH client disconnected: session close
Dec 04 20:02:26 mod_bosh info New BOSH session, assigned it sid ‘6b90de89-bb06-4aa3-b7f5-7ee90266ac6a’
Dec 04 20:02:26 general warn Error verifying token err:not-allowed, reason:token required
Dec 04 20:03:11 bosh6b90de89-bb06-4aa3-b7f5-7ee90266ac6a info BOSH client disconnected: session close
Dec 04 20:03:31 mod_bosh info New BOSH session, assigned it sid ‘17129cac-0f61-42eb-9f69-898e70740ff5’
Dec 04 20:03:32 general warn Error verifying token err:not-allowed, reason:token required
Dec 04 20:04:02 bosh17129cac-0f61-42eb-9f69-898e70740ff5 info BOSH client disconnected: session close

please help here if i missed any thing in setup.
if required i can share prosody configs.


adding prosody configs.


admins = { }
modules_enabled = {
– Generally required
“roster”; – Allow users to have a roster. Recommended :wink:
“saslauth”; – Authentication for clients and servers. Recommended if you want to log in.
“tls”; – Add support for secure TLS on c2s/s2s connections
“dialback”; – s2s dialback support
“disco”; – Service discovery
– Not essential, but recommended
“carbons”; – Keep multiple clients in sync
“pep”; – Enables users to publish their avatar, mood, activity, playing music and more
“private”; – Private XML storage (for room bookmarks, etc.)
“blocklist”; – Allow users to block communications with other users
“vcard4”; – User profiles (stored in PEP)
“vcard_legacy”; – Conversion between legacy vCard and PEP Avatar, vcard
– Nice to have
“version”; – Replies to server version requests
“uptime”; – Report how long server has been running
“time”; – Let others know the time here on this server
“ping”; – Replies to XMPP pings with pongs
“register”; – Allow users to register on this server using a client and change passwords
–“mam”; – Store messages in an archive and allow users to access it
–“csi_simple”; – Simple Mobile optimizations
– Admin interfaces
“admin_adhoc”; – Allows administration via an XMPP client that supports ad-hoc commands
–“admin_telnet”; – Opens telnet console interface on localhost port 5582
– HTTP modules
–“bosh”; – Enable BOSH clients, aka “Jabber over HTTP”
–“websocket”; – XMPP over WebSockets
–“http_files”; – Serve static files from a directory over HTTP
– Other specific functionality
–“limits”; – Enable bandwidth limiting for XMPP connections
–“groups”; – Shared roster support
–“server_contact_info”; – Publish contact information for this service
–“announce”; – Send announcement to all online users
–“welcome”; – Welcome users who register accounts
–“watchregistrations”; – Alert admins of registrations
–“motd”; – Send a message to users when they log in
–“legacyauth”; – Legacy authentication. Only used by some old clients and bots.
–“proxy65”; – Enables a file transfer proxy service which clients behind NAT can use
modules_disabled = {
– “offline”; – Store offline messages
– “c2s”; – Handle client connections
– “s2s”; – Handle server-to-server connections
– “posix”; – POSIX functionality, sends server to background, enables syslog, etc.
allow_registration = false
c2s_require_encryption = false
s2s_require_encryption = false
s2s_secure_auth = false
pidfile = “/var/run/prosody/prosody.pid”
archive_expires_after = “1w” – Remove archived messages after 1 week
log = {
info = “/var/log/prosody/prosody.log”; – Change ‘info’ to ‘debug’ for verbose logging
error = “/var/log/prosody/prosody.err”;
– “*syslog”; – Uncomment this for logging to syslog
– “console"; – Log to the console, useful for debugging with daemonize=false
certificates = “certs”
Include "conf.d/

domain prosody config

– Plugins path gets uncommented during jitsi-meet-tokens package install - that’s where token plugin is located
plugin_paths = { “/usr/share/jitsi-meet/prosody-plugins/” }

VirtualHost “hello.liquidclouds.in”
– enabled = false – Remove this line to enable this host
authentication = “token”
– Properties below are modified by jitsi-meet-tokens package config
– and authentication above is switched to “token”
– Assign this host a certificate for TLS, otherwise it would use the one
– set in the global section (if any).
– Note that old-style SSL on port 5223 only supports one certificate, and will always
– use the global one.
ssl = {
key = “/etc/prosody/certs/hello.liquidclouds.in.key”;
certificate = “/etc/prosody/certs/hello.liquidclouds.in.crt”;
– we need bosh
modules_enabled = {
“ping”; – Enable mod_ping

    c2s_require_encryption = false

Component “conference.hello.liquidclouds.in” “muc”
storage = “null”
modules_enabled = { “token_verification” }
admins = { “focus@auth.hello.liquidclouds.in” }

Component “jitsi-videobridge.hello.liquidclouds.in”
component_secret = “hBqspLBX”

VirtualHost “auth.hello.liquidclouds.in”
ssl = {
key = “/etc/prosody/certs/auth.hello.liquidclouds.in.key”;
certificate = “/etc/prosody/certs/auth.hello.liquidclouds.in.crt”;
authentication = “internal_plain”

Component “focus.hello.liquidclouds.in”
component_secret = “ILQXXy6u”


working fine after reinstalling prosody trunk vresion 747 earlier it was lastest one.

found this workaround in some other thread …:slight_smile: