JWT authentication with optional moderation


I am looking for some guidance on how best to achieve my desired use case.

I have a self-hosted Jitsi instance that I use via API from my website. The use case is that website members can join large calls for scheduled events, but there is no presenter or moderation required for the event to happen.

Currently, with JWT authentication, all users are moderators, which has some challenges I need to resolve.

  • I would like the ability for a moderator to join the event via a password or private token if required
  • All other users to be guests (no access to kick out button etc)
  • Event to start and complete with no moderation (if no moderation is required)

The reason I use JWT authentication is to restrict access from my website only. Would it be better to not use tokens for guests (enableUserRolesBasedOnToken), but restrict IP access from my webserver, or limit access to API only?

Thanks all in advance! I have already learned a lot from this community.

You can turn it on and enable allow_empty_token so guests can connect with no token.

Wait, so if we require JWT auth for accessing the server, it defaults all entrants to moderator?

Can this be avoided? Or is that the current functionality? And allowing users to enter as guests would be the only option to restrict moderator access?

Yep, this is how it is currently working. Search the forum; someone proposed a change so that you can add a field in the token to set moderator or not.

Thanks, I can confirm that this works to allow guests to join but unfortunately, it breaks some other requirements:

  1. The ability for an event to run unmoderated
  2. Block access to all rooms if not coming from my website

I did see the post about moderator tokens, but it does not solve requirement #1 here unless I can also allow guests to start a room?
My understanding is that a default setup without the secure domain will just make the first guest a moderator anyway?


I have set up the token moderation plugin (link below) and I believe this has resolved all of my challenges.

  • Any user can start or join a call and only receive guest access
  • A moderator can also join the call and receive moderator access (kick/mute etc)
  • The call will start and also continue with no moderators present
  • JWT authentication is still being used so access is restricted

I will continue to test and post any updates if I learn of any limitations.
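
An added example, not part of the thread and not the plugin's own code: how a website backend could issue guest and moderator tokens for the setup described above. It assumes the plugin reads a top-level boolean `moderator` claim and that the other claims follow the usual Jitsi JWT layout; `APP_ID`, `APP_SECRET`, `XMPP_DOMAIN` and the function names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder values; the real ones come from your Prosody config.
APP_ID = "example_app_id"
APP_SECRET = b"constructed-secret-not-for-production"
XMPP_DOMAIN = "meet.example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    mac = hmac.new(APP_SECRET, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def mint_token(room, display_name, moderator=False, ttl=300, now=None):
    """Server-side only: issue a short-lived HS256 token for one room."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": APP_ID, "aud": APP_ID, "sub": XMPP_DOMAIN,
        "room": room,                  # scope the token to a single event
        "exp": now + ttl,              # short lifetime limits link sharing
        "moderator": bool(moderator),  # assumed claim read by the plugin
        "context": {"user": {"name": display_name}},
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + sign(signing_input)

def verify_token(token, now=None):
    """Local self-check (not Prosody's code): payload dict, or None if bad."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(f"{head}.{body}"), sig):
            return None
        payload = json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    return payload if payload.get("exp", 0) > now else None
```

Because the `moderator` claim sits inside the signed payload, a guest who edits it in their own token invalidates the signature; the secret must stay on the web server and never reach the browser.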

Hey guys. We also set up this moderator plugin and it’s working great.

What is the version of your Prosody?
Have you applied the muc_owner_allow_kick.patch patch to Prosody?
Can you share your Prosody and Jicofo configurations?

It is a fresh installation following the instructions below, no additional patches or configurations.

Thanks for the reply.
Just to confirm, what is your OS and its version, and your Prosody version?

Ubuntu 18.04.3 and Prosody 11.5

And you did not encounter any difficulty in the Luarocks installation for Lua 5.2 on Ubuntu 18.04?

Nope. Fresh server and I followed those instructions line by line.

You are a great help, thanks for the confirmation.


  • Set the ENV XMPP_MUC_MODULES=token_moderation for prosody at .env or docker-compose.yml.
  • Add the file mod_token_moderation.lua to the image at /prosody-plugins-custom. You can use as an example the Dockerfile or you can mount the file directly into the container.

Would you have any further explanation of this?
I do not understand these commands.