JWT security question for Jitsi Meet External API

I’ve set up JWT auth security for a private instance of Jitsi where all users (mods/guests) must have tokens to access rooms. I’m trying to wrap my head around how the security works to prevent bad actors from gaining access.

If an authenticated user is granted a token to access a room, would it not be fairly trivial for this user to distribute his token to allow others to access that same room? Is there any security mechanism to ensure that the token only works for the user it is granted to?

Appreciate the help. Total security n00b here!

Not a dev with Jitsi, just bumping the thread with my own thoughts on this.

Generally with JWT based authentication you place a timer on the issued token so it would expire after a certain amount of time. This is always a good idea. However, if the token got stolen once you have to ask yourself if this couldn’t happen again. So basically when you’re giving someone a mod token, you should be reasonably confident in their ability to keep it safe or else not provide them one. Similar with usernames and passwords really.

As far as I know the only thing you can test is if the state of the token changed since you created (and signed) it, in other words, if someone tampered with it. I don’t think it is possible to check if the JWT got shared with anyone else. Unless your security system requires that person to sign something with their own private key each time they connect. But again, you have to trust them to keep their key safe.
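The two checks described above (has the token been tampered with, and has it expired) plus a room binding, as an added example; this is not code from the thread or from Jitsi itself. It assumes an HS256 app secret and Jitsi-style `room`/`exp` claims with placeholder values. Note that none of these checks can tell whether a valid token was handed to someone else.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder; a real deployment uses its own app_secret.
SECRET = b"example-app-secret-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(room: str, user: str, ttl_seconds: int, now=None) -> str:
    """Sign a short-lived HS256 token bound to a single room."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": "jitsi", "iss": "my_app", "sub": "meet.example.com",
               "room": room, "exp": now + ttl_seconds,
               "context": {"user": {"name": user}}}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, room: str, now=None):
    """Return (ok, reason): checks alg, signature, expiry and room binding."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # never let the token choose the alg
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"  # header or payload was altered
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("room") not in (room, "*"):
        return False, "wrong room"
    # A shared but unmodified, unexpired token passes every check here.
    return True, "ok"
```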

Hi

Can you please let me know how you did this? A guide would be helpful.

In my use case, all attendees use tokens, not just mods. Hence my fear that they distribute a token, permitting others to join.