Skip to main content

Secure Domain setup

It is possible to allow only authenticated users to create new conference rooms. Whenever a new room is about to be created, Jitsi Meet will prompt for a user name and password. After the room is created, others will be able to join from anonymous domain. Here's what has to be configured:

Prosody configuration

If you have installed Jitsi Meet from the Debian package, these changes should be made in /etc/prosody/conf.avail/[your-hostname].cfg.lua

Enable authentication

Inside the VirtualHost "[your-hostname]" block, replace anonymous authentication with hashed password authentication:

VirtualHost ""
authentication = "internal_hashed"

Replace with your hostname.

Enable anonymous login for guests

Add this block after the previous VirtualHost to enable the anonymous login method for guests:

VirtualHost ""
authentication = "anonymous"
c2s_require_encryption = false

Note that is internal to Jitsi, and you do not need to (and should not) create a DNS record for it, or generate an SSL/TLS certificate, or do any web server configuration. While it is internal, you should still replace with your hostname.

Jitsi Meet configuration

In config.js, the anonymousdomain options has to be set.

If you have installed jitsi-meet from the Debian package, these changes should be made in /etc/jitsi/meet/[your-hostname]-config.js.

var config = {
hosts: {
domain: '',
anonymousdomain: '',

Jicofo configuration

When running Jicofo, specify your main domain in an additional configuration property. Jicofo will accept conference allocation requests only from the authenticated domain. This should go as a new 'authentication' section in /etc/jitsi/jicofo/jicofo.conf:

jicofo {
authentication: {
enabled: true
type: XMPP

When using token based authentication, the type must use JWT as the scheme instead:

jicofo {
authentication: {
enabled: true
type: JWT

Create users in Prosody (internal auth)

Finally, run prosodyctl to create a user in Prosody:

sudo prosodyctl register <username> <password>

and then restart prosody, jicofo and jitsi-videobridge2

systemctl restart prosody
systemctl restart jicofo
systemctl restart jitsi-videobridge2

Docker users may require an alternate config path. Users of the official jitsi/prosody image should invoke prosodyctl as follows.

prosodyctl --config /config/prosody.cfg.lua register <username> meet.jitsi <password>

Full documentation for prosodyctl can be found on the official site.

Optional: Jigasi configuration

Enable Authentication

If you are using Jigasi, set it to authenticate by editing the following lines in /etc/jitsi/jigasi/


Note that the password is the actual plaintext password, not a base64 encoding.


If you experience problems with a certificate chain, you may need to uncomment the following line, also in

This should only be used for testing/debugging purposes, or in controlled environments. If you confirm that this is the problem, you should then solve it in another way (e.g. get a signed certificate for Prosody, or add the particular certificate to Jigasi’s trust store).