lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Jitsi Meet

Jitsicollaboration4 credentials

Credentials4 documented
01

Prosody / Secure Domain User Password

jitsi-meet / prosody-user-password

Jitsi Meet secure domain configuration prompts users for a username and password before allowing creation of new rooms. Jitsi documentation shows configuring Prosody authentication for authenticated room creation.

user definedsecretusername/password

Location

config file
/etc/prosody/conf.avail/*.cfg.lua

Prosody virtual host authentication configuration for Jitsi Meet

database

Prosody internal storage or configured auth backend containing user password verifier data

secret store

deployment secrets, Ansible Vault, Kubernetes Secrets, and password vaults

source code

Docker Compose files, Helm values, and committed Prosody configs

logs

Prosody authentication logs and Jitsi troubleshooting output

public interface
Jitsi Meet web UI, XMPP BOSH/WebSocket

Notes

Secure-domain user credentials control who can create rooms, not necessarily who can join existing anonymous-guest rooms.

02

Jicofo / JVB / Prosody Component Secrets

jitsi-meet / component-shared-secrets

Jitsi Meet deployments use Prosody component and service account secrets for components such as Jicofo and Jitsi Videobridge. Package and Docker deployments store these in Prosody and Jitsi component configuration.

generated on installsecretsecret value

Location

environment
JICOFO_AUTH_PASSWORD, JVB_AUTH_PASSWORD, JIGASI_XMPP_PASSWORD, JIBRI_XMPP_PASSWORD
config file

Prosody config, jicofo.conf, sip-communicator.properties, JVB config, and .env files

secret store

Docker/Kubernetes secrets, Ansible Vault, and cloud secret managers

source code

committed .env files, Docker Compose configs, Helm values, and deployment scripts

logs

XMPP component authentication errors and startup traces

Notes

Component secrets can let an attacker impersonate core Jitsi services on the XMPP control plane.

03

JWT App Secret

jitsi-meet / jwt-app-secret

Jitsi Meet supports token authentication for deployments that require JWTs to authorize meetings. Token auth uses application IDs/secrets to validate signed meeting tokens.

user definedsecretsecret value

Location

config file

Prosody token authentication config, Jitsi web config.js, and deployment .env files

environment
JWT_APP_ID, JWT_APP_SECRET, ENABLE_AUTH, ENABLE_GUESTS
secret store

Kubernetes Secrets, deployment vaults, and cloud secret managers

source code

token generator code, tests, Docker Compose files, and Helm values

logs

JWT validation errors and authentication debug output

Notes

JWT app secrets can mint tokens accepted by the Jitsi deployment until rotated or invalidated.

04

Room Password

jitsi-meet / room-password

Jitsi Meet rooms can be protected with a password set from the meeting UI. Jitsi documentation describes room-level password access control managed inside rooms after creation.

user definedsecretpassword

Location

public interface
Jitsi Meet room UI

room-level password prompt for attendees

logs

browser automation, test logs, or meeting support traces if room passwords are recorded

source code

automated meeting tests and integration scripts

Notes

Room passwords are ephemeral collaboration secrets and are separate from deployment admin or component credentials.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.