Releases: element-hq/lk-jwt-service
Release list
v0.5.0
Secure-by-default access control configuration
This release removes an insecure default that silently granted any federated Matrix user the right to trigger LiveKit room creation on the operator's SFU. LIVEKIT_FULL_ACCESS_HOMESERVERS no longer falls back to * wildcard implicitly and is now a required setting. the service refuses to start without it.
Alongside, the long-deprecated LIVEKIT_LOCAL_HOMESERVERS environment variable has been removed.
Warning
Action required before upgrading.
- Existing deployments that relied on the implicit
*wildcard default or onLIVEKIT_LOCAL_HOMESERVERSmust now setLIVEKIT_FULL_ACCESS_HOMESERVERSexplicitly. - Setting it to
*reproduces the old wildcard behavior, but listing the Matrix server name(s) of the homeserver(s) you intend to serve is strongly recommended. See the README for guidance.
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.5.0
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- Log the errors that cause "Unable to create room on SFU" by @reversefold in #177
- Update module go.opentelemetry.io/otel to v1.41.0 [SECURITY] by @renovate[bot] in #178
- Update all non-major dependencies by @renovate[bot] in #179
- Update github.com/matrix-org/gomatrixserverlib digest to c9c4687 by @renovate[bot] in #182
- Update all non-major dependencies by @renovate[bot] in #183
- Require LIVEKIT_FULL_ACCESS_HOMESERVERS explicitly; drop wildcard default by @fkwp in #184
New Contributors
- @reversefold made their first contribution in #177
Full Changelog: v0.4.4...v0.5.0
v0.4.4
Towards Delegation of Delayed Events
This release updates the service to accept the JSON signature required for the delegation of MatrixRTC membership leave events, as specified in MSC4195.
Note: This update specifically addresses the JSON signature for JWT request. Comprehensive parsing and handling of the additional delegation data are currently in development (PR #171).
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.4.4
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- Update Docker image version in installation steps by @her001 in #175
- Adapted the lastest JSON signature from MSC4195 for SFURequest by @fkwp in #176
New Contributors
Full Changelog: v0.4.3...v0.4.4
v0.4.3
Security Update and MSC4195 Identity Alignment
This release introduces important security updates and aligns the LiveKit identity calculation with the latest MSC4195 specification.
⚠️ Breaking Change
The update to the LiveKit Identity hash calculation (#172) impacts two experimental modes in Element Call: Compatibility: state events & multi SFU and Matrix 2.0. Note that by default, these modes are not activated and Element Call will remain working with this release.
For these experimental features to function correctly, the versions of Element Call and the JWT Service must be aligned:
- Compatible: Element Call v0.19.2 or higher AND lk-jwt-service v0.4.3 or higher
- Incompatible:
- Element Call v0.19.1 or lower AND lk-jwt-service v0.4.3 or higher
- Element Call v0.19.2 or higher AND lk-jwt-service v0.4.2 or lower
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.4.3
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- Pin element-hq/setup-ess-cluster-action action to aac02ff by @renovate[bot] in #169
- Update module github.com/go-jose/go-jose/v3 to v3.0.5 [SECURITY] by @renovate[bot] in #170
- Update all non-major dependencies by @renovate[bot] in #173
- Update softprops/action-gh-release action to v3 by @renovate[bot] in #174
- Adapt LiveKit Identity hash calculation to latest MSC4195 update by @fkwp in #172
Full Changelog: v0.4.2...v0.4.3
v0.4.2
Healthcheck Improvement & Security Updates
This is a minor release focused on maintenance and small improvements.
Highlights:
Added support for the HEAD method on the healthcheck endpoint, improving compatibility with monitoring tools.
Included multiple security-related dependency updates to ensure the service remains up to date and secure.
No breaking changes are introduced in this release.
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.4.2
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- Consolidate non-major dependency updates into larger batches by @robintown in #160
- Update module github.com/pion/dtls/v3 to v3.0.11 [SECURITY] by @renovate[bot] in #154
- Update module google.golang.org/grpc to v1.79.3 [SECURITY] by @renovate[bot] in #162
- Add tests against ESS by @gaelgatelement in #164
- Update all non-major dependencies by @renovate[bot] in #165
- Update github.com/matrix-org/gomatrixserverlib digest to 20c9de3 by @renovate[bot] in #134
- Allow HEAD method on healthcheck by @VlaDexa in #151
- Push docker images also to oci.element.io by @fkwp in #166
- Update all non-major dependencies by @renovate[bot] in #167
- Update GitHub Actions (major) by @renovate[bot] in #168
New Contributors
Full Changelog: v0.4.1...v0.4.2
v0.4.1
🚀 Cont. Towards Matrix 2.0 – MatrixRTC-Authorisation Service
This release is a minor update from 0.4.0 reflecting the lastest changes in MSC4195: MatrixRTC Transport which adds unpadded base64 encoding to hashes for room alias and participant ID.
Furthermore, this release ensures compatibility between clients using the old /sfu/get endpoint and the new /get_token endpoint (details are here).
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.4.1
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- README: Use LIVEKIT_FULL_ACCESS_HOMESERVERS consistently by @csett86 in #140
- README: Describe the static binaries by @csett86 in #141
- refactor build.yaml into reusable chunks by @fkwp in #142
- fix build.yaml date determination by @fkwp in #143
- Use base64 encoded hashes for room alias and participant ID (minimize identifying metadata sent to SFU) by @robintown in #144
- Add 'synchronize' and 'opened' types to PR trigger by @fkwp in #146
- Update room alias handling in token generation for LegacySfuRequest by @fkwp in #147
New Contributors
- @robintown made their first contribution in #144
Full Changelog: v0.4.0...v0.4.1
v0.4.0
🚀 Towards Matrix 2.0 – MatrixRTC-Authorisation Service
This release brings major foundational work towards MSC4195: MatrixRTC Transport, introduces the new /get_token endpoint, improves validation and error-handling, and enhances deployment flexibility with improved bind controls.
✨ What's New
Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend
This release introduces the new MSC4195-compliant request flow and /get_token endpoint, while keeping /get/sfu available for a transition period.
Key changes:
- Added unified error handling via
writeMatrixError. - Introduced new Matrix 2.0
SFURequesttype, alongsideLegacySFURequest. - Refactored internal functions for better testability and structure.
- Added extensive new tests across request mapping, processing, and JSON handling.
- Updated logging, error codes, and user-identity checks.
🔌 Allow Binding of Arbitrary Addresses
This release improves deployment flexibility by allowing the service to bind to any or a specific address.
Features & Fixes
- feat: Introduced support for binding to arbitrary addresses.
Contributed by @matdup - fix: Documentation updated for environment variable changes.
- feat: Reintroduced
LIVEKIT_JWT_PORTfor backward compatibility.- Now mutually exclusive with
LIVEKIT_JWT_BIND. - Emits a warning when used.
- Now mutually exclusive with
- feat: Enforced mutual exclusivity between
LIVEKIT_JWT_BINDandLIVEKIT_JWT_PORT.
⚙️ Configuration
Environment Variables
| Variable | Description |
|---|---|
LIVEKIT_JWT_BIND |
Binds the service to a specific host:port (new preferred method). Defaults to :8080 |
LIVEKIT_JWT_PORT |
Deprecated but still supported. Mutually exclusive with LIVEKIT_JWT_BIND. |
Endpoint Changes
| Endpoint | Status | Notes |
|---|---|---|
/get_token |
New (Primary) | Conforms to MSC4195. |
/get/sfu |
Legacy (Transitional) | Auto-maps request types; will be removed in a future release. |
🤝 Client Compatibility
- Legacy MatrixRTC clients continue functioning via
/sfu/get. - MSC4195-aware clients should migrate to
/get_token. - Both request formats remain supported during the transition.
- Stricter validation may require client-side updates:
- Correct request field shapes
- Accurate user identity claims (
claimed_user_idvs OpenIDsub)
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.4.0
Precompiled binaries
The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below.
What's Changed
- ci: add static go releases for linux arm64 and amd64 by @csett86 in #111
- fix(deps): update github.com/matrix-org/gomatrixserverlib digest to a234d6d by @renovate[bot] in #113
- chore(deps): update dependency go to v1.24.5 by @renovate[bot] in #114
- refactor README.md by @fkwp in #115
- feat: allow binding of arbitrary addresses by @MatthieuCoder in #118
- fix(deps): update github.com/matrix-org/gomatrixserverlib digest to 6697d93 by @renovate[bot] in #120
- chore(deps): update dependency go to v1.25.3 by @renovate[bot] in #121
- Refactor config parsing by @fkwp in #125
- fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.3.0 by @renovate[bot] in #127
- chore(deps): update github actions by @renovate[bot] in #126
- Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend by @fkwp in #128
- fix: add
expires_infield toOpenIDTokenTypeby @fkwp in #130
New Contributors
- @csett86 made their first contribution in #111
- @MatthieuCoder made their first contribution in #118
Full Changelog: v0.3.0...v0.4.0
v0.3.0
🔒 Restrict SFU Room Creation to Selected Homeservers
This update introduces a infrastructure control mechanism that differentiates between full-access and restricted Matrix users when accessing the LiveKit SFU.
✨ What's New
User Differentiation -- Users are now classified into two access levels:
- Full-access users: Matrix users whose homeservers are part of the same or a related deployment as the MatrixRTC backend.
- Restricted users: All other users, typically federated users from external homeservers.
Access Behavior
- ✅ Full-access users trigger automatic LiveKit SFU room creation via the JWT service when needed.
- 🚫 Restricted users can join existing LiveKit SFU rooms but cannot trigger automatic room creation.
- 🔐 This ensures infrastructure resources are only created by user of known homeservers, preserving resource control.
Federation Compatibility
⚠️ This change does not block video conferencing across Matrix federation.- Due to the SFU selection algorithm and event timing, federated calls may still occur, but without automatic SFU provisioning for restricted users.
🛠 Configuration
- Set
LIVEKIT_FULL_ACCESS_HOMESERVERS(comma-separated) to define which homeservers are considered trusted. It supports*as a wildcard to grant full access to all users which is currently the default setting (e.g.,LIVEKIT_FULL_ACCESS_HOMESERVERS=*). - The legacy
LIVEKIT_LOCAL_HOMESERVERSvariable is also still supported for compatibility during transition. - Additionally, you must disable LiveKit's automatic room creation in the SFU's config.yaml to enforce access control:
room:
auto_create: false🧪 Client Compatibility
- This feature requires robust SFU error handling in MatrixRTC clients.
- For now, we recommend setting
LIVEKIT_FULL_ACCESS_HOMESERVERS=*(the current default setting) until client implementations are fully compliant to avoid unexpected behavior.
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.3.0
What's Changed
- Fkwp/add license header by @fkwp in #94
- Update GitHub Actions by @renovate[bot] in #99
- Update module golang.org/x/net to v0.38.0 [SECURITY] by @renovate[bot] in #97
- Update dependency go to v1.24.2 by @renovate[bot] in #98
- Update dependency go to v1.24.3 by @renovate[bot] in #101
- Update actions/setup-go action to v5.5.0 by @renovate[bot] in #102
- Update golangci/golangci-lint-action action to v8 by @renovate[bot] in #103
- Update docker/build-push-action action to v6.18.0 by @renovate[bot] in #105
- Update github.com/matrix-org/gomatrixserverlib digest to c70b213 by @renovate[bot] in #104
- Update README.md by @escix in #87
- Update module github.com/pion/interceptor to v0.1.39 [SECURITY] by @renovate[bot] in #106
- Update dependency go to v1.24.4 by @renovate[bot] in #109
- Update github.com/matrix-org/gomatrixserverlib digest to 904c8f0 by @renovate[bot] in #108
- Restrict access to LiveKit SFU by differentiating full-access and restricted Matrix users for room creation by @fkwp in #67
Full Changelog: v0.2.3...v0.3.0
v0.2.3
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.2.3
What's Changed
- Fix DNS resolution with host aliases + Fix TLS Verifiy on default transport by @gaelgatelement in #92
- Add LIVEKIT_KEY_FILE, rename env vars to _FROM_FILE and trim keys&secrets by @gaelgatelement in #93
Full Changelog: v0.2.2...v0.2.3
v0.2.2
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.2.2
What's Changed
- Document where go version comes from in Dockerfile by @hughns in #85
- Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] by @renovate in #82
- Update module github.com/redis/go-redis/v9 to v9.7.3 [SECURITY] by @renovate in #86
- Update github.com/matrix-org/gomatrixserverlib digest to 479c9ab by @renovate in #89
- Update dependency go to v1.24.1 by @renovate in #90
- Allow to read secrets and keys from files by @gaelgatelement in #88
- update README with _FILE env vars by @gaelgatelement in #91
New Contributors
- @gaelgatelement made their first contribution in #88
Full Changelog: v0.2.1...v0.2.2
v0.2.1
Docker image
The service is available as a Docker image from the GitHub Container Registry.
docker pull ghcr.io/element-hq/lk-jwt-service:0.2.1
What's Changed
- Update module github.com/livekit/protocol to v1.34.0 by @renovate in #72
- Update GitHub Actions by @renovate in #74
- Update github.com/matrix-org/gomatrixserverlib digest to 51ff16e by @renovate in #73
- Update module github.com/go-jose/go-jose/v3 to v3.0.4 [SECURITY] by @renovate in #75
- Update module golang.org/x/net to v0.36.0 [SECURITY] by @renovate in #76
- removed key and secret from startup logs by @fkwp in #78
Full Changelog: v0.2.0...v0.2.1