Releases: element-hq/lk-jwt-service

v0.4.1

15 Jan 15:46
fa22603

🚀 Cont. Towards Matrix 2.0 – MatrixRTC-Authorisation Service

This release is a minor update from 0.4.0 reflecting the latest changes in MSC4195: MatrixRTC Transport, which adds unpadded base64 encoding to hashes for room alias and participant ID.

Furthermore, this release ensures compatibility between clients using the old /sfu/get endpoint and the new /get_token endpoint (details are here).

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.4.1 

Precompiled binaries

The service is available as static precompiled binaries for amd64 and arm64 on Linux, attached to this release below.

What's Changed

  • README: Use LIVEKIT_FULL_ACCESS_HOMESERVERS consistently by @csett86 in #140
  • README: Describe the static binaries by @csett86 in #141
  • refactor build.yaml into reusable chunks by @fkwp in #142
  • fix build.yaml date determination by @fkwp in #143
  • Use base64 encoded hashes for room alias and participant ID (minimize identifying metadata sent to SFU) by @robintown in #144
  • Add 'synchronize' and 'opened' types to PR trigger by @fkwp in #146
  • Update room alias handling in token generation for LegacySfuRequest by @fkwp in #147

Full Changelog: v0.4.0...v0.4.1

v0.4.0

05 Dec 15:43
82c1bf4

🚀 Towards Matrix 2.0 – MatrixRTC-Authorisation Service

This release brings major foundational work towards MSC4195: MatrixRTC Transport, introduces the new /get_token endpoint, improves validation and error-handling, and enhances deployment flexibility with improved bind controls.

✨ What's New

Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend

This release introduces the new MSC4195-compliant request flow and /get_token endpoint, while keeping /sfu/get available for a transition period.

Key changes:

  • Added unified error handling via writeMatrixError.
  • Introduced new Matrix 2.0 SFURequest type, alongside LegacySFURequest.
  • Refactored internal functions for better testability and structure.
  • Added extensive new tests across request mapping, processing, and JSON handling.
  • Updated logging, error codes, and user-identity checks.

🔌 Allow Binding of Arbitrary Addresses

This release improves deployment flexibility by allowing the service to bind to any or a specific address.

Features & Fixes

  • feat: Introduced support for binding to arbitrary addresses.
    Contributed by @matdup
  • fix: Documentation updated for environment variable changes.
  • feat: Reintroduced LIVEKIT_JWT_PORT for backward compatibility.
    • Now mutually exclusive with LIVEKIT_JWT_BIND.
    • Emits a warning when used.
  • feat: Enforced mutual exclusivity between LIVEKIT_JWT_BIND and LIVEKIT_JWT_PORT.

⚙️ Configuration

Environment Variables

| Variable | Description |
|---|---|
| LIVEKIT_JWT_BIND | Binds the service to a specific host:port (new preferred method). Defaults to :8080 |
| LIVEKIT_JWT_PORT | Deprecated but still supported. Mutually exclusive with LIVEKIT_JWT_BIND. |
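
The precedence rules above, written out as an added example (not the project's own code): `resolveBind` and `defaultBind` are hypothetical names, and the validation of the values is an assumption. It rejects the case where both variables are set, flags the deprecated one, and falls back to :8080.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
)

const defaultBind = ":8080" // default stated in the table above

// resolveBind (hypothetical helper) turns the LIVEKIT_JWT_BIND value (bind)
// and the LIVEKIT_JWT_PORT value (port) into one listen address; "" means
// unset. deprecated is true when the legacy variable was used, so the
// caller can log the warning.
func resolveBind(bind, port string) (addr string, deprecated bool, err error) {
	switch {
	case bind != "" && port != "":
		return "", false, errors.New("LIVEKIT_JWT_BIND and LIVEKIT_JWT_PORT are mutually exclusive")
	case port != "":
		n, convErr := strconv.Atoi(port)
		if convErr != nil || n < 1 || n > 65535 {
			return "", true, fmt.Errorf("invalid LIVEKIT_JWT_PORT %q", port)
		}
		return ":" + strconv.Itoa(n), true, nil // all interfaces, given port
	case bind != "":
		// Requires host:port form; ":9000", "127.0.0.1:9000", "[::1]:9000" pass.
		if _, _, splitErr := net.SplitHostPort(bind); splitErr != nil {
			return "", false, fmt.Errorf("invalid LIVEKIT_JWT_BIND %q: %w", bind, splitErr)
		}
		return bind, false, nil
	default:
		return defaultBind, false, nil
	}
}

func main() {
	addr, deprecated, err := resolveBind(os.Getenv("LIVEKIT_JWT_BIND"), os.Getenv("LIVEKIT_JWT_PORT"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	if deprecated {
		fmt.Fprintln(os.Stderr, "warning: LIVEKIT_JWT_PORT is deprecated, use LIVEKIT_JWT_BIND")
	}
	fmt.Println("listen address:", addr)
}
```
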

Endpoint Changes

| Endpoint | Status | Notes |
|---|---|---|
| /get_token | New (Primary) | Conforms to MSC4195. |
| /sfu/get | Legacy (Transitional) | Auto-maps request types; will be removed in a future release. |

🤝 Client Compatibility

  • Legacy MatrixRTC clients continue functioning via /sfu/get.
  • MSC4195-aware clients should migrate to /get_token.
  • Both request formats remain supported during the transition.
  • Stricter validation may require client-side updates:
    • Correct request field shapes
    • Accurate user identity claims (claimed_user_id vs OpenID sub)

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.4.0

Precompiled binaries

The service is available as static precompiled binaries for amd64 and arm64 on Linux, attached to this release below.

What's Changed

  • ci: add static go releases for linux arm64 and amd64 by @csett86 in #111
  • fix(deps): update github.com/matrix-org/gomatrixserverlib digest to a234d6d by @renovate[bot] in #113
  • chore(deps): update dependency go to v1.24.5 by @renovate[bot] in #114
  • refactor README.md by @fkwp in #115
  • feat: allow binding of arbitrary addresses by @MatthieuCoder in #118
  • fix(deps): update github.com/matrix-org/gomatrixserverlib digest to 6697d93 by @renovate[bot] in #120
  • chore(deps): update dependency go to v1.25.3 by @renovate[bot] in #121
  • Refactor config parsing by @fkwp in #125
  • fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.3.0 by @renovate[bot] in #127
  • chore(deps): update github actions by @renovate[bot] in #126
  • Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend by @fkwp in #128
  • fix: add expires_in field to OpenIDTokenType by @fkwp in #130

Full Changelog: v0.3.0...v0.4.0

v0.3.0

29 Jul 17:43
114f0f4

🔒 Restrict SFU Room Creation to Selected Homeservers

This update introduces an infrastructure control mechanism that differentiates between full-access and restricted Matrix users when accessing the LiveKit SFU.

✨ What's New

User Differentiation -- Users are now classified into two access levels:

  • Full-access users: Matrix users whose homeservers are part of the same or a related deployment as the MatrixRTC backend.
  • Restricted users: All other users, typically federated users from external homeservers.

Access Behavior

  • Full-access users trigger automatic LiveKit SFU room creation via the JWT service when needed.
  • 🚫 Restricted users can join existing LiveKit SFU rooms but cannot trigger automatic room creation.
  • 🔐 This ensures infrastructure resources are only created by users of known homeservers, preserving resource control.

Federation Compatibility

  • ⚠️ This change does not block video conferencing across Matrix federation.
  • Due to the SFU selection algorithm and event timing, federated calls may still occur, but without automatic SFU provisioning for restricted users.

🛠 Configuration

  • Set LIVEKIT_FULL_ACCESS_HOMESERVERS (comma-separated) to define which homeservers are considered trusted. It supports * as a wildcard to grant full access to all users, which is currently the default setting (e.g., LIVEKIT_FULL_ACCESS_HOMESERVERS=*).
  • The legacy LIVEKIT_LOCAL_HOMESERVERS variable is also still supported for compatibility during transition.
  • Additionally, you must disable LiveKit's automatic room creation in the SFU's config.yaml to enforce access control:

    room:
      auto_create: false
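
The full-access decision described above, as an added example (not the project's own code): `parseFullAccess`, `serverName` and `mayCreateRoom` are hypothetical names, the homeserver values are constructed, and exact string matching is an assumption. Applying the `*` default for an unset variable is left to the caller.

```go
package main

import (
	"fmt"
	"strings"
)

// parseFullAccess splits a LIVEKIT_FULL_ACCESS_HOMESERVERS value
// (comma-separated server names, "*" meaning everyone) into a lookup set.
func parseFullAccess(value string) map[string]bool {
	set := make(map[string]bool)
	for _, entry := range strings.Split(value, ",") {
		if name := strings.TrimSpace(entry); name != "" {
			set[name] = true
		}
	}
	return set
}

// serverName returns the homeserver part of a Matrix user ID
// ("@localpart:server_name"). The localpart cannot contain ':', so the
// first colon is the separator and a port or IPv6 literal stays intact.
func serverName(userID string) (string, bool) {
	if !strings.HasPrefix(userID, "@") {
		return "", false
	}
	localpart, server, found := strings.Cut(userID[1:], ":")
	return server, found && localpart != "" && server != ""
}

// mayCreateRoom reports whether the user counts as full-access. Matching is
// exact, never by suffix, and malformed IDs fail closed (restricted).
func mayCreateRoom(fullAccess map[string]bool, userID string) bool {
	server, ok := serverName(userID)
	if !ok {
		return false
	}
	return fullAccess["*"] || fullAccess[server]
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	allow := parseFullAccess("example.org, matrix.example.net:8448")
	for _, u := range []string{"@alice:example.org", "@bob:matrix.example.net:8448",
		"@carol:other.test", "@dave:example.org.other.test", "not-a-user-id"} {
		fmt.Printf("%-32s may create room: %v\n", u, mayCreateRoom(allow, u))
	}
}
```
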

🧪 Client Compatibility

  • This feature requires robust SFU error handling in MatrixRTC clients.
  • For now, we recommend setting LIVEKIT_FULL_ACCESS_HOMESERVERS=* (the current default setting) until client implementations are fully compliant to avoid unexpected behavior.

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.3.0

What's Changed

  • Fkwp/add license header by @fkwp in #94
  • Update GitHub Actions by @renovate[bot] in #99
  • Update module golang.org/x/net to v0.38.0 [SECURITY] by @renovate[bot] in #97
  • Update dependency go to v1.24.2 by @renovate[bot] in #98
  • Update dependency go to v1.24.3 by @renovate[bot] in #101
  • Update actions/setup-go action to v5.5.0 by @renovate[bot] in #102
  • Update golangci/golangci-lint-action action to v8 by @renovate[bot] in #103
  • Update docker/build-push-action action to v6.18.0 by @renovate[bot] in #105
  • Update github.com/matrix-org/gomatrixserverlib digest to c70b213 by @renovate[bot] in #104
  • Update README.md by @escix in #87
  • Update module github.com/pion/interceptor to v0.1.39 [SECURITY] by @renovate[bot] in #106
  • Update dependency go to v1.24.4 by @renovate[bot] in #109
  • Update github.com/matrix-org/gomatrixserverlib digest to 904c8f0 by @renovate[bot] in #108
  • Restrict access to LiveKit SFU by differentiating full-access and restricted Matrix users for room creation by @fkwp in #67

Full Changelog: v0.2.3...v0.3.0

v0.2.3

04 Apr 14:40
eee9ca2

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.2.3

What's Changed

  • Fix DNS resolution with host aliases + Fix TLS Verify on default transport by @gaelgatelement in #92
  • Add LIVEKIT_KEY_FILE, rename env vars to _FROM_FILE and trim keys&secrets by @gaelgatelement in #93

Full Changelog: v0.2.2...v0.2.3

v0.2.2

02 Apr 14:56
6bf1fc0

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.2.2

What's Changed

  • Document where go version comes from in Dockerfile by @hughns in #85
  • Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] by @renovate in #82
  • Update module github.com/redis/go-redis/v9 to v9.7.3 [SECURITY] by @renovate in #86
  • Update github.com/matrix-org/gomatrixserverlib digest to 479c9ab by @renovate in #89
  • Update dependency go to v1.24.1 by @renovate in #90
  • Allow to read secrets and keys from files by @gaelgatelement in #88
  • update README with _FILE env vars by @gaelgatelement in #91

Full Changelog: v0.2.1...v0.2.2

v0.2.1

21 Mar 11:24
d24adff

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.2.1

What's Changed

  • Update module github.com/livekit/protocol to v1.34.0 by @renovate in #72
  • Update GitHub Actions by @renovate in #74
  • Update github.com/matrix-org/gomatrixserverlib digest to 51ff16e by @renovate in #73
  • Update module github.com/go-jose/go-jose/v3 to v3.0.4 [SECURITY] by @renovate in #75
  • Update module golang.org/x/net to v0.36.0 [SECURITY] by @renovate in #76
  • removed key and secret from startup logs by @fkwp in #78

Full Changelog: v0.2.0...v0.2.1

v0.2.0

27 Feb 18:00
4556455

Breaking Changes

The LK_JWT_PORT environment variable is no longer supported. If you want the service to listen on a port other than the default (port 8080) then you need to use the LIVEKIT_JWT_PORT environment variable.

What's Changed

  • Update README.md by @escix in #64 and #66
  • Rename LK_JWT_PORT to LIVEKIT_JWT_PORT by @fkwp in #69
  • Use version of go from toolchain during docker build by @hughns in #71
  • Update dependency go to v1.24.0 by @renovate in #70

New Contributors

  • @escix made their first contribution in #64

Full Changelog: v0.1.2...v0.2.0

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.2.0

v0.1.2

07 Feb 16:01
09f0023

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.1.2

What's Changed

  • Log the Origin header for HTTP requests by @hughns in #65
  • Update module github.com/livekit/protocol to v1.32.1 by @renovate in #63
  • Update GitHub Actions by @renovate in #62

Full Changelog: v0.1.1...v0.1.2

v0.1.1

22 Jan 11:05
2ff423c

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.1.1

What's Changed

  • Explicitly add SBOM and provenance attestations to docker images by @hughns in #61

Full Changelog: v0.1.0...v0.1.1

v0.1.0

22 Jan 10:39

Docker image

The service is available as a Docker image from the GitHub Container Registry.

docker pull ghcr.io/element-hq/lk-jwt-service:0.1.0