# PoliticTalk Jitsi Auth Roadmap

These notes are intentionally not deployed yet. They describe the local files and app changes we should add when we connect PgApi authentication to Jitsi.

## Target Flow

```text
PgPlatform calendar event
  -> PgPlatform PoliticTalk prejoin page
  -> PgApi verifies logged-in user, event ownership/invite/access, and event time window
  -> PgApi returns a short-lived Jitsi JWT
  -> PgPlatform embeds or opens Jitsi with that JWT
  -> Jitsi VPS validates JWT through Prosody token auth
```

## Local Files To Add Later

```text
jitsi/templates/prosody-token-auth.cfg.lua.example
jitsi/templates/jicofo-token-auth.conf.example
jitsi/templates/jitsi-token-auth.env.example
```

Only templates should be committed. Real JWT secrets must stay in VPS-only files.

## Platform Changes To Add Later

- PgApi endpoint to issue Jitsi JWTs for valid PoliticTalk event access.
- JWT claims for room, user display name, email/id, moderator flag, expiry, and feature permissions.
- PgPlatform prejoin route that shows event title and immutable platform user name.
- PgPlatform embedded Jitsi room using the IFrame API.
- Moderator-only controls for audio moderation and poll permissions.
- Event end-time enforcement through JWT expiry and/or iframe hangup.
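
The token-issuing step from the target flow, with the claims listed above, as an added sketch that is not PgApi code: it refuses requests outside the event window and caps `exp` at the event end. The function names, the `aud`/`iss`/`sub` values, the feature keys, the 300-second lifetime and the `early_join` allowance are assumptions to be matched against the deployed Prosody token configuration.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _sign(secret: bytes, signing_input: str) -> str:
    return _b64url(hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest())

def issue_jitsi_jwt(secret, app_id, domain, room, user, moderator,
                    event_start, event_end, now=None, max_ttl=300, early_join=600):
    """Mint an HS256 token for one room; refuse outside the event window."""
    now = int(time.time()) if now is None else int(now)
    if now < event_start - early_join or now >= event_end:
        raise PermissionError("outside event time window")
    claims = {
        "aud": "jitsi", "iss": app_id, "sub": domain,   # assumed values
        "room": room,                                    # exact room, never "*"
        "nbf": now - 10,                                 # small clock-skew allowance
        "exp": min(now + max_ttl, event_end),            # short-lived, capped at event end
        "context": {
            # Name comes from the platform account, not from user input.
            "user": {"id": user["id"], "name": user["name"],
                     "email": user["email"], "moderator": bool(moderator)},
            # Illustrative feature keys; match them to the deployed Jitsi.
            "features": {"recording": bool(moderator), "livestreaming": False},
        },
    }
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(secret, signing_input)

def verify_for_test(token: str, secret: bytes) -> dict:
    """Check the HS256 signature in constant time and return the claims."""
    signing_input, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(secret, signing_input).encode()):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

if __name__ == "__main__":
    # Constructed sample values, not real PoliticTalk data.
    demo_user = {"id": "u-123", "name": "Alex Example", "email": "alex@example.org"}
    t = issue_jitsi_jwt(b"constructed-demo-secret", "pgapi", "meet.example.org",
                        "event-42", demo_user, True, 1_700_000_000, 1_700_003_600,
                        now=1_700_000_060)
    print(verify_for_test(t, b"constructed-demo-secret"))
```

`verify_for_test` checks only the signature so the claims can be inspected; time and room validation remain with Prosody token auth on the Jitsi VPS.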