diff --git a/services/jitsi/deployment.yaml b/services/jitsi/deployment.yaml
index f4f6cd3..454fa14 100644
--- a/services/jitsi/deployment.yaml
+++ b/services/jitsi/deployment.yaml
@@ -12,24 +12,10 @@ spec:
 metadata:
 labels: { app: jitsi-prosody }
 spec:
+ serviceAccountName: jitsi
 nodeSelector:
 kubernetes.io/hostname: titan-22
 kubernetes.io/arch: amd64
- initContainers:
- - name: prosody-bootstrap-auth
- image: jitsi/prosody:stable
- command: ["/bin/sh","-c"]
- args:
- - |
- set -eu
- prosodyctl --config /config/prosody.cfg.lua register "${JITSI_AUTH_USER}" meet.jitsi "${JITSI_AUTH_PASSWORD}" || true
- env:
- - name: JITSI_AUTH_USER
- valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: username } }
- name: JITSI_AUTH_PASSWORD
- valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: password } }
- volumeMounts:
- - { name: cfg, mountPath: /config }
 containers:
 - name: prosody
 image: jitsi/prosody:stable
@@ -44,8 +30,13 @@ spec:
 - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
 - { name: ENABLE_AUTH, value: "1" }
 - { name: ENABLE_GUESTS, value: "1" }
- - { name: AUTH_TYPE, value: "internal" }
+ - { name: AUTH_TYPE, value: "jwt" }
 - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
+ - { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
+ - { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
+ - { name: JWT_APP_ID, value: "jitsi" }
+ - name: JWT_APP_SECRET
+ valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
 - { name: JICOFO_AUTH_USER, value: "focus" }
 - { name: JVB_AUTH_USER, value: "jvb" }
 - name: JICOFO_AUTH_PASSWORD
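Review bot: Removing the `prosody-bootstrap-auth` init container does not remove the account it registered — `prosodyctl register` wrote the `brad` user into the PVC-backed `/config` (claim `jitsi-prosody-config`), and that user's password was committed in plaintext in the now-deleted `secret-auth-user.yaml`, so it stays readable in git history. Treat that credential as compromised: unregister or re-key the user in the persisted prosody data, and scrub the secret from history if the repository is shared. The `serviceAccountName: jitsi` line added here (and in the jicofo, jvb and web hunks at -75, -120 and -189) gives every Jitsi pod the identity that the Vault role `jitsi-jwt` presumably trusts, so jicofo and jvb can fetch a signing secret they never mount; a dedicated service account for the two pods that mount the CSI volume would keep the Vault binding limited to its consumers. The enclosing pod template continues outside the hunk.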
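Review bot: `JWT_APP_SECRET` is resolved through `secretKeyRef` from Secret `jitsi-jwt`, which the secrets-store driver only creates and keeps while a pod mounts the CSI volume that syncs it (added in the following hunk); that coupling is invisible on this line, so a comment such as `# Secret jitsi-jwt is synced by the csi volume below; removing the mount breaks this env ref` would prevent a surprising failed rollout. Because the secret at `kv/data/jitsi/jwt-hs256` is a symmetric HS256 key, anyone able to read Secret `jitsi-jwt` can mint tokens prosody accepts, which is why the pins in `JWT_ACCEPTED_ISSUERS` and `JWT_ACCEPTED_AUDIENCES` must stay in place. The container's env list continues past the hunk.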
@@ -56,9 +47,16 @@ spec:
 valueFrom: { secretKeyRef: { name: jitsi-internal-secrets, key: JVB_AUTH_PASSWORD } }
 volumeMounts:
 - { name: cfg, mountPath: /config }
+ - { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
 volumes:
 - name: cfg
 persistentVolumeClaim: { claimName: jitsi-prosody-config }
+ - name: jwt
+ csi:
+ driver: secrets-store.csi.x-k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: jitsi-jwt
 ---
@@ -75,6 +73,7 @@ spec:
 metadata:
 labels: { app: jitsi-jicofo }
 spec:
+ serviceAccountName: jitsi
 nodeSelector:
 kubernetes.io/hostname: titan-22
 kubernetes.io/arch: amd64
@@ -89,7 +88,7 @@ spec:
 - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
 - { name: ENABLE_AUTH, value: "1" }
 - { name: ENABLE_GUESTS, value: "1" }
- - { name: AUTH_TYPE, value: "internal" }
+ - { name: AUTH_TYPE, value: "jwt" }
 - { name: XMPP_SERVER, value: "jitsi-prosody.jitsi.svc.cluster.local" }
 - { name: JICOFO_AUTH_USER, value: "focus" }
 - name: JICOFO_AUTH_PASSWORD
@@ -120,6 +119,7 @@ spec:
 metadata:
 labels: { app: jitsi-jvb }
 spec:
+ serviceAccountName: jitsi
 initContainers:
 - name: jvb-custom-config
 image: busybox:1.36
@@ -163,6 +163,7 @@ spec:
 - { name: JVB_ADVERTISE_IPS, value: "38.28.125.112,192.168.22.22" }
 - { name: JVB_TCP_HARVESTER_DISABLED, value: "false" }
 - { name: JVB_TCP_PORT, value: "4443" }
+ - { name: AUTH_TYPE, value: "jwt" }
 - name: JVB_OPTS
 value: "-Dorg.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443"
 volumeMounts:
@@ -189,6 +190,7 @@ spec:
 metadata:
 labels: { app: jitsi-web }
 spec:
+ serviceAccountName: jitsi
 nodeSelector:
 kubernetes.io/hostname: titan-22
 kubernetes.io/arch: amd64
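Review bot: `AUTH_TYPE: "jwt"` on the jvb container (hunk -163) looks like dead configuration: the bridge authenticates to XMPP with the `JVB_AUTH_USER`/`JVB_AUTH_PASSWORD` pair set elsewhere in this file, and I am not aware of the jvb image consuming `AUTH_TYPE`, so the line implies token validation the bridge does not perform. Drop it, or if something in the jvb image does read it, add a comment naming what so the next reader does not assume the bridge checks tokens. The jvb container's env list continues outside the hunk.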
@@ -206,12 +208,24 @@ spec:
 - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
 - { name: ENABLE_AUTH, value: "1" }
 - { name: ENABLE_GUESTS, value: "1" }
- - { name: AUTH_TYPE, value: "internal" }
+ - { name: AUTH_TYPE, value: "jwt" }
+ - { name: JWT_APP_ID, value: "jitsi" }
+ - { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
+ - { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
+ - name: JWT_APP_SECRET
+ valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
 - { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" }
 - { name: ENABLE_XMPP_WEBSOCKET, value: "1" }
 - { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" }
 volumeMounts:
 - { name: cfg, mountPath: /config }
+ - { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
 volumes:
 - name: cfg
 persistentVolumeClaim: { claimName: jitsi-web-config }
+ - name: jwt
+ csi:
+ driver: secrets-store.csi.x-k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: jitsi-jwt
diff --git a/services/jitsi/kustomization.yaml b/services/jitsi/kustomization.yaml
index 117ef5e..cfa5622 100644
--- a/services/jitsi/kustomization.yaml
+++ b/services/jitsi/kustomization.yaml
@@ -3,7 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
- - secret-auth-user.yaml
+ - serviceaccount.yaml
+ - secretproviderclass.yaml
 - deployment.yaml
 - service.yaml
 - pvc.yaml
diff --git a/services/jitsi/secret-auth-user.yaml b/services/jitsi/secret-auth-user.yaml
deleted file mode 100644
index 2a2949e..0000000
--- a/services/jitsi/secret-auth-user.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# services/jitsi/secret-auth-user.yaml
-apiVersion: v1
-kind: Secret
-metadata:
- name: jitsi-auth-user
- namespace: jitsi
-stringData:
- username: brad
- password: qvUqX5foh2zyM0th
diff --git a/services/jitsi/secretproviderclass.yaml b/services/jitsi/secretproviderclass.yaml
new file mode 100644
index 0000000..365af60
--- /dev/null
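Review bot: The web pod now receives the HS256 signing secret twice (`JWT_APP_SECRET` via Secret `jitsi-jwt` and the CSI mount at `/var/lib/jitsi-jwt`), yet it serves the browser frontend and, as far as I can tell, neither validates nor issues tokens — prosody does that. If the web image does not consume `JWT_APP_SECRET`, drop the env entry, the `jwt` volumeMount and the `jwt` volume from this deployment so the key that can mint accepted tokens lives only in the prosody pod. The issuer and audience values are also repeated verbatim from the prosody hunk; a shared ConfigMap would keep the two copies from drifting. The web container's env list starts before the hunk.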
+++ b/services/jitsi/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# services/jitsi/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: jitsi-jwt
+ namespace: jitsi
+spec:
+ provider: vault
+ parameters:
+ vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+ roleName: jitsi-jwt
+ objects: |
+ - objectName: "jwt"
+ secretPath: "kv/data/jitsi/jwt-hs256"
+ secretKey: "app_secret"
+ secretObjects:
+ - secretName: jitsi-jwt
+ type: Opaque
+ data:
+ - objectName: "jwt"
+ key: app_secret
diff --git a/services/jitsi/serviceaccount.yaml b/services/jitsi/serviceaccount.yaml
new file mode 100644
index 0000000..ce1a1c9
--- /dev/null
+++ b/services/jitsi/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/jitsi/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: jitsi
+ namespace: jitsi
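Review bot: `vaultAddress: "http://vault.vault.svc.cluster.local:8200"` fetches the JWT signing key over plaintext HTTP, so the HS256 secret crosses the cluster network unencrypted on every mount and rotation; unless a mesh already encrypts this hop, point it at Vault's TLS listener (`https://...`) together with the provider's CA parameters. `secretObjects` additionally mirrors the value into Kubernetes Secret `jitsi-jwt`, which puts the key at rest in etcd as well as in Vault — acceptable when etcd encryption is on, but worth stating with a comment like `# mirrored to Secret jitsi-jwt so deployments can use secretKeyRef; the key is then also at rest in etcd` above `secretObjects:`. The Vault-side binding of `roleName: jitsi-jwt` to the `jitsi` service account is not visible in this diff and should be checked to be that single account.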
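Review bot: The new `jitsi` ServiceAccount should carry `automountServiceAccountToken: false`: nothing in the four deployments that use it appears to call the Kubernetes API, and the Vault CSI provider normally receives the token it presents to Vault through the driver's token-request feature rather than from the projected token in the container, so the auto-mounted token is just a credential left in every pod. Confirm the driver is deployed with token requests enabled before relying on that, then add `automountServiceAccountToken: false` at the same level as `metadata`.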