Real-time collaboration in Word or Excel files directly in the browser—whenever you host platforms like Nextcloud or Seafile, you will eventually stumble across the OnlyOffice Document Server.

However, simply starting an OnlyOffice Docker container and exposing it to the public without further precautions creates a serious vulnerability: anyone on the internet who discovers your OnlyOffice URL could point their own cloud instance at your server and consume your CPU and RAM at will.

This is where JWT (JSON Web Token) comes into play.

What is JWT and how does it protect OnlyOffice?

In simple terms, a JSON Web Token is a cryptographically signed “permit” or digital stamp.

When you enable JWT between your Nextcloud and OnlyOffice setup, the entire security foundation relies on a Shared Secret. This secret is configured exclusively by you—it’s typed into Nextcloud (or Seafile) and registered in the OnlyOffice environment variables.

The typical flow looks like this:

  1. A user in Nextcloud clicks to open a .docx file.
  2. Nextcloud sends an instruction to your OnlyOffice server: “Hey, load this document and render the editor for my user.”
  3. The key step: before sending, Nextcloud signs this request with the JWT_SECRET. The resulting signature can only be produced by someone who holds the secret.
  4. OnlyOffice receives the request, verifies the signature using the same secret, and concludes: “This signature is valid. The request came from my trusted Nextcloud instance. Allowed.”
  5. A malicious actor without the secret who tries to render documents through your server fails the signature check and is rejected with an Error 403 (Forbidden).
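The signing and verification steps above, as an added example (not code from OnlyOffice, Nextcloud or Seafile): the integration side builds an HS256 JWT over the editor configuration with the shared secret, and the Document Server side recomputes the HMAC before it renders anything. The secret is the one from the Compose file; the editor configuration is a constructed sample, and in the real integration the token travels in the config's token field or in the header named by JWT_HEADER.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SHARED_SECRET = "YourSuperLongAndSecureSecretString!"  # same value as JWT_SECRET in the Compose file


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_editor_config(config: dict, secret: str) -> str:
    """Integration side (Nextcloud/Seafile): HS256 JWT over the editor config."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(config, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Document Server side: recompute the HMAC; None means the request gets a 403."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse "alg": "none" and any other algorithm
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(p))


# Constructed sample editor config, shaped like the one an integration sends
EDITOR_CONFIG = {
    "document": {"fileType": "docx", "key": "constructed-doc-key-1", "title": "report.docx",
                 "url": "https://cloud.example.internal/files/report.docx"},
    "editorConfig": {"mode": "edit", "user": {"id": "alice", "name": "Alice"}},
}


def demo() -> tuple:
    genuine = verify_token(sign_editor_config(EDITOR_CONFIG, SHARED_SECRET), SHARED_SECRET)
    forged = verify_token(sign_editor_config(EDITOR_CONFIG, "attacker-guess"), SHARED_SECRET)
    return genuine is not None, forged is None  # (True, True)
```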

Easy Docker Compose Deployment

Activating JWT in an OnlyOffice Document Server is done through standard environment variables in your Docker deployment.

version: '3.8'

services:
  onlyoffice:
    image: onlyoffice/documentserver:latest
    restart: always
    ports:
      - "9090:80"
    environment:
      - JWT_ENABLED=true
      - JWT_SECRET=YourSuperLongAndSecureSecretString!
      # Optional: The signature header depending on your integration (Authorization is standard)
      - JWT_HEADER=Authorization

Launch the stack via docker compose up -d.

Applying the Secret in Nextcloud/Seafile

Once OnlyOffice is operational (and preferably placed behind a reverse proxy that terminates TLS with a valid certificate), you must tell your cloud platform the secret key:

In Nextcloud: Navigate to Administration Settings -> ONLYOFFICE. Fill in your Document Server Address, and under “Secret key”, paste YourSuperLongAndSecureSecretString! and hit Save.

In Seafile (seahub_settings.py):

ONLYOFFICE_JWT_SECRET = 'YourSuperLongAndSecureSecretString!'

Conclusion

Never expose an OnlyOffice Document Server to the open internet without activating JSON Web Tokens. As shown above, enabling it takes only minutes and protects your infrastructure, its resources, and your sensitive documents.

If you are dealing with Corporate IT architectures, security layers, or need a Freelancer to configure a stable deployment, feel free to contact me!