Developer guide
Integrating with the BigBlueButton API
A sound integration does more than generate join URLs. It owns meeting identity, authorisation, idempotency, callbacks and the recording lifecycle without leaking the shared secret.
Executive brief
What matters
- 01
Make every API call from trusted server-side code; the BigBlueButton shared secret must never reach the client.
- 02
Use a stable internal meeting ID and treat create as an idempotent lifecycle operation.
- 03
Verify callback authenticity and reconcile state by querying the API rather than trusting one delivery.
01
Build a narrow server-side adapter
BigBlueButton’s HTTPS API uses a checksum derived from the call name, encoded query string and shared secret, and returns XML. Put signing, transport, parsing, timeouts and error translation in one adapter. The rest of your application should call domain methods such as createClassroom or publishRecording, not assemble query strings.
02
Own identity and authorisation
BigBlueButton does not provide your user database or application permission model. Authenticate users in your LMS or service, decide attendee versus moderator server-side, and issue a short-lived join flow. Never accept a moderator password or arbitrary role from a browser request without re-authorising it.
03
Model meeting state carefully
Use a non-secret meeting ID that is stable for the intended session and an unpredictable attendee path or access control in your application. Store the parameters used to create it. Handle a repeated create safely, check isMeetingRunning when useful and do not infer that a successful redirect means the meeting completed.
04
Treat callbacks as notifications
Meeting-ended and recording-ready callbacks reduce polling, but delivery can be duplicated, delayed or blocked by proxy configuration. Validate the callback mechanism supported by your version, authenticate where possible, make handlers idempotent and confirm the current recording state through getRecordings before changing user-visible status.
Evidence base
Sources and further reading
We prefer project documentation and first-party product guidance. Community links are included where they reveal recurring operational questions rather than establish product guarantees.
Practical answers
Questions teams ask
Can the browser call the BigBlueButton API directly?+
It should not. Signing requires the shared secret, which must remain in trusted server-side code.
Does BigBlueButton return JSON?+
The documented API primarily returns XML. Parse it defensively and preserve error codes and messages for operations.
How should recordings be managed?+
Use getRecordings as the source of current state, then publish, unpublish, update metadata or delete through authorised server-side operations.
Continue the research
Related guides and infrastructure
How to integrate BigBlueButton with Moodle
Configure Moodle’s BigBlueButton activity, connect your own server, map roles, publish recordings and test a course safely.
Read next → Identity & accessSSO with Microsoft Entra ID, Google Workspace and LDAP
Connect Greenlight to Microsoft Entra ID, Google Workspace or LDAP using OpenID Connect and an identity broker.
Read next → Planning & architectureScalelite architecture and operations
Understand Scalelite load balancing, PostgreSQL, Redis, shared recordings, node lifecycle, monitoring and failure modes.
Read next →