While having the shared key in the hash part prevents Ephemere clients from sending it to your server, it does not prevent users from sharing the room URL on insecure channels, where the hash will be essentially in clear text.
For truly secure rooms, a separate form of authentication should be required, possibly in the form of a password from which a key that decrypts the room key can be derived.
While having the shared key in the hash part prevents Ephemere clients from sending it to your server, it does not prevent users from sharing the room URL on insecure channels, where the hash will be essentially in clear text.
For truly secure rooms, a separate form of authentication should be required, possibly in the form of a password from which a key that decrypts the room key can be derived.