With tokens you can control user's access to the room. You can set properties like user's role, username and avatar. Highly recommended is to set a token validity interval, so the token is valid only for a period of time when the meeting will be conducted - see the exp (expires) and nbf (not-before) in the full properties list.
Tokens are obligatory for private rooms, and they are also needed in public rooms if you have more than one role in the room and need to specify with which role should the user enter.
Private room means no one can enter the room without a token. They are much more secure than public rooms. Public room means everyone who knows the URL of the room can enter inside. We highly recommend to use private rooms for sensitive meetings. On the other hand public rooms could be easier to start with and be useful if you don't need high security or if you are just trying out the app.
Tokens should never be generated in client-facing code like frontends, because your secret developer key will become publicly visible. Tokens are cryptographically signed data, NOT encrypted. Do not put information which should not be seen by the users into the tokens.