
Generate a Session Secret

A session secret protects signed cookies and server-side session data from tampering. Use a long random value, keep it private, and rotate it deliberately when needed.

Recommended Variable

SESSION_SECRET="..."

Recommended Format

Base64URL, 48 characters or longer

How to do it

  1. Open the Secret Key Generator and choose the Session Secret preset.
  2. Generate a Base64URL secret with at least 48 characters.
  3. Copy the environment variable value into your server or deployment settings.
  4. Restart the app after changing the secret so every runtime uses the same value.

FAQ

Can I reuse a session secret across environments?

Use separate secrets for development, staging, and production so a leaked lower-environment value cannot affect production sessions.

What happens if I rotate a session secret?

Existing signed sessions may become invalid. Plan rotations during low-risk windows or support multiple secrets if your framework allows it.
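The snippet below is an added example, not code from the Secret Key Generator; it shows what the steps and the rotation FAQ above amount to in practice: producing a Base64URL secret of the recommended length, checking a value read from SESSION_SECRET against that format, and signing a cookie so that verification accepts a list of secrets (newest first) during a rotation window. The HMAC-SHA256 "value.signature" cookie layout is an assumption for illustration; real frameworks use their own encodings.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Base64URL alphabet, no padding, at least 48 characters (the page's recommendation).
BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]{48,}")


def generate_session_secret(num_bytes: int = 36) -> str:
    """Return a random Base64URL secret.

    36 random bytes encode to exactly 48 unpadded Base64URL characters,
    which meets the minimum length recommended above.
    """
    return secrets.token_urlsafe(num_bytes)


def is_valid_session_secret(value: str) -> bool:
    """Check a value (e.g. read from SESSION_SECRET) against the recommended format."""
    return BASE64URL_RE.fullmatch(value) is not None


def sign(value: str, secret: str) -> str:
    """Attach an HMAC-SHA256 tag (Base64URL, unpadded) to a cookie value.

    Assumed layout for this example: "<value>.<signature>".
    """
    mac = hmac.new(secret.encode(), value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode()
    return f"{value}.{tag}"


def verify(signed: str, secret_list):
    """Return the cookie value if its tag matches any secret, else None.

    Passing [new_secret, old_secret] lets sessions signed before a rotation
    keep working until they expire; pass only [new_secret] to cut them off.
    """
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    for secret in secret_list:
        # Recompute the expected cookie and compare in constant time.
        if hmac.compare_digest(sign(value, secret), signed):
            return value
    return None


if __name__ == "__main__":
    # Constructed demo: rotate from an old secret to a new one.
    old_secret = generate_session_secret()
    new_secret = generate_session_secret()
    print("SESSION_SECRET=" + new_secret)
    cookie = sign("user=42", old_secret)  # issued before the rotation
    print("accepted during rotation window:", verify(cookie, [new_secret, old_secret]))
    print("accepted after old secret retired:", verify(cookie, [new_secret]))
```

Keeping the old secret in the accepted list only for the lifetime of existing sessions gives the "support multiple secrets" behaviour the FAQ mentions without leaving the retired value in use indefinitely.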