JWT Keys Configuration

Generate and configure secure JWT keys for authentication

Overview

JSON Web Tokens (JWTs) are an essential part of ZapStart's authentication system. They require two secret keys for secure operation:

  • JWT Secret: Used to sign and verify access tokens (short-lived).
  • JWT Refresh Secret: Used to sign and verify refresh tokens (long-lived).

Security Note: Keep these secrets confidential and never commit them to your code repository; the .env file is not committed by default. Each secret should be at least 32 characters long (the commands below produce 64 random bytes, printed as 128 hexadecimal characters), and the two secrets must differ from each other so that a refresh token is never accepted where an access token is expected. Anyone who obtains a secret can forge tokens, so treat it like a password and replace both secrets if you suspect a leak.

Generating Secure JWT Secrets

You need to generate two different random strings to use as your JWT secrets. Generate them with a cryptographic random source rather than typing them by hand, using one of the following methods based on your operating system:

Option 1: Using OpenSSL (Mac/Linux)

OpenSSL is pre-installed on most Mac and Linux systems. Run the following command to generate a secure random string (64 random bytes, printed as 128 hexadecimal characters):

openssl rand -hex 64

Run this command twice to generate two different secrets.

Option 2: Using Node.js (Windows/Mac/Linux)

If you have Node.js installed, you can use the built-in crypto module to generate a secure random string of the same size (64 random bytes as 128 hexadecimal characters):

node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"

Run this command twice to generate two different secrets.

Adding Secrets to Environment Variables

Once you've generated your secrets, add them to your .env file in the backend directory:

# JWT Secret for signing access tokens
JWT_SECRET=your_first_generated_secret_here

# JWT Refresh Secret for signing refresh tokens
JWT_REFRESH_SECRET=your_second_generated_secret_here

Replace your_first_generated_secret_here and your_second_generated_secret_here with the actual secrets you generated. Paste each value on a single line with no surrounding quotes or spaces, and make sure the two values are not the same.

For a tutorial on User Authentication and Authorization, please see the User Authentication tutorial.

Next Steps

Now that you've configured your JWT secrets, you can continue setting up the rest: