# Understanding and Managing `PAYLOAD_SECRET` Safety


cunning blaze (BOT)

Does anyone know what the PAYLOAD_SECRET is used for and whether it is safe to have a different secret used during the build process vs when deploying live?
Also, is it safe to roll/change the secret from time to time?

swift idol (BOT)

Original message from @thin sun - Moved from #general message

soft arrow

Hey @thin sun,

The PAYLOAD_SECRET env var is used in a few places around Payload, namely the auth stuff. It's used for generating apiKeys for example. So, say you regenerated it, your existing apiKeys would fail and you would need to regenerate those. It's also used for things like tokens iirc. You can see it in practice in the source code in the /auth folder of the Payload package. Just be mindful that some things may not work as expected if you use two different ones in build vs live, or you rotate them.

thin sun

Thanks so much for clarifying that, much appreciated, thank you.

soft arrow

My pleasure, truly