Store JWT Secrets — Security Checklist

A practical checklist for JWT secret storage from development through production deployment.

Steps

  1. 1

    Never hardcode secrets in source code or commit them to git repositories.

  2. 2

    Use .env files for local development only — add .env to .gitignore.

  3. 3

    Set production secrets via your hosting platform or a secrets manager (AWS Secrets Manager, Vault, Doppler).

  4. 4

    Generate separate secrets for development, staging, and production environments.

  5. 5

    Plan key rotation using the kid header before you need emergency rotation.

  6. 6

    Audit logs and error handlers to ensure secrets are never printed.

Generate New Secret

Related Articles

Frequently Asked Questions

Are environment variables secure enough?

For small production deployments, yes. Growing teams should move to a dedicated secrets manager.

What if I committed a secret to git?

Rotate immediately. Assume the secret is compromised — git history retains deleted files.