Handling token secrets

Margaret W.N ・1 min read

How do I safely store a token secret?

Most of the resources I've come across talk of adding it to a .env file. However, there is a whole other bunch of resources that discredit the use of a .env file to store token secrets.

Since I'm simply learning, I'll use .env before I find a better alternative for that. I previously had my token secret stored in a config.js file, which doesn't exactly make it a secret. I'll save that to a .env file and try and use it.


I'll npm install dotenv, include it in the user controller.js file and save the token secret to a variable. Then replace the config.secret with the variable name.

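require('dotenv').config(); // load the variables from .env into process.env
const secret = process.env.SECRET;

const token = jwt.sign({ id: user._id }, secret, {
  expiresIn: 86400 // 24 hours, in seconds
});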

I suppose it's safe now, for as long as it's in development.
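A startup check that fits the setup described above, as an added example that is not part of the original post: it rejects a missing, placeholder or too-short `SECRET` before any token is signed, and checks that `.env` is listed in `.gitignore` so the secret does not end up in the repository the way a `config.js` value does. The function names, the placeholder list and the 32-byte minimum (which assumes HS256 signing) are assumptions made for this example.

```javascript
// Added example: validate the JWT signing secret once at startup.
// Assumes HS256 (HMAC-SHA256), where the key should be at least 32 bytes.
const MIN_SECRET_BYTES = 32;
// Constructed list of throwaway values that often get left in .env files.
const PLACEHOLDERS = new Set(['secret', 'changeme', 'your-secret-here']);

function loadTokenSecret(env = process.env) {
  const secret = env.SECRET;
  if (typeof secret !== 'string' || secret.trim() === '') {
    // Without this, the missing value only surfaces later, when a token is signed.
    throw new Error('SECRET is not set; check that .env exists and was loaded');
  }
  if (PLACEHOLDERS.has(secret.trim().toLowerCase())) {
    throw new Error('SECRET is a placeholder value');
  }
  if (Buffer.byteLength(secret, 'utf8') < MIN_SECRET_BYTES) {
    throw new Error(`SECRET must be at least ${MIN_SECRET_BYTES} bytes`);
  }
  return secret;
}

// Simplified check that a .gitignore text keeps ".env" out of the repository.
// Handles only literal entries and a later "!" negation, not full glob rules.
function envFileIsIgnored(gitignoreText) {
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (['.env', '/.env', '.env*', '*.env'].includes(line)) ignored = true;
    if (['!.env', '!/.env'].includes(line)) ignored = false;
  }
  return ignored;
}
```

In the controller, `const secret = loadTokenSecret();` would take the place of reading `process.env.SECRET` directly, after dotenv has loaded the file.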

Day 33


Margaret W.N


Developer | GADs 20 scholar | Diving into backend

