Reputation: 153
Secure way of storing JWT secret key used to encode/decode token data
I'm building a Python application using FastApi and I'm using JWT and OAuth2 password flow to authenticate the users, as specified in their documentation. When a user logs in it receives a token, generated with HS256 algorithm and a user secret key. This token is stored as local storage in the browser. Then for each request that depends on the current logged in user, the token is send to the backend, decoded using the same secret key and the needed information is provided. In my app I have a PostgreSQL database and my question is where should I store those secret keys used to generate tokens for different type of users that I have and to keep those keys secured.
Thank you
Upvotes: 2
Views: 2477
Answers (1)
Reputation: 434
A recommended approach is to:
- Create an
.envfile and store theSECRETin it - Create one
settings.pyfile in root folder of the project - Import
SECRETfrom.envto a variable insettings.pyand use it
Upvotes: 2
Related Questions
- How to safely store & process secret key for JWT
- How to secure fastapi API endpoint with JWT Token based authorization?
- Encrypting JWT payload
- How to encode a JWT in Python?
- can't decode JWT token
- JWT encrypting payload in python? (JWE)
- How to give clients JSON web token (JWT) in secure fashion?
- Best way to use JWT and how to store the secret key
- How to handle JWT secret key when decoding tokens clientside?
- Securely store Oauth token(s) in file