How to save a JSON web token secret into an environment variable

Use config/secrets.js for all your web application secrets

We now know how to generate and verify a JSON web token, but we still have some work to do.

In our previous examples we hardcoded the secret required by the JWT inside our methods as a simple string.
But this is not a good practice. It creates a security vulnerability in our code, and it also creates code duplication because the secret is used in two places in our application.
Let's clean this up and make it better.

What we really want to do is make the secret a configuration setting for the environment and make it so we can read it from the environment in a variable called JWT_SECRET.

Let's create a config folder at the root level of our application and inside of it we can create a secrets.js file:

mkdir config

touch config/secrets.js

In the secrets.js file, we export an object that contains our secret.
The object has one property, called jwtSecret, that is set to the value of an environment variable called JWT_SECRET.

// config/secrets.js

module.exports = {
  jwtSecret: process.env.JWT_SECRET

Now, in our restricted middleware file we require the secrets.js file and assign the exported object to a secrets variable that we can use instead of the hardcoded secret string.

const secrets = require('../config/secrets.js');

// ...

module.exports = (req, res, next) => {

  // ...

  if (token) {
    jwt.verify(token, secrets.jwtSecret, (err, decodedToken) => {
    // ...


We will do the same thing inside the auth-router.js file, where the login route is defined. The login route also needs the secret in order to generate the initial token, so we can use the secrets.js file as well:

// auth/auth-router.js

const secrets = require('../config/secrets.js');
// ...

return jwt.sign(payload, secrets.jwtSecret, options);

If we try to connect to localhost:5000/api/users now, we get this error:

"Error decoding token"

Why? That's because we used an environment variable called JWT_SECRET that we still have to define in the .env file in our project.

// .env


Once we have this variable defined, and we use the dotenv library to implement it, we can make our request and be sure we are authorized for access to restricted endpoints.

Did you like this article? Share it with your friends.
I write daily about front-end and back-end web technologies.
You can receive all my articles in your inbox by subscribing to my newsletter. Just click the button below. No spam, just good, useful content. Guaranteed!

Follow me on Twitter