# Generate Secret Keys
All keys are generated locally in your browser using the Web Crypto API. Nothing is sent to any server.
| Variable | Purpose |
|---|---|
| `SECRET_KEY` | Signs sessions and internal tokens |
| `CREDS_KEY` | AES-256 key for encrypting stored MCP server credentials |
| `JWT_PRIVATE_KEY` | RSA-2048 private key; signs JWTs issued by the auth server |
| `JWT_PUBLIC_KEY` | RSA-2048 public key; verifies JWTs across all services |
🔒 Keys are generated entirely in your browser. Refresh the page to clear them.

The generator produces the following values:

- `SECRET_KEY`: 64 random bytes, base64url-encoded. Used for session signing.
- `CREDS_KEY`: 32 random bytes, hex-encoded (64 chars). AES-256 key for encrypting stored credentials.
- `JWT_PRIVATE_KEY`: RSA-2048 private key (PKCS8 PEM). Signs JWTs issued by the auth server.
- `JWT_PUBLIC_KEY`: RSA-2048 public key (SPKI PEM). Verifies JWTs across all services.

`.env` output: generate the keys above, then paste the resulting block into your `.env` file.
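The same four values can be produced outside the page's generator with the Web Crypto API. The block below is an added example, not the page's own tool code; it assumes the JWTs are signed with RS256 (RSASSA-PKCS1-v1_5 with SHA-256), which the page does not state, and that the `.env` file is read by a dotenv loader that accepts double-quoted multi-line values.

```javascript
// Added example, not the page's own generator: produce the same four values with the Web Crypto API.
// Works in a browser and in Node (globalThis.crypto, falling back to node:crypto's webcrypto).
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  return (await import("node:crypto")).webcrypto;
}

// Standard base64 of a byte buffer (a loop avoids spreading large arrays into fromCharCode)
function toBase64(bytes) {
  let bin = "";
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// base64url without padding (RFC 4648 section 5): the SECRET_KEY encoding
function toBase64Url(bytes) {
  return toBase64(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Lowercase hex: 32 random bytes become the 64-character CREDS_KEY
function toHex(bytes) {
  return Array.from(new Uint8Array(bytes), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Wrap DER bytes (PKCS8 or SPKI) in a PEM envelope with 64-character lines
function toPem(der, label) {
  const lines = toBase64(der).match(/.{1,64}/g).join("\n");
  return `-----BEGIN ${label}-----\n${lines}\n-----END ${label}-----`;
}

async function generateKeys() {
  const wc = await getCrypto();
  // RS256 key pair (assumption: the page does not name the JWT algorithm); extractable for PEM export
  const { privateKey, publicKey } = await wc.subtle.generateKey(
    { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["sign", "verify"]);
  return {
    SECRET_KEY: toBase64Url(wc.getRandomValues(new Uint8Array(64))),
    CREDS_KEY: toHex(wc.getRandomValues(new Uint8Array(32))),
    JWT_PRIVATE_KEY: toPem(await wc.subtle.exportKey("pkcs8", privateKey), "PRIVATE KEY"),
    JWT_PUBLIC_KEY: toPem(await wc.subtle.exportKey("spki", publicKey), "PUBLIC KEY"),
  };
}
// Render the .env block; PEM values are double-quoted so multi-line-aware dotenv loaders keep newlines
function toDotEnv(keys) {
  return Object.entries(keys)
    .map(([k, v]) => (v.includes("\n") ? `${k}="${v}"` : `${k}=${v}`)).join("\n") + "\n";
}
```

Call `generateKeys().then((k) => console.log(toDotEnv(k)))` to print a block in the same shape as the page's `.env` output.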
## Storing Your Keys
- **Local development**: paste the `.env` output directly into your `.env` file.
- **Production**: store `JWT_PRIVATE_KEY` and `JWT_PUBLIC_KEY` in a secrets manager:
    - AWS: Secrets Manager or Parameter Store (SecureString)
    - Azure: Key Vault
    - GCP: Secret Manager
> **Keep your private key secret**
>
> `JWT_PRIVATE_KEY` is a signing key. Anyone who holds it can issue valid JWTs for your deployment. Never commit it to version control or log it.
Once your `.env` is populated, continue to Step 4: Deploy Services.