Back to Generator

Secret Keys & Salts — Explained

These eight values are the cryptographic backbone of a secure application. Each one is a random 64-character string that should be unique per project and never shared publicly.

Keys are used as the secret in HMAC (Hash-based Message Authentication Code) hashing; salts add extra randomness so two identical inputs never produce the same hash. Together they make cookies and nonces unpredictable and tamper-evident.

Auth Key

AuthKey

Authenticates logged-in users

Used to encrypt and verify the authentication cookie set when a user logs in. It is the primary secret that proves a session belongs to a specific user.

Risk: If compromised, attackers can forge login cookies and gain unauthorized access to any account.

Auth Salt

AuthSalt

Adds entropy to the Auth Key

Works alongside AuthKey to add randomness (entropy) to the hashing process. A salt makes brute-force and rainbow-table attacks computationally infeasible even if the key itself leaks.

Risk: Without a strong salt, an attacker with the key could precompute valid cookies offline.

Logged In Key

LoggedInKey

Signs the front-end session cookie

Secures the cookie used to check whether a user is logged in on the front end. Kept separate from AuthKey so that front-end and back-end sessions use independent secrets.

Risk: Reusing the same value as AuthKey reduces security isolation between front-end and admin sessions.

Logged In Salt

LoggedInSalt

Salts the Logged In Key

Provides the salt component for the logged-in cookie hash, mirroring the role AuthSalt plays for AuthKey. Keeps the front-end session token unpredictable.

Risk: A weak or reused salt here makes front-end session tokens easier to predict or forge.

Nonce Key

NonceKey

Signs one-time action tokens

Nonces are short-lived tokens that protect URLs and forms from CSRF (Cross-Site Request Forgery). NonceKey is the secret used to generate and verify these tokens.

Risk: A predictable NonceKey lets attackers craft valid nonces, enabling CSRF attacks on privileged actions.

Nonce Salt

NonceSalt

Adds entropy to Nonce Key

Salt companion to NonceKey. Ensures that even if two requests share the same context, the resulting nonce tokens are unique and non-guessable.

Risk: Without a proper salt, nonces generated close together in time may be predictable.

Secure Auth Key

SecureAuthKey

Secures HTTPS-only sessions

Used exclusively over HTTPS to sign the secure authentication cookie. Provides an additional layer of isolation — even if HTTP cookies are sniffed, the HTTPS session cookie remains protected.

Risk: Sharing this value with AuthKey eliminates the security benefit of having separate HTTPS-only session tokens.

Secure Auth Salt

SecureAuthSalt

Salts the Secure Auth Key

The salt paired with SecureAuthKey. Together they harden the HTTPS-only session cookie against offline attacks and ensure each installation has a cryptographically unique token space.

Risk: A weak or default salt makes the secure session cookie vulnerable to offline brute-force.

Generated by ababilspark.com — rotate these values any time you suspect a breach.