From cd861c22b746c1126039fb87401c1f1d2b4c84f9 Mon Sep 17 00:00:00 2001 From: Jessica Boezwinkle Date: Mon, 17 Apr 2023 18:22:03 +0100 Subject: [PATCH 1/2] docs: adds info on payload secret encryption --- docs/getting-started/installation.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/getting-started/installation.mdx b/docs/getting-started/installation.mdx index 3bdd9ec751..1c3d93f349 100644 --- a/docs/getting-started/installation.mdx +++ b/docs/getting-started/installation.mdx @@ -106,6 +106,8 @@ Here is a list of all properties available to pass through `payload.init`: **Required**. This is a secure string that will be used to authenticate with Payload. It can be random but should be at least 14 characters and be very difficult to guess. Often, it's smart to store this value in an `env` and set different values for each of your environments (local, stage, prod, etc). The `dotenv` package is very handy and works well alongside of Payload. +Payload uses the secret key to generate a secure user token (JWT). Behind the scenes, we first take the secret key and create an encrypted string using the SHA-256 hash function. Then, we reduce the encrypted string to its first 32 characters. This final value gets assigned to the user object as `token`. + ##### `mongoURL` **Required**. This is a fully qualified MongoDB connection string that points to your Mongo database. If you don't have Mongo installed locally, you can [follow these steps for Mac OSX](https://docs.mongodb.com/manual/tutorial/install-mongodb-on-os-x/) and [these steps](https://docs.mongodb.com/manual/tutorial/install-mongodb-on-windows/) for Windows 10. If you want to use a local database and you know you have MongoDB installed locally, a typical connection string will look like this: From 7fa27686bb2e62902f08cebf05a68bf1251cf04b Mon Sep 17 00:00:00 2001 
From: James Date: Mon, 17 Apr 2023 17:02:07 -0400 Subject: [PATCH 2/2] chore: clarity to secret key usage --- docs/getting-started/installation.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation.mdx b/docs/getting-started/installation.mdx index 1c3d93f349..9c5e5f4f0d 100644 --- a/docs/getting-started/installation.mdx +++ b/docs/getting-started/installation.mdx @@ -106,7 +106,7 @@ Here is a list of all properties available to pass through `payload.init`: **Required**. This is a secure string that will be used to authenticate with Payload. It can be random but should be at least 14 characters and be very difficult to guess. Often, it's smart to store this value in an `env` and set different values for each of your environments (local, stage, prod, etc). The `dotenv` package is very handy and works well alongside of Payload. -Payload uses the secret key to generate a secure user token (JWT). Behind the scenes, we first take the secret key and create an encrypted string using the SHA-256 hash function. Then, we reduce the encrypted string to its first 32 characters. This final value gets assigned to the user object as `token`. +Payload uses this secret key to generate secure user tokens (JWT). Behind the scenes, we do not use your secret key to encrypt directly - instead, we first take the secret key and create an encrypted string using the SHA-256 hash function. Then, we reduce the encrypted string to its first 32 characters. This final value is what Payload uses for encryption. ##### `mongoURL`
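Review bot: In the first patch's hunk, "create an encrypted string using the SHA-256 hash function" mislabels the operation: SHA-256 produces a hash (digest), not ciphertext, and nothing here is decryptable. Suggest "create a hash of the secret using SHA-256" and "reduce the hash to its first 32 characters". The closing sentence, "This final value gets assigned to the user object as `token`", is also misleading: read literally it says every user's token is one fixed value derived from the server secret, whereas the paragraph opened by saying the secret is used to generate per-user JWTs. State what the truncated digest is actually used for (signing the JWT, or as an encryption key) rather than that it is assigned to the user, and say whether the 32 characters are taken from a hex or base64 encoding so readers know how many bits remain.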
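Review bot: The second patch's hunk still calls the SHA-256 output an "encrypted string", so the terminology problem from the first patch survives; use "hash" or "digest". The rewritten paragraph now also contradicts itself: it opens with "to generate secure user tokens (JWT)" and ends with "This final value is what Payload uses for encryption", without saying which of the two (or both) the derived value serves. Name the operations explicitly, e.g. "Payload uses the first 32 characters of the SHA-256 hash of `secret` as the key for X", where X is whatever the code does. One more point worth a sentence, since this paragraph sits directly under the "at least 14 characters and be very difficult to guess" guidance: hashing and truncating the secret does not add strength, so the derived key is only as unpredictable as the secret the operator supplies; saying so reinforces the length advice above it.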