Why does your cookie secret matter?

The cookie secret is a string that signs your session cookies. Without it, anyone could forge a session cookie and impersonate any user.

How it works

When the server creates a session cookie, it signs it with the secret — like a wax seal on a letter. When the cookie comes back with the next request, the server checks the seal. If it matches, the cookie is genuine. If not, it's been tampered with and the server rejects it.

pnpm prep generates a strong random secret and saves it to your .env file as COOKIE_SECRET.

Rules

  1. Use a long random string. At least 32 characters of random data. pnpm prep handles this for you.
  2. Never commit it to code. Store it as an environment variable (COOKIE_SECRET).
  3. Keep it in a password manager. You'll need it when setting up new environments.
  4. Rotate it if it leaks. If the secret is compromised, anyone who has it can forge valid session cookies, so all existing sessions become untrustworthy. Change it, and every user will need to log in again.