To create a <code>userToken</code>, we need the token payload and the secret key after which it returns the token.
<pre><code class="lang-js">const token = jwt.sign(data, "secretkey");
</code></pre>
Instead of hard-coding the word <code>secretKey</code> (or any word) as a secret key, is it a good practice to user password as secret key?
<pre><code class="lang-js">const userToken = jwt.sign(tokenPayload, userPassword);
</code></pre>
Mostly the payload consists of user data which we want to get on the client-side:
<pre><code class="lang-js">{
 userId: 123,
 email: "user@example.com"
 image: "http://example.com/image.png"
}
</code></pre>
so my idea behind passing <code>userPassword</code> instead of passing is to create a more secure auth token.
What are your thoughts on this idea and what are the possible down-fall of it?

To create a `userToken`, we need the token payload and the secret key after which it returns the token.

```js
const token = jwt.sign(data, "secretkey");
```

Instead of hard-coding the word `secretKey` _(or any word)_ as a secret key, is it a good practice to user password as secret key?

```js
const userToken = jwt.sign(tokenPayload, userPassword);
```

Mostly the payload consists of user data which we want to get on the client-side:

```js
{
  userId: 123,
  email: "user@example.com"
  image: "http://example.com/image.png"
}
```

so my idea behind passing `userPassword` instead of passing is to create a more secure auth token.

What are your thoughts on this idea and what are the possible down-fall of it?

Can we use user password as jwt secret key?

Product

Explore

Company

Blogs

Support