SigNoz uses a JWT secret key to sign and verify all user session tokens. It is critical to set this secret to ensure the security of your SigNoz instance.
If you do not set the JWT secret, SigNoz does not fail to start; it only prints a warning log:
No JWT secret key is specified
Running without a secret leaves your instance exposed: session tokens are then signed with an empty string as the key, so anyone can forge valid tokens.
How to Set the JWT Secret
1. Choose a strong secret: use a long, random string. Avoid simple or guessable values.
2. Set the environment variable: add the following to your environment configuration:
   SIGNOZ_TOKENIZER_JWT_SECRET=your-very-strong-random-secret
3. Restart SigNoz: after setting the variable, restart your SigNoz services to apply the change.
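As an added illustration (not SigNoz's own code; the page does not describe the exact token format, so a standard HS256 JWT is assumed), the Python below shows a startup check for the value of SIGNOZ_TOKENIZER_JWT_SECRET, generates a suitable secret, and demonstrates the risk described above: a token minted with an empty key verifies on a server that also has no secret, but not on one configured with a strong one.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical strength policy (not SigNoz's own check): reject empty secrets
# and anything shorter than 32 bytes.
MIN_SECRET_BYTES = 32


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_secret(nbytes: int = 48) -> str:
    """Random URL-safe string suitable for SIGNOZ_TOKENIZER_JWT_SECRET."""
    return secrets.token_urlsafe(nbytes)


def check_secret(secret: str) -> bool:
    """Startup check: True only for a non-empty secret of acceptable length."""
    return len(secret.encode("utf-8")) >= MIN_SECRET_BYTES


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature) over the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC with the server secret and compare in constant time.
    The alg header is deliberately ignored: only HS256 is ever accepted."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False  # malformed token
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), sig.encode())


def empty_key_token_accepted(server_secret: str) -> bool:
    """Does a token minted with an EMPTY key pass verification on this server?"""
    token = sign_hs256({"sub": "admin"}, "")  # constructed claims, empty key
    return verify_hs256(token, server_secret)
```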
Best Practices
- Never share your JWT secret publicly.
- Rotate the secret periodically and update your environment configuration accordingly.
- Monitor logs for any warnings about missing or invalid JWT secrets.