JWT_SECRET Purpose
Hey all, we're primarily using AWS Cognito for auth, and noticed JWT_SECRET is still a required env var in Wasp. Since Cognito is handling all the auth flows like email verification and password resets, we're not using this var ourselves.
Is JWT_SECRET actually needed in this case, and can we override the Zod schema to skip the check?
Hi @Suchitk. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Based on the available knowledge sources, JWT_SECRET is required by Wasp only if you are using Wasp's built-in auth features. The documentation states:
- JWT_SECRET is only required if you use Wasp's built-in auth.
- If you use only AWS Cognito, it should not be required, but the current validation may still expect it.
- There is no documented way to override the Zod schema or skip the check as of now.
If you encounter issues with the env var check, you may need to follow up with the Wasp team or community for a workaround, as the knowledge sources do not provide a solution for overriding or skipping the JWT_SECRET requirement in this scenario.
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
Sorry @Suchitk, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
Deploying Manually: Environment Variables
If you are exclusively using AWS Cognito for authentication and not leveraging any of Wasp's built-in auth features, then, according to the docs, JWT_SECRET should not be required. However, the current implementation of environment variable validation in Wasp (using Zod or similar) may still expect JWT_SECRET to be present, depending on how the validation schema is set up.
There is ongoing discussion in the Wasp community about improving env var validation and making it more flexible, including the ability to warn users if required variables are missing and to define which variables are required based on actual usage (see Defining environment variable types using Zod and Implement good support for environment variables).
Currently, there is no explicit documentation or example showing how to override the Zod schema or skip the JWT_SECRET check if you are not using Wasp Auth. The knowledge sources do not provide a way to disable this requirement directly.
JWT_SECRET (required if using Wasp Auth)
You only need this environment variable if you're using Wasp's auth features.
Set it to a random string at least 32 characters long (you can use an online generator).
Summary:
- JWT_SECRET is only required if you use Wasp's built-in auth.
- If you use only AWS Cognito, it should not be required, but the current validation may still expect it.
- There is no documented way to override the Zod schema or skip the check as of now.
If you encounter issues with the env var check, you may need to follow up with the Wasp team or community for a workaround, as the knowledge sources do not provide a solution for overriding or skipping the JWT_SECRET requirement in this scenario.
Hey. It seems like the bot gave the correct answer. Are you defining auth in your main wasp config file? If so, and you don't need it, then remove it and you should get prompted to define this secret according to the docs.
You'll of course have to do your own authorization strategies throughout the app.
Hey @Vinny (@Wasp), we are actually using the auth object to retain useful features related to user context. Cognito has been set up in a similar way compared to the custom OAuth with Spotify example.
Can I refer to any docs that specify how JWT_SECRET is being used besides my initial assumptions?
Hey @Suchitk, JWT_SECRET is used to sign and verify JWT tokens in Wasp Auth. The JWT tokens are mainly used in two main places:
- in the OAuth login flow, the server passes a JWT token to the client that it can exchange for a session
- in the Email Verification and Password Reset flows, the link emailed to the user has a JWT token in it as a means of verification
In our current design, we use JWT tokens where the server is granting a session to a system outside of its immediate boundaries, so it needs to have a trust mechanism, based in this case on the JWT_SECRET. This is treated as an implementation detail, so it is not dwelled on much in the docs.
If you're basing your Cognito code off of our Spotify example, you're indeed using the JWT tokens at this point in the code: https://gist.github.com/infomiho/3c63de7d53aba59d6293bcb59501a029#file-src-auth-ts-L71-L80
Due to our design that has different origins for server and client, we need to use JWT tokens for the moment being. Is there a specific problem you have found with setting JWT_SECRET?
Thanks once again @Carlos, I had completely missed it being used in the OAuth login flow, so that's super helpful. There's currently no issue with setting JWT_SECRET; we were simply streamlining our secrets and this point had come up.
Happy to help!