Generate random 32-byte, base64 secrets for your Payload instance.
Key
PAYLOAD_SECRET is a required environment variable for Payload. It is a long,
random, unguessable string that Payload uses for encryption workflows — signing and
verifying auth tokens, password hashing, and other server-side crypto. It is not an API
key you paste into the admin UI; your app reads it from the environment at startup.
Value
Add this line to your environment:
PAYLOAD_SECRET="generate a secret above"
Application
- Local development: add the line to a .env file at your project root and keep .env out of version control.
- Deployed environments: set PAYLOAD_SECRET in your host's environment-variable settings — same variable name, available to the Node process before Payload starts.
- Containers: pass PAYLOAD_SECRET as an environment variable to your app service.
Config
Reference the variable in payload.config.ts:
import { buildConfig } from 'payload'

export default buildConfig({
  secret: process.env.PAYLOAD_SECRET,
  // ...
})
Payload reads process.env.PAYLOAD_SECRET when your config loads. If the
variable is missing, Payload will fail at startup.
Read more in the Payload docs.
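The page says Payload fails at startup when the variable is missing; the check below also covers a value that is set but unusable, such as the placeholder from the sample .env line. This is an added example for Node.js, not code from Payload or from this page: the function names are hypothetical, and the strict base64 test and 32-byte minimum are assumptions taken from the secret format described here.

```javascript
// Added example, not Payload's code: generate and validate a PAYLOAD_SECRET.
const { randomBytes } = require('node:crypto')

// Placeholder text from this page's sample .env line; it must never reach a deployment.
const PLACEHOLDER = 'generate a secret above'
const MIN_BYTES = 32 // the size this page generates, used here as the minimum (assumption)

// Produce a secret locally in the same format: 32 random bytes, base64-encoded.
function generateSecret() {
  return randomBytes(MIN_BYTES).toString('base64')
}

// Return a list of problems with the value; an empty list means it looks usable.
function checkSecret(value) {
  if (value === undefined || value === '') return ['PAYLOAD_SECRET is not set']
  const problems = []
  if (value === PLACEHOLDER) problems.push('placeholder text was never replaced')
  if (value !== value.trim()) problems.push('leading or trailing whitespace')
  // Strict base64 test first: Buffer.from() silently skips invalid characters.
  const isBase64 = /^[A-Za-z0-9+/]+={0,2}$/.test(value) && value.length % 4 === 0
  if (!isBase64) {
    problems.push('not valid base64')
  } else if (Buffer.from(value, 'base64').length < MIN_BYTES) {
    problems.push(`decodes to fewer than ${MIN_BYTES} bytes`)
  }
  return problems
}

// Call before buildConfig() so a bad value stops startup with a clear message.
function requireSecret(env = process.env) {
  const problems = checkSecret(env.PAYLOAD_SECRET)
  if (problems.length > 0) {
    throw new Error(`Invalid PAYLOAD_SECRET: ${problems.join('; ')}`)
  }
  return env.PAYLOAD_SECRET
}
```

The error message lists the problems only and never echoes the secret value, so it is safe to leave in startup logs.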
Endpoint
Fetch a fresh 32-byte base64 secret from
https://payloadsecret.com/generate.
curl -fsSL https://payloadsecret.com/generate
Remember
- Never commit secrets to git or expose them in client-side code (avoid the NEXT_PUBLIC_ prefix).
- Use a unique secret for each environment — local, staging, and production.
- If a secret is leaked, rotate it; existing sessions and tokens may be invalidated.