115

While trying to set up Flask-Debugtoolbar, I am getting:

"DebugToolBar requires a SECRET_KEY".

Where do I get SECRET_KEY?

lmiguelvargasf
  • 63,191
  • 45
  • 217
  • 228
Tendi
  • 1,343
  • 2
  • 10
  • 11

7 Answers

145

Get the random string for secret key:

Method 1: Use os in Python 2/3:

>>> import os
>>> os.urandom(12)
'\xf0?a\x9a\\\xff\xd4;\x0c\xcbHi'

Method 2: Use uuid in Python 2/3:

>>> import uuid
>>> uuid.uuid4().hex
'3d6f45a5fc12445dbac2f59c3b6c7cb1'

Method 3: Use secrets in Python >= 3.6:

>>> import secrets
>>> secrets.token_urlsafe(16)
'Drmhze6EPcv0fN_81Bj-nA'
>>> secrets.token_hex(16)
'8f42a73054b1749f8f58848be5e6502c'

Method 4: Use os in Python 3:

>>> import os
>>> os.urandom(12).hex()
'f3cfe9ed8fae309f02079dbf'

Set secret key in Flask

Method 1: Use app.secret_key:

app.secret_key = 'the random string'

Method 2: Use app.config:

app.config['SECRET_KEY'] = 'the random string'    

Method 3: Put it in your config file:

SECRET_KEY = 'the random string'

Then load the config from the config file:

app.config.from_pyfile('config.py')  # if your config file's name is config.py
Grey Li
  • 11,664
  • 4
  • 54
  • 64
93

The secret key is needed to keep the client-side sessions secure. You can generate some random key as below:

>>> import os
>>> os.urandom(24)
'\xfd{H\xe5<\x95\xf9\xe3\x96.5\xd1\x01O<!\xd5\xa2\xa0\x9fR"\xa1\xa8'

Just take that key and copy/paste it into your config file

SECRET_KEY = '\xfd{H\xe5<\x95\xf9\xe3\x96.5\xd1\x01O<!\xd5\xa2\xa0\x9fR"\xa1\xa8'

See Sessions documentation

Girish Gupta
  • 1,241
  • 13
  • 27
r-m-n
  • 14,192
  • 4
  • 69
  • 68
  • 29
    In python 3, if you prefer a plain string (to store in a JSON file, for example), you can convert to a hex string: `import os; print(os.urandom(24).hex())` – Daniel Waltrip Aug 23 '18 at 19:14
  • 4
    Could you just do `SECRET_KEY = os.urandom(24)`? I believe this generates a new key every time, but would that be a problem? – m13op22 Sep 03 '19 at 21:22
  • 6
    My above question is answered [here](https://stackoverflow.com/questions/27287391/why-not-generate-the-secret-key-every-time-flask-starts). – m13op22 Sep 03 '19 at 22:11
  • 9
    for the really lazy people like me, here is @Daniel Waltrips line which you can copy paste into command line : `python -c "import os; print(os.urandom(24).hex())"` – erncyp Nov 20 '19 at 16:50
  • 1
    @erncyp or `python -c "print(__import__('os').urandom(24).hex())"` – Xbox One Apr 25 '21 at 00:20
  • 1
    @HS-nebula if application generates new random key on every startup then whenever you restart your app or server then each and every session will be destroyed and all the clients will need to login again in case of login is maintained in session – Gopal Singh Sirvi May 06 '21 at 07:38
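Why a key generated on every startup logs everyone out, as an added example that is not part of the original answers or comments: a simplified standard-library model of a signed session cookie. Flask's real sessions are signed by itsdangerous; the names `sign_session`, `load_session` and `simulate_restart` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os

# Simplified model of a signed client-side session cookie (not Flask's code).
# The payload is only encoded; the HMAC tag is the part that depends on the key.

def sign_session(data: dict, key: bytes) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag

def load_session(cookie: str, key: bytes):
    """Return the session dict, or None if the signature does not verify."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so timing does not reveal the expected tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # wrong key or modified cookie: treated as "no session"
    return json.loads(base64.urlsafe_b64decode(payload))

def simulate_restart(persistent: bool) -> bool:
    """True if a cookie issued before a restart is still accepted after it."""
    stored = os.urandom(24)  # stands in for a key kept in the config file
    key_before = stored if persistent else os.urandom(24)
    cookie = sign_session({"user_id": 42}, key_before)
    # The process restarts here: a persistent key is reloaded, a per-start
    # key is generated again and no longer matches the old signature.
    key_after = stored if persistent else os.urandom(24)
    return load_session(cookie, key_after) == {"user_id": 42}

if __name__ == "__main__":
    print("fixed key, cookie survives restart:    ", simulate_restart(True))
    print("per-start key, cookie survives restart:", simulate_restart(False))
```
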
15

In order to use sessions in Flask you need to set the secret key in your application settings. The secret key is a random key used to encrypt your cookies and safely send them to the browser.

This error is because of this line in the Flask-Debugtoolbar code

To fix this you just need to set a SECRET_KEY in your config file.

app.config['SECRET_KEY'] = "Your_secret_string"

or if you have a config file just add below config to it:

SECRET_KEY = "Your_secret_string"
rezakamalifard
  • 1,289
  • 13
  • 24
9

Open Python, run following in you

import secrets
secret_key = secrets.token_hex(16)
# example output, secret_key = 000d88cd9d90036ebdd237eb6b0db000
app.config['SECRET_KEY'] = secret_key
Krunal Kapadiya
  • 2,853
  • 3
  • 16
  • 37
Prakashmm
  • 107
  • 1
  • 1
  • You should not do that. It would mean that every time you restart application there will be new secret. And this would mean that cookie signature will be different, ergo - session will not prevail. – ravenwing Jun 27 '22 at 00:29
2

Here is a way to store Flask's secret_key in a hidden file instead of the code:

import secrets
from pathlib import Path

from flask import Flask

app = Flask(__name__)

SECRET_FILE_PATH = Path(".flask_secret")
try:
    with SECRET_FILE_PATH.open("r") as secret_file:
        app.secret_key = secret_file.read()
except FileNotFoundError:
    # Let's create a cryptographically secure code in that file
    with SECRET_FILE_PATH.open("w") as secret_file:
        app.secret_key = secrets.token_hex(32)
        secret_file.write(app.secret_key)

It's always a good idea to store secrets away from versioned code. Git is very good at not losing data. This includes secret keys and passwords :)

Sylvain
  • 1,193
  • 11
  • 14
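A variant of the secret-file approach above that also controls who can read the file, as an added example that is not the answer author's code. It assumes a POSIX system (permission bits are checked); the function name `load_or_create_secret` and the minimum key length of 32 characters are choices made for this example.

```python
import os
import secrets
import stat
from pathlib import Path

def load_or_create_secret(path: Path, nbytes: int = 32) -> str:
    """Return the key stored at `path`, creating it owner-only on first run."""
    try:
        # O_EXCL fails if the file already exists, so two workers starting at
        # the same time cannot both write a key. Mode 0o600 means the file is
        # readable and writable by the owning user only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            # Refuse a key that other local accounts could have read.
            raise PermissionError(f"{path} is accessible to group/other: {oct(mode)}")
        key = path.read_text().strip()
        if len(key) < 32:
            # Also covers an empty file left behind by an interrupted first run.
            raise ValueError(f"{path} holds a key that is too short")
        return key
    with os.fdopen(fd, "w") as fh:
        key = secrets.token_hex(nbytes)
        fh.write(key)
    return key
```

In an application this replaces the try/except block: `app.secret_key = load_or_create_secret(Path(".flask_secret"))`, with `.flask_secret` listed in `.gitignore`.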
1

According to Flask's documentation, you can use the following command to generate the value of SECRET_KEY:

python -c 'import secrets; print(secrets.token_hex())'

It is important to keep in mind the following:

Do not reveal the secret key when posting questions or committing code.

lmiguelvargasf
  • 63,191
  • 45
  • 217
  • 228
-2

I recommend hashing it with bcrypt and using hex:

# IMPORT
from flask_bcrypt import Bcrypt
import secrets

secret_key = secrets.token_hex(16) #Create HEX Key
bcrypt = Bcrypt(app) #Init Bcrypt
secret_key_hash = bcrypt.generate_password_hash(secret_key) #hash the HEX key with Bcrypt
app.config['SECRET_KEY'] = secret_key_hash #setup secret key

# Output like: $2b$12$Y0QMIGwksa5OhtOBF9BczuAJ0hYMUv7esEBgMMdAuJ4V.7stwxT9e
Afi _
  • 9
  • 2