Start a team blog
Start a team blog, invite your team, and start publishing.

Can we use user password as jwt secret key?

Yashu Mittal's photo
Yashu Mittal
·Jan 27, 2020

To create a userToken, we need the token payload and the secret key after which it returns the token.

const token = jwt.sign(data, "secretkey");

Instead of hard-coding the word secretKey (or any word) as a secret key, is it a good practice to user password as secret key?

const userToken = jwt.sign(tokenPayload, userPassword);

Mostly the payload consists of user data which we want to get on the client-side:

  userId: 123,
  email: "user@example.com"
  image: "http://example.com/image.png"

so my idea behind passing userPassword instead of passing is to create a more secure auth token.

What are your thoughts on this idea and what are the possible down-fall of it?