People often think `APP_KEY` is used to hash passwords; it isn't. Here's what this key is used for:
- Encrypting cookies.
- Creating the signature for signed URLs and queued closures.
- Encrypting values using the `encrypt()` and `decrypt()` helpers.
You should treat the `APP_KEY` as a secret. If you think it has been exposed, you MUST change it. When you do, make sure you re-encrypt any stored encrypted values. Also understand that there'll be some side effects:
- All previously queued closures won't be able to run.
- All users will be logged out and all token values will be lost.
- All previously created signed routes won't work.
You can override the encrypter in your app so that it falls back to the old key when a value fails to decrypt with the new key. That way your app keeps running fully after rotation until all the values have been re-encrypted. Here's how.