Skip to main content

Shared Secret

Summary

Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely.

How to configure

Config file keysEnvironment variablesTypeUsage
shared_secretSHARED_SECRETstringrequired (unless using shared_secret_file)
Note

Pomerium Core configurations do not require a shared_secret or shared_secret_file. You only need to include a shared secret if you are running the Console.

If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret.

See the Enterprise Quickstart for an example implementation.

Examples

To generate a key, run the following command:

head -c32 /dev/urandom | base64

Add the value to your configuration file:

# config file key
shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=

# environment variable
SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=