investigate auth_secret

[edublancas]

see this: #205 (comment)

[edublancas]

I did some research, I think AUTH_SECRET is used to verify the session IDs. I deployed, logged in, then deployed again (but changed AUTH_SECRET) and the app still worked but it logged me out

I'll update the docs but spent a few minutes doing some research to see if I missed anything

[bryannho]

@edublancas I deep dived into the auth0 docs to find a real definition of AUTH_SECRET - they don't seem to define it anywhere. I think it makes sense that it verifies the session IDs / it's a unique identifier in the case you want to redeploy the application (since the other credentials can't change).

Is there a specific set of docs/reference you used to create the login flow? Knowing that might help me find a more concrete answer

[bryannho]

@edublancas I can update the docs if you haven't yet

[edublancas]

yeah I didn't find anything clear as well. but based on my experiments, seems like it's used to sign session tokens

no worries, we can close this now