Why Is This Problem Dangerous?

The JWT Secret Key is used to sign and verify every token in your system. If an attacker finds it on GitHub — even for a few minutes — they can:

  • Create a fake JWT and gain unauthorized access
  • Impersonate an administrator
  • Access your users' private data

What to Do First — 5 Immediate Steps

If you accidentally pushed a key, do the following immediately — in this exact order:

  1. Rotate the Secret Key Immediately
    This is the most important action — do this before anything else.
  2. Remove the Secret from GitHub
    • Remove the secret from your code
    • Move it to a .env file
    • Add .env to .gitignore immediately
    ⚠️ Note: Simply deleting the file or commit is not enough — the data may still remain in the Git history.
  3. Clear Git History
    You need to remove the secret from the entire commit history — not just the latest commit. According to GitHub's official guide on removing sensitive data, the recommended approach is:
    • Use git filter-repo or BFG Repo Cleaner to rewrite history
    • Then force push the cleaned repository
  4. Invalidate All Existing Tokens
    Invalidate all JWT tokens that were created with the old Secret Key. Since you've already rotated the key in Step 1, any token signed with the old key will automatically fail verification — but it's good to confirm this is working correctly across all your services.
  5. Check Logs and Activity
    • Check if anyone engaged in suspicious activity during the exposure window
    • Identify any unauthorized access attempts
    • If you find evidence of a breach, consider notifying affected users
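The following is an added example, not code from the original article, showing Steps 1, 4 and 5 in Python with only the standard library: a fresh key is generated, HS256 tokens carry a "kid" (key id) header so that retiring the leaked key id is enough to make every token it signed fail verification, and a constructed verification-service log is scanned for requests that were authenticated with the leaked key between the push and the rotation. The function names, the `kid` convention, the log line format and the sample values are all assumptions for illustration; Steps 2 and 3 are git operations and are not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def generate_secret() -> str:
    # Step 1: a fresh 256-bit key from the OS CSPRNG, never typed by hand.
    return secrets.token_urlsafe(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(payload: dict, key: str, kid: str) -> str:
    # The "kid" header names the signing key, so verifiers can retire keys by id.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, keys: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token verifies under a currently trusted key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
            return None
        key = keys.get(header.get("kid"))
        if key is None:  # retired or unknown key id: the token is dead
            return None
        expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        payload = json.loads(_unb64url(payload_b64))
        if "exp" in payload and payload["exp"] <= (now if now is not None else time.time()):
            return None
        return payload
    except (ValueError, TypeError, AttributeError):
        return None


OLD_KID, NEW_KID = "v1", "v2"
LEAKED_KEY = "hardcoded-key-that-was-pushed"  # constructed stand-in for the exposed value


def rotation_demo() -> dict:
    """Step 4: after rotation the old kid is simply absent, so every token it signed fails."""
    rotated_key = generate_secret()
    before = {OLD_KID: LEAKED_KEY}
    after = {NEW_KID: rotated_key}
    legit_old = mint_token({"sub": "alice", "role": "user"}, LEAKED_KEY, OLD_KID)
    signed_with_leaked = mint_token({"sub": "admin", "role": "admin"}, LEAKED_KEY, OLD_KID)
    fresh = mint_token({"sub": "alice", "role": "user"}, rotated_key, NEW_KID)
    return {
        "old_token_valid_before_rotation": verify_token(legit_old, before) is not None,
        "old_token_valid_after_rotation": verify_token(legit_old, after) is not None,
        "leaked_key_admin_token_valid_after": verify_token(signed_with_leaked, after) is not None,
        "new_token_valid_after_rotation": verify_token(fresh, after) is not None,
    }


# Constructed verification-service log: timestamp, key id, subject, path, status.
SAMPLE_LOG = """\
2024-03-01T09:58:00Z kid=v1 sub=alice path=/api/profile status=200
2024-03-01T10:03:12Z kid=v1 sub=admin path=/admin/users status=200
2024-03-01T10:07:45Z kid=v1 sub=bob path=/api/orders status=200
2024-03-01T10:40:02Z kid=v2 sub=alice path=/api/profile status=200
"""


def requests_in_exposure_window(log_text: str, start: str, end: str, old_kid: str) -> list:
    """Step 5: every request authenticated by the leaked key between the push and the rotation.
    Timestamps are ISO-8601 UTC, so plain string comparison orders them correctly."""
    hits = []
    for line in log_text.splitlines():
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        if start <= ts <= end and fields.get("kid") == old_kid:
            hits.append(f"{ts} {fields['sub']} {fields['path']}")
    return hits  # each hit needs a human look; privileged paths first
```

Run `rotation_demo()` to see the old and leaked-key tokens go from accepted to rejected the moment the key map no longer contains `v1`, and `requests_in_exposure_window(SAMPLE_LOG, "2024-03-01T10:00:00Z", "2024-03-01T10:30:00Z", OLD_KID)` to list the two requests that used the leaked key inside the window. Keeping the old key id out of the map is what makes Step 4 automatic; the log check is where the human review starts.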

Quick Action Reference

Step | What to Do
-----|-------------------------------------------------------------------
1    | Change the Secret Key immediately — generate a new one
2    | Delete it from the code — move to .env + update .gitignore
3    | Clear the Git history — rewrite commits, force push
4    | Invalidate all tokens signed with the old key
5    | Check the logs — look for suspicious access during exposure window

How to Prevent This in the Future

  • Never hardcode secrets into code — this is the single root cause of almost every secret leak
  • Always use a .env file and add it to .gitignore before your very first commit
  • Set .gitignore correctly — verify it is working before pushing to any remote
  • Use secret manager tools — such as AWS Secrets Manager, HashiCorp Vault, or GitHub Secrets for CI/CD pipelines
  • Conduct regular security audits — periodically scan your repositories for accidentally committed secrets

A good approach is to use environment variables or secret vault services to protect sensitive data. You can also enable GitHub's built-in Secret Scanning feature, which automatically alerts you if a known secret pattern is detected in your repository.
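The following is an added example, not code from the original article, of the check a pre-commit or pre-push hook can run to enforce the habits above: it flags any long string literal assigned to a variable whose name says secret, token, password or private key, and flags a staged `.env` file that `.gitignore` does not cover. The function names, the staged-file snapshot and both `.gitignore` texts are constructed for illustration; in a real hook the snapshot would come from the files `git diff --cached` reports.

```python
import fnmatch
import os
import re

# A quoted literal of 16+ chars assigned to a variable named like a credential.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PRIVATE_KEY)[A-Z0-9_]*)\s*[:=]\s*["\']([^"\'\s]{16,})["\']'
)


def find_hardcoded_secrets(files: dict) -> list:
    """Return (path, line_number, variable) for every credential-named variable given a literal.
    Reads from the environment or a vault (no literal) are not flagged."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = SECRET_ASSIGNMENT.search(line)
            if m:
                findings.append((path, lineno, m.group(1)))
    return findings


def _ignored(path: str, gitignore_text: str) -> bool:
    # Minimal .gitignore matcher: one glob per line, comments and negations skipped.
    base = os.path.basename(path)
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#") or pat.startswith("!"):
            continue
        pat = pat.rstrip("/").lstrip("/")
        if fnmatch.fnmatch(base, pat) or fnmatch.fnmatch(path, pat):
            return True
    return False


def env_files_not_ignored(files: dict, gitignore_text: str) -> list:
    """Any staged .env or .env.* file that .gitignore does not match."""
    return [
        p for p in files
        if (os.path.basename(p) == ".env" or os.path.basename(p).startswith(".env."))
        and not _ignored(p, gitignore_text)
    ]


def check_staged(files: dict, gitignore_text: str) -> list:
    """Human-readable findings; an empty list means the commit is clear to push."""
    findings = [f"{p}:{n}: string literal assigned to {v}" for p, n, v in find_hardcoded_secrets(files)]
    findings += [f"{p}: staged but not covered by .gitignore" for p in env_files_not_ignored(files, gitignore_text)]
    return findings


# Constructed staged snapshot, path -> content, standing in for `git diff --cached` output.
STAGED = {
    "config.py": 'import os\nJWT_SECRET = "s3cr3t-constructed-example-value-0123"\nDEBUG = True\n',
    "settings.py": 'import os\nJWT_SECRET = os.environ["JWT_SECRET"]\n',
    "auth.js": "const jwtSecret = process.env.JWT_SECRET;\n",
    ".env": "JWT_SECRET=constructed-value-not-real\n",
}
GITIGNORE_MISSING_ENV = "node_modules/\n__pycache__/\n"
GITIGNORE_WITH_ENV = "node_modules/\n__pycache__/\n.env\n.env.*\n"
```

`check_staged(STAGED, GITIGNORE_MISSING_ENV)` reports two findings: the literal in `config.py` and the unignored `.env`; with `GITIGNORE_WITH_ENV` only the literal remains, and `settings.py` and `auth.js`, which read the secret from the environment, pass. A hook that exits non-zero on any finding blocks the commit before the secret ever reaches a remote, which is cheaper than any of the five recovery steps.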

Small Mistakes, Big Impact

A small mistake, like pushing a secret, can compromise the security of the entire system. So always be careful — and set up the right habits from the very start of every project.

The Bottom Line

If your JWT Secret Key is accidentally pushed to GitHub, there's no need to panic — but it's crucial to take immediate action. First, change the key, then clean up the code and history, and secure your system.

  • Rotate the key immediately — this is always Step 1, no exceptions
  • Deleting the file is not enough — you must also clean the full Git history
  • Invalidate all old tokens — so any stolen tokens become useless
  • Check your logs — identify if anyone accessed the key during the exposure window
  • Prevent it next time — .env + .gitignore + secret manager = safe habits

🔐 Need a new secure JWT secret key right now? Generate one in seconds at jwtsecretkeygenerator.com — cryptographically secure, free, and never stored anywhere.

Frequently Asked Questions

What should I do if I accidentally pushed my JWT secret key to GitHub?

Act immediately: (1) Generate a new secret key and disable the old one. (2) Remove the secret from your code and use a .env file instead. (3) Clean your Git history using git filter tools and force push. (4) Invalidate all tokens signed with the old key. (5) Check your logs for any suspicious activity or unauthorized access.

Is deleting the file from GitHub enough to secure an exposed JWT secret?

No. Simply deleting the file or commit from GitHub is not enough. The secret may still exist in the repository's Git history, which anyone with access to the repository can browse. You must use git filter tools to rewrite the entire history and remove the secret from every previous commit, then force push the cleaned repository.

How do I prevent accidentally pushing secrets to GitHub?

Always store secrets in a .env file and add it to .gitignore before your first commit. Never hardcode secrets directly in source files. Use secret manager tools like AWS Secrets Manager or HashiCorp Vault for production. Consider using GitHub's built-in secret scanning feature to automatically detect exposed credentials.

What happens if an attacker finds my JWT secret key on GitHub?

If an attacker obtains your JWT secret key, they can create fake JWT tokens, impersonate administrators, and access your users' data — all without knowing any user's password. This is why rotating the key immediately is the single most important first step if your secret is ever exposed.