---
number: 30606
slug: 30606-removal-of-app-settings-jwt-secret-from-the-database
published: 2024-11-22
discussion: https://github.com/orgs/supabase/discussions/30606
labels:
  - security
page: https://supabase.com/changelog/30606-removal-of-app-settings-jwt-secret-from-the-database
---

# Removal of app.settings.jwt_secret from the database

# Introduction

We are removing `app.settings.jwt_secret` from the `postgres` database on 2024/11/22.

This [setting](https://postgrest.org/en/stable/references/configuration.html#app-settings) has previously been available through our PostgREST integration, and could be accessed using `current_setting('app.settings.jwt_secret')` in SQL.

# Why are we doing this?

The `jwt_secret` can be used to mint new, custom JWTs and is security sensitive. Supabase limits access to the `jwt_secret`, through both the dashboard and API, to [specific roles](https://supabase.com/docs/guides/platform/access-control#api-config-permissions) (owner, admin and developer). Allowing access to this setting directly in the database makes it possible to bypass these restrictions.

# What do you need to do?

If you need the `jwt_secret`, it can be retrieved through the Supabase [dashboard](https://supabase.com/dashboard/project/_/settings/api).

If you are using the `app.settings.jwt_secret` in SQL, you will need to update your function to retrieve this value from [Vault](https://supabase.com/docs/guides/database/vault). 

```sql
-- store the secret in Vault; 'JWT_SECRET' stands in for the actual secret value
select vault.create_secret('JWT_SECRET', 'app.jwt_secret', 'The jwt secret');

-- retrieve the value, this replaces select current_setting('app.settings.jwt_secret')
select decrypted_secret 
   from vault.decrypted_secrets 
   where name = 'app.jwt_secret';
```
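
To find what needs updating, the query below searches function bodies, views, materialized views and row level security policies for references to the removed setting. It is an added example, not part of the original changelog, and it relies only on standard PostgreSQL system catalogs.

```sql
-- Added example: list database objects that still mention the removed setting.
-- Run as a role that can see every schema you own (for example, postgres).
with needle as (
  -- "_" in an ILIKE pattern matches any single character, so this is slightly
  -- broader than a literal match; review each hit by hand.
  select '%app.settings.jwt_secret%'::text as pat
)
-- functions and procedures, including trigger functions
select 'function'::text      as object_type,
       n.nspname::text       as schema_name,
       p.proname::text       as object_name
  from pg_proc p
  join pg_namespace n on n.oid = p.pronamespace
 cross join needle
 where p.prosrc ilike needle.pat
union all
-- views
select 'view', v.schemaname::text, v.viewname::text
  from pg_views v
 cross join needle
 where v.definition ilike needle.pat
union all
-- materialized views
select 'materialized view', m.schemaname::text, m.matviewname::text
  from pg_matviews m
 cross join needle
 where m.definition ilike needle.pat
union all
-- row level security policies (USING and WITH CHECK expressions)
select 'rls policy', pol.schemaname::text,
       pol.tablename::text || '.' || pol.policyname::text
  from pg_policies pol
 cross join needle
 where coalesce(pol.qual, '') ilike needle.pat
    or coalesce(pol.with_check, '') ilike needle.pat
 order by 1, 2, 3;
```

An empty result does not cover code that builds the setting name dynamically or application-side SQL sent over a connection, so check those separately.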

Also, please consult the [changelog entry for Asymmetric Keys](https://github.com/orgs/supabase/discussions/29289) to understand the coming changes to `jwt_secret` and how keys at Supabase are changing.
