diff --git a/api/config.dev.json b/api/config.dev.json
index 3b7f9b1..ced6214 100644
--- a/api/config.dev.json
+++ b/api/config.dev.json
@@ -1,4 +1,5 @@
 {
-  "secret": "CHANGEME!!!!!!!!!!@##@!!$$$$$$$$$$$$$!!",
+  "cookieSecret": "CHANGEME!!!!!!!!!!@##@!!$$$$$$$$$$$$$!!",
+  "jwtSecret": "CHANGEME??????????????////3212321;312kjbkasjd",
   "mail": false
 }
diff --git a/api/config.json.production b/api/config.json.example
similarity index 67%
rename from api/config.json.production
rename to api/config.json.example
index 4e9a02f..94bd39b 100644
--- a/api/config.json.production
+++ b/api/config.json.example
@@ -1,5 +1,6 @@
 {
-  "secret": "CHANGEME",
+  "cookieSecret": "CHANGEME!!!!!!!!!!!!!!!!!!!!!11",
+  "jwtSecret": "CHANGEME???????????????????////",
   "mail": {
     "from": "Sender Name <sender@example.com>",
     "smtp" : {
diff --git a/api/src/config.js b/api/src/config.js
index a82d2d3..c41431d 100644
--- a/api/src/config.js
+++ b/api/src/config.js
@@ -4,7 +4,8 @@ const Joi = require('joi');
 const configSchema = Joi.object()
   .required()
   .keys({
-    secret: Joi.string().min(16).max(128).required(),
+    jwtSecret: Joi.string().min(16).max(128).required(),
+    cookieSecret: Joi.string().min(16).max(128).required(),
 
     mail: Joi.alternatives().try(
       Joi.object({
diff --git a/api/src/index.js b/api/src/index.js
index 46f6ede..5d2b1ba 100644
--- a/api/src/index.js
+++ b/api/src/index.js
@@ -6,6 +6,7 @@ const cors = require('cors');
 const errorhandler = require('errorhandler');
 const passport = require('passport');
 
+const config = require('./config');
 require('./passport');
 
 const isProduction = process.env.NODE_ENV === 'production';
@@ -27,7 +28,7 @@ app.use(bodyParser.urlencoded({ limit: '50mb', extended: false }));
 app.use(require('method-override')());
 app.use(express.static(path.join(__dirname, 'public')));
 
-app.use(session({ secret: 'obsobs', cookie: { maxAge: 10 * 60 * 1000 }, resave: false, saveUninitialized: false }));
+app.use(session({ secret: config.cookieSecret, cookie: { maxAge: 10 * 60 * 1000 }, resave: false, saveUninitialized: false }));
 app.use(passport.initialize());
 app.use(passport.session());
 
diff --git a/api/src/models/User.js b/api/src/models/User.js
index 28ca006..91f9930 100644
--- a/api/src/models/User.js
+++ b/api/src/models/User.js
@@ -2,7 +2,6 @@ const mongoose = require('mongoose');
 const uniqueValidator = require('mongoose-unique-validator');
 const crypto = require('crypto');
 const jwt = require('jsonwebtoken');
-const secret = require('../config').secret;
 
 const schema = new mongoose.Schema(
   {
@@ -61,7 +60,7 @@ class User extends mongoose.Model {
         username: this.username,
         exp: parseInt(exp.getTime() / 1000),
       },
-      secret,
+      config.jwtSecret,
     );
   }
 
diff --git a/api/src/passport.js b/api/src/passport.js
index 0c21436..06e1fc2 100644
--- a/api/src/passport.js
+++ b/api/src/passport.js
@@ -6,7 +6,7 @@ const { Strategy: CustomStrategy } = require('passport-custom');
 
 const { User, AccessToken, RefreshToken } = require('./models');
 
-const secret = require('./config').secret;
+const config = require('./config');
 
 // used to serialize the user for the session
 passport.serializeUser(function (user, done) {
@@ -82,7 +82,7 @@ passport.use(
   'jwt',
   new JwtStrategy(
     {
-      secretOrKey: secret,
+      secretOrKey: config.jwtSecret,
       jwtFromRequest: getRequestToken,
       algorithms: ['HS256'],
     },