Hi, I'm confused about how to set up an APP_KEY with Laravel Forge. I have an APP_KEY in my local .env file, but since that is ignored by git, I'm wondering if I need to add it to my environment variables in Forge, or is it somehow created for me automatically? In the docs under 'Configuration' it talks about setting up the application key but I see nothing there about how to do it for the production environment. I'm guessing the php artisan key:generate command wouldn't work for the production environment because I'm not aware of having a .env file on my production environment.
Please, am I supposed to just make up a 32 character APP_KEY myself and add it to my environment variables in Forge, and does it have to be the same as the APP_KEY in my local .env file? Or do I not need to set it for my production environment at all if it is in my local .env file?
You generate it by using artisan if you want. I also use this site to generate keys (CodeIgniter Encryption Keys) http://randomkeygen.com since it's pretty much the same thing.
I've just had a quick experiment on Forge and found this works:
Create an environment variable APP_KEY using the Environment Tab, set the value to a dummy string. This will create a .env file in your project root with an APP_KEY entry.
Log in via ssh and use php artisan key:generate. This will then set the APP_KEY value to a new random string. This forms the basis of any encrypted hashes you make, so beware if you change it, you won't be able to decrypt anything. So it's best to do this process at the start of a new project before any passwords get written to the database.
Note: if you do php artisan key:generate without a .env file with an APP_KEY entry, nothing happens, even though you get a success message. Doing the above process worked on my Laravel 5 project just now.
@craigwebster Thought it puts them into fastcgi_param vars?
Create an environment variable APP_KEY using the Environment Tab, set the value to a dummy string. This will create a .env file in your project root with an APP_KEY entry.
Forge says: "All variables will be available via the getenv PHP function, and will also be added as fastcgi_param directives to your site's Nginx configuration."
All my environment variables are present in a .env file in my project root. I don't know where the fastcgi_param are stored, but if I change a variable in Forge, then the corresponding value changes in my .env file.
Thanks @bashy and @craigwebster! :) Hmm so I'm wondering, if it's important to set an APP_KEY*, why the docs don't mention how to do it for the production environment? Reading the docs, it sounds like as long as I've installed Laravel via Composer I have my APP_KEY set automatically and no more needs to be done. And I'm not even sure of the point of having the APP_KEY set for the local environment. Or why in the video on environment variables, Jeffrey doesn't mention anything about adding an APP_KEY environment variable in Forge? I thought if it was important he would have added it.
So to summarize, I feel like if I just followed the docs and Jeffrey's video, I would have my APP_KEY set in my local .env file but not anywhere on production, and apparently that would mean my user sessions and other encrypted data won't be secure.
*According to the docs, 'If the application key is not set, your user sessions and other encrypted data will not be secure!'
APP_KEY is basically the string it uses to encrypt/decrypt data. If someone has that key, they can decrypt data on your app.
You can set PHP environment variables via Apache (SetEnv) or PHP fastcgi_param for Nginx. Forge should add them to the PHP environment but it depends which version you're using I think L4/5. All the .env file does is set them in runtime into PHP.
http://php.net/manual/en/reserved.variables.environment.php
Maybe it's done automatically on Forge, not sure...never used it.
So if APP_KEY is the string it uses to encrypt data, and I've been using my production app without an APP_KEY, how is it that the passwords in my users table are still being encrypted?
It is a bit confusing! The idea of having your .env ignored is so that this doesn't end up in the public domain on GitHub with your keys visible. So in production we need to create a .env for our production server. On Forge, it makes sense to use the Environment tab to set the keys, as that makes a nice way to make a change in the future, rather than logging in via ssh and editing the file manually using nano or vim. On my project, I set the various variables using Forge including the app_key with a dummy string, then ran php artisan key:generate via ssh, which set a new random string in the .env file.
There may be a more elegant way of doing it, but that's what I did, and it works.
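Added example, not part of any post in this thread: a shell check to run on the server after the procedure described above (dummy APP_KEY set in Forge, then php artisan key:generate over ssh), which catches the failure mode reported in the thread where the command reports success but the .env file is unchanged. The function name check_app_key and its verdict strings are hypothetical, and the base64: branch assumes the key format of later Laravel releases, which the thread does not mention.

```shell
#!/bin/sh
# Added example: confirm that APP_KEY in a .env file is a generated key.
# Usage: check_app_key ENV_FILE DUMMY_VALUE
# Prints a one-word verdict and returns 0 only when the key looks generated.
check_app_key() {
    env_file=$1
    dummy=$2

    [ -f "$env_file" ] || { echo "no-env-file"; return 1; }

    # Per the thread, key:generate changes nothing when this entry is absent.
    grep -q '^APP_KEY=' "$env_file" || { echo "no-entry"; return 1; }

    # Value of the first APP_KEY= line, with CR and double quotes removed.
    key=$(sed -n 's/^APP_KEY=//p' "$env_file" | head -n 1 | tr -d '\r"')

    [ -n "$key" ] || { echo "empty"; return 1; }
    [ "$key" != "$dummy" ] || { echo "still-dummy"; return 1; }

    case $key in
        base64:*)
            # Assumption: later Laravel releases store base64 of 16 or 32 bytes.
            len=$(printf '%s' "${key#base64:}" | base64 -d 2>/dev/null | wc -c)
            len=$((len))
            { [ "$len" -eq 16 ] || [ "$len" -eq 32 ]; } || { echo "bad-length"; return 1; }
            ;;
        *)
            # The thread's Laravel 5 project uses a 32-character string.
            [ "${#key}" -eq 32 ] || { echo "bad-length"; return 1; }
            ;;
    esac

    # The key itself is never printed, so the verdict is safe to log.
    echo "ok"
}

# Constructed sample: the state right after the Forge Environment tab step.
demo=$(mktemp -d)
printf 'APP_ENV=production\nAPP_KEY=changeme\n' > "$demo/.env"
check_app_key "$demo/.env" changeme || echo "key:generate has not replaced the dummy yet"
rm -rf "$demo"
```

On a real server the call would be `check_app_key /path/to/project/.env <the dummy you typed into Forge>`, where the path is a placeholder for your own project root.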