Skip to main content

Shared Secret File


Shared Secret File is the location of a file containing the base64-encoded, 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely.

How to configure

Config file keysEnvironment variablesTypeUsage
shared_secret_fileSHARED_SECRET_FILEstringrequired (unless using [shared_secret])

Pomerium Core configurations do not require a shared_secret or shared_secret_file. You only need to include a shared secret if you are running the Console.

If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret.

See the Enterprise Quickstart for an example implementation.


shared_secret_file points to a file containing the secret. This is useful when deploying in environments that provide secret management like Docker Swarm.

To generate a key, run the following command:

head -c32 /dev/urandom | base64

Place the value in your shared_secret_file:

shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET'

If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a secret mismatch.