The salt is a second secret key, but it is per-token rather than system-wide, and it is just to add a bit more randomization, so it can be simple. I usually just use something related to the use, so when I stuff in the :account_id I will usually just make it "account_id_salt" or something. ^.^
If you are really paranoid then you could store it in the database or so…
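
Added example, not from the original post or from any library it refers to: a Python signer in which the salt and a system-wide secret together derive the signing key, so a token signed under "account_id_salt" does not verify under a different salt. The PBKDF2/HMAC construction, `SECRET_KEY_BASE`, `sign`, `verify` and the "password_reset_salt" name are assumptions made for illustration; the post does not name its token scheme.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the system-wide secret (assumption, demo value only).
SECRET_KEY_BASE = b"constructed-demo-secret-not-for-production"


def derive_key(salt: str) -> bytes:
    # Assumption: the salt selects a per-purpose key derived from the system secret.
    return hashlib.pbkdf2_hmac("sha256", SECRET_KEY_BASE, salt.encode(), 1000, 32)


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(salt: str, data) -> str:
    """Serialize data and append an HMAC computed with the salt-derived key."""
    payload = b64(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(derive_key(salt), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64(mac)}"


def verify(salt: str, token: str):
    """Return the signed data, or None if the token does not verify under this salt."""
    try:
        payload, mac_b64 = token.split(".")
        mac = unb64(mac_b64)
    except (ValueError, TypeError):  # malformed token
        return None
    expected = hmac.new(derive_key(salt), payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison; the payload is decoded only after the MAC checks out.
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(unb64(payload))


if __name__ == "__main__":
    token = sign("account_id_salt", {"account_id": 42})
    print(verify("account_id_salt", token))      # same salt: data comes back
    print(verify("password_reset_salt", token))  # other purpose: rejected
```
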