Phoenix Token for API-auth, salt per user or per app?

So the Phoenix Token docs specify that we must supply a salt whenever we sign and verify.

I want to use the token as a bearer token to do API authentication in order to identify the user. Is that salt specific per user (stored in the database), or is it a single secret string for everyone (app-wide)?

  • If it is per user, then I need to supply the user id in the API request in order to look up that specific user’s salt in the database, which doesn’t make sense.
  • If it is an app-wide secret string, then wouldn’t it (the salt) become redundant, as we already have the :secret_key_base in config? If it is app-wide then it is not a salt but more like a pepper. CMIIW.

I think the intention is to use it app-wide, and it can be hard-coded. Referring to my old thread about Phoenix.Token, José said it’s semantically closer to a “namespace” than to a “salt”.
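As an added illustration (not code from this thread or from Phoenix itself) of what the “namespace” reading means in practice: the salt is a fixed, app-wide string baked into the code, the per-deployment secret still comes from `:secret_key_base`, and a token minted under one salt cannot be verified under another, so a bearer token for the API cannot be replayed in a different context (say, a password-reset flow) that happens to share the same secret. The module name `MyAppWeb.ApiAuth`, the plug, the salt strings and the `key_base` stand-in are all assumptions made for this example; `Phoenix.Token.sign/4` and `Phoenix.Token.verify/4` are the real API, and a string context is accepted in place of the endpoint so the snippet can be tried in IEx without an application.

```elixir
defmodule MyAppWeb.ApiAuth do
  # Hypothetical helper module: one app-wide salt per *purpose*. It is not a
  # secret and it is not per user; it only namespaces tokens so that a token
  # issued for API auth is rejected everywhere else. The actual secret is the
  # endpoint's :secret_key_base, which Phoenix.Token derives the signing key from.
  @api_salt "api bearer auth"
  @max_age 24 * 60 * 60 # seconds; verify/4 rejects tokens older than this

  # Issue a bearer token carrying only the user id (the payload is signed,
  # not encrypted, so never put anything sensitive in it).
  def issue(context, user_id) do
    Phoenix.Token.sign(context, @api_salt, user_id)
  end

  # Verify a bearer token. Returns {:ok, user_id}, {:error, :invalid},
  # {:error, :expired} or {:error, :missing}.
  def verify(context, token) do
    Phoenix.Token.verify(context, @api_salt, token, max_age: @max_age)
  end

  # --- Plug that authenticates "Authorization: Bearer <token>" ---------------
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user_id} <- verify(conn, token) do
      assign(conn, :current_user_id, user_id)
    else
      # Covers a missing/malformed header as well as :invalid/:expired tokens.
      _ ->
        conn
        |> send_resp(401, "unauthorized")
        |> halt()
    end
  end
end

# Stand-alone demonstration (e.g. in `iex -S mix` inside any Phoenix project).
# Constructed stand-in for :secret_key_base; Phoenix.Token requires a key base
# of at least 20 bytes, so a 64-byte string is used here.
key_base = String.duplicate("k", 64)

token = MyAppWeb.ApiAuth.issue(key_base, 42)

# Same secret, same salt: the user id round-trips.
{:ok, 42} = MyAppWeb.ApiAuth.verify(key_base, token)

# Same secret, different salt (a different "namespace"): signature check fails.
{:error, :invalid} =
  Phoenix.Token.verify(key_base, "password reset", token, max_age: 86_400)

# Same salt, different secret (another deployment): also rejected.
{:error, :invalid} =
  Phoenix.Token.verify(String.duplicate("z", 64), "api bearer auth", token, max_age: 86_400)

# Replaying a token past its max_age is rejected as expired rather than invalid.
{:error, :expired} =
  Phoenix.Token.verify(key_base, "api bearer auth", token, max_age: -1)

IO.puts("Phoenix.Token salt behaves as a namespace; all checks passed")
```

In a real endpoint you would pass the endpoint module (or the `conn`) as the context instead of the raw key base, and keep one distinct salt constant per token purpose. Note that `max_age` is the only thing stopping a stolen token from being used indefinitely: Phoenix.Token has no revocation, so if you need to invalidate individual users’ tokens you must keep that state server-side rather than expecting the salt to provide it.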


Many thanks for the answer.