diff --git a/kibicara/config.py b/kibicara/config.py
index ae81933..47237c0 100644
--- a/kibicara/config.py
+++ b/kibicara/config.py
@@ -18,6 +18,8 @@ Example:
 """
 from argparse import ArgumentParser
+from nacl.secret import SecretBox
+from nacl.utils import random
 from pytoml import load
 from sys import argv
@@ -25,6 +27,7 @@ from sys import argv
 config = {
 'database_connection': 'sqlite:////tmp/kibicara.sqlite',
 'frontend_url': 'http://127.0.0.1:4200', # url of frontend, change in prod
+ 'secret': random(SecretBox.KEY_SIZE).hex(), # generate with: openssl rand -hex 32
 # production params
 'frontend_path': None, # required, path to frontend html/css/js files
 'production': True,
diff --git a/kibicara/webapi/admin.py b/kibicara/webapi/admin.py
index 7486449..8098fea 100644
--- a/kibicara/webapi/admin.py
+++ b/kibicara/webapi/admin.py
@@ -15,7 +15,6 @@ from logging import getLogger
 from nacl.encoding import URLSafeBase64Encoder
 from nacl.exceptions import CryptoError
 from nacl.secret import SecretBox
-from nacl.utils import random
 from passlib.hash import argon2
 from ormantic.exceptions import NoMatch
 from pickle import dumps, loads
@@ -38,7 +37,7 @@ class BodyAccessToken(BaseModel):
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl='/api/admin/login')
-secret_box = SecretBox(random(SecretBox.KEY_SIZE))
+secret_box = SecretBox(bytes.fromhex(config['secret']))
 def to_token(**kwargs):
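Review bot: The new `'secret'` default in `config` is regenerated on every start, so a deployment that never sets `secret` in its config file silently keeps the old behaviour: tokens stop verifying after a restart and, presumably, across separate worker processes. With `'production': True` as the default it would help to log a warning when the generated value is in use. The inline comment could also say what the value protects and how to store it, e.g. `# hex-encoded 32-byte SecretBox key used by kibicara/webapi/admin.py; set it in the config file and keep that file readable only by the service user`. The key is now a long-lived value inside `config`, so it should be kept out of any config dump or debug log. The dict literal continues past the end of the hunk.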
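Review bot: `SecretBox(bytes.fromhex(config['secret']))` runs at import time without validation, so a value that is not hex or does not decode to `SecretBox.KEY_SIZE` bytes surfaces as a bare exception during import instead of an error naming the `secret` setting; decoding inside a `try`/`except ValueError` that raises a message such as `'config "secret" must be 64 hex characters'` would make a misconfiguration obvious. It also only picks up the configured key if the config file has been merged into `config` before this module is imported, which the diff does not show and is worth confirming. Separately, the key is now persistent and stored on disk while this module imports `dumps, loads` from `pickle`; if token payloads are unpickled after decryption (the token functions lie outside the hunk), a leaked secret would let forged tokens reach `loads`, so a JSON payload would be the safer format.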