Can someone please explain the different “secrets”...
# orm-help
r
Can someone please explain the different “secrets” that can be set within a Prisma setup. I usually see 2 different ones in docs and examples: `PRISMA_MANAGEMENT_API_SECRET` and also an `APP_SECRET`. Which one should be used for which context? I’ve read the docs here (https://www.prisma.io/docs/run-prisma-server/authentication-and-security-kke4/), and think I understand the `PRISMA_MANAGEMENT_API_SECRET` bit, which locks down access to the Management API. Is `APP_SECRET` then used to lock down the public-facing API exposed by your server (i.e., graphql-yoga)?
d
I don’t know about the `APP_SECRET` (might be graphql-yoga-related or something else), but the secrets you can set on your Project type are the ones used for locking down the public-facing API.
And you got the management secret part right, that one is for locking down the Management API.
n
@Ramin B your understanding is correct! `APP_SECRET` is the secret that's used to authenticate the users of your application; in that sense it doesn't really have anything to do with Prisma but only with how you want to implement the authentication mechanism for your users.
r
thanks @nikolasburk.. so which secret should one pass in the `prisma.yml` file and also when instantiating the Prisma client? Would that be `PRISMA_MANAGEMENT_API_SECRET` or `APP_SECRET`?
n
The `secret` passed in `prisma.yml` is again another secret, called the "service secret". That's to protect the GraphQL API of your Prisma service. More info here: https://www.prisma.io/docs/prisma-graphql-api/reference/authentication-ghd4/
h
I seem to have some issues on auth when creating a brand-new service on a Heroku-hosted server; can you help, @nikolasburk? 🙂 https://github.com/prisma/prisma/issues/3502