diff --git a/cmd/budgeteer/main.go b/cmd/budgeteer/main.go
index b78e28f..af132b3 100644
--- a/cmd/budgeteer/main.go
+++ b/cmd/budgeteer/main.go
@@ -30,8 +30,10 @@ func main() {
 }
 handler := &server.Handler{
- Service: queries,
- TokenVerifier: &jwt.TokenVerifier{},
+ Service: queries,
+ TokenVerifier: &jwt.TokenVerifier{
+ Secret: cfg.SessionSecret,
+ },
 CredentialsVerifier: &bcrypt.Verifier{},
 StaticFS: http.FS(static),
 }
diff --git a/config/config.go b/config/config.go
index 7c3e324..5e98f3e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -7,12 +7,14 @@ import (
 // Config contains all needed configurations.
 type Config struct {
 DatabaseConnection string
+ SessionSecret string
 }
 // LoadConfig from path.
 func LoadConfig() (*Config, error) {
 configuration := Config{
 DatabaseConnection: os.Getenv("BUDGETEER_DB"),
+ SessionSecret: os.Getenv("BUDGETEER_SESSION_SECRET"),
 }
 return &configuration, nil
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index f747b77..2d907be 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -17,6 +17,7 @@ services:
 - ~/.cache:/.cache
 environment:
 BUDGETEER_DB: postgres://budgeteer:budgeteer@db:5432/budgeteer
+ BUDGETEER_SESSION_SECRET: random string for JWT authorization
 depends_on:
 - db
diff --git a/jwt/login.go b/jwt/login.go
index 0494e44..bbb44c8 100644
--- a/jwt/login.go
+++ b/jwt/login.go
@@ -11,7 +11,9 @@ import (
 )
 // TokenVerifier verifies Tokens.
-type TokenVerifier struct{}
+type TokenVerifier struct {
+ Secret string
+}
 // Token contains everything to authenticate a user.
 type Token struct {
@@ -23,7 +25,6 @@ type Token struct {
 const (
 expiration = 72
- secret = "uditapbzuditagscwxuqdflgzpbu´ßiaefnlmzeßtrubiadern"
 )
 // CreateToken creates a new token from username and name.
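Review bot: `SessionSecret: os.Getenv("BUDGETEER_SESSION_SECRET")` accepts an unset or empty variable, and as far as the visible lines show nothing downstream rejects an empty key — neither `token.SignedString([]byte(tv.Secret))` in the CreateToken hunk nor the `return []byte(tv.Secret), nil` key callback in the VerifyToken hunk of jwt/login.go (whether the jwt library itself refuses an empty HMAC key is not visible here). A deployment that forgets the variable would therefore sign and verify sessions under an empty key, so LoadConfig should fail instead of returning the Config: `if configuration.SessionSecret == "" { return nil, errors.New("BUDGETEER_SESSION_SECRET is not set") }` placed before `return &configuration, nil` (this needs the `errors` package, whose import block sits above the hunk). LoadConfig's closing brace is outside the hunk. Since the removed `secret` constant remains in repository history, the value chosen for the new variable must not be derived from it.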
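Review bot: The value `random string for JWT authorization` on the added `BUDGETEER_SESSION_SECRET` line reads like a description but is the literal key the dev container will sign sessions with, and a fixed value committed to the repository is known to everyone who can read it. For a development-only file that may be acceptable, but `BUDGETEER_SESSION_SECRET: ${BUDGETEER_SESSION_SECRET:?set a session secret}` would make Compose substitute the operator's own value and refuse to start when it is unset, which also keeps the placeholder from being copied into a non-dev compose file. If the literal is kept on purpose, a `#` comment on the line saying it is a dev-only placeholder would make that intent explicit.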
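Review bot: The new exported field `Secret` on `TokenVerifier` has no doc comment, so its contract — the HMAC key shared by CreateToken and VerifyToken, which must be set before either is called — is only discoverable by reading the method bodies in the later hunks. Suggest `// Secret is the HMAC key used to sign and verify tokens; it must be set before use.` above the field, and the existing `// TokenVerifier verifies Tokens.` comment could add that the zero value is not usable. The hunk that deletes the `secret` constant below is a pure deletion and needs nothing further.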
@@ -36,7 +37,7 @@ func (tv *TokenVerifier) CreateToken(user *postgres.User) (string, error) {
 })
 // Generate encoded token and send it as response.
- t, err := token.SignedString([]byte(secret))
+ t, err := token.SignedString([]byte(tv.Secret))
 if err != nil {
 return "", fmt.Errorf("create token: %w", err)
 }
@@ -56,7 +57,7 @@ func (tv *TokenVerifier) VerifyToken(tokenString string) (budgeteer.Token, error
 if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 return nil, fmt.Errorf("method '%v': %w", token.Header["alg"], ErrUnexpectedSigningMethod)
 }
- return []byte(secret), nil
+ return []byte(tv.Secret), nil
 })
 if err != nil {
 return nil, fmt.Errorf("parse jwt: %w", err)
diff --git a/server/account_test.go b/server/account_test.go
index 742b314..fe79cba 100644
--- a/server/account_test.go
+++ b/server/account_test.go
@@ -27,8 +27,10 @@ func TestRegisterUser(t *testing.T) { //nolint:funlen
 }
 h := Handler{
- Service: database,
- TokenVerifier: &jwt.TokenVerifier{},
+ Service: database,
+ TokenVerifier: &jwt.TokenVerifier{
+ Secret: "this_is_my_demo_secret_for_unit_tests",
+ },
 CredentialsVerifier: &bcrypt.Verifier{},
 }
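Review bot: The account_test.go hunk wires a per-instance `Secret` into the handler's `TokenVerifier`, but no visible test exercises the property this commit introduces: that a token produced by CreateToken under one `Secret` is rejected by VerifyToken under a different one, and that a verifier with an empty `Secret` does not accept tokens. That test belongs next to the jwt package rather than in TestRegisterUser, along the lines of `tv := &jwt.TokenVerifier{Secret: "a"}` signing a token and `(&jwt.TokenVerifier{Secret: "b"}).VerifyToken(tok)` being required to return an error. TestRegisterUser's body begins and ends outside the hunk, so I cannot tell whether such a check already exists further down.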