We are all familiar with APP_KEY, which is set during the Laravel installation process. We know that it is used to protect sensitive data and sessions. Here we look at how it works and what its purpose is.

Taylor Otwell once tweeted that many of us believe it is for password hashing. In the same tweet he says “It is not. It has nothing to do with password hashing at all. It is only used for encryption”. All data you encrypt in your project is encrypted with APP_KEY. One thing to keep in mind is that encrypted data can be decrypted, but hashed data cannot.

As a best practice, store the key only in the .env file. Change it only when you suspect the key may have leaked, or when you want to log out all users and invalidate their cookies.
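The difference between encryption and hashing, and the effect of changing the key, as an added example that is not from the original post or from Laravel's code base. It is plain PHP (openssl and `password_hash`) used as a simplified stand-in for Laravel's encrypter; the function names are hypothetical and the two random keys stand in for an old and a rotated APP_KEY.

```php
<?php
// Simplified stand-in, not Laravel's Encrypter. All sample values are constructed.

function encryptWithKey(string $plain, string $key): string
{
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    // The MAC binds IV and ciphertext to the key so tampering is detected.
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $mac . $ct);
}

function decryptWithKey(string $payload, string $key): ?string
{
    $raw = base64_decode($payload, true);
    // 16-byte IV + 32-byte MAC + at least one 16-byte cipher block.
    if ($raw === false || strlen($raw) < 64) {
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, 16, 32);
    $ct  = substr($raw, 48);
    // Constant-time comparison; fails for a wrong key or a modified payload.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

$oldKey = random_bytes(32); // stands in for the current APP_KEY
$newKey = random_bytes(32); // stands in for the APP_KEY after rotation

// An encrypted cookie value and a password hash created before rotation.
$cookie       = encryptWithKey('session-id=constructed-example', $oldKey);
$passwordHash = password_hash('constructed-password', PASSWORD_BCRYPT);

// Encryption is reversible, but only with the key that produced the payload.
echo 'cookie with old key: ';
var_dump(decryptWithKey($cookie, $oldKey));
echo 'cookie with new key: ';
var_dump(decryptWithKey($cookie, $newKey));

// The password hash involves no application key, so rotation does not affect it.
echo 'password still verifies: ';
var_dump(password_verify('constructed-password', $passwordHash));
```

The cookie issued under the old key can no longer be read once the key changes, which is why rotation logs users out, while stored password hashes keep verifying.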