What APP_KEY does in Laravel
It's the symmetric key behind Laravel's Crypt facade (both the AES encryption and the HMAC that authenticates each payload) and, through it, behind:
- Encrypted cookies, including the session cookie
- Signed URLs (URL::signedRoute()): the signature is an HMAC keyed with APP_KEY
- Encrypted Eloquent attributes ($casts = ['column' => 'encrypted'])
- Password reset tokens (indirectly): the raw token is derived with an HMAC keyed by APP_KEY before it is hashed for storage
If your .env ships without APP_KEY, the first request fails with "No application encryption key has been specified." That's Laravel refusing to run without a key rather than a warning you can defer. Generate a distinct key per environment and never commit a real one to source control.
Format details
php artisan key:generate writes (or, with --show, only prints) base64: followed by 44 base64 characters, which encode 32 random bytes. The base64: prefix tells Laravel to decode the string and use the raw bytes as the key. Without the prefix, Laravel uses the literal string as the key bytes. Either way the length must match the configured cipher (app.cipher): 16 bytes for AES-128-CBC, 32 bytes for the default AES-256-CBC. Anything else throws "Unsupported cipher or incorrect key length" when the Encrypter is built.
Rotation
Laravel 11+ supports key rotation via APP_PREVIOUS_KEYS. Set the new key in APP_KEY and the old one in APP_PREVIOUS_KEYS (comma-separated for multiple). Previous keys are consulted only when decrypting: existing ciphertext and already-issued session cookies keep working, so users stay logged in, while every new write uses the new key. Nothing at rest is re-encrypted for you. Before you drop the old key from APP_PREVIOUS_KEYS, re-encrypt whatever was stored under it (for example by re-saving models with encrypted casts); anything still encrypted with a dropped key becomes unreadable. On versions before 11, changing APP_KEY invalidates every session and every stored ciphertext at once.
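The following is an added example, not code from Laravel or from this page, that walks through both the format rules above and the rotation flow: it generates keys in the key:generate format, parses them the way Laravel's base64: handling does (enforcing the cipher's key length), and decrypts a payload by trying the current key first and then each previous key. The payload layout (base64 JSON of iv, value and mac, AES-256-CBC plus HMAC-SHA256 over base64(iv) . base64(ciphertext)) mirrors what Crypt::encryptString() produces, but the PHP serialisation step and the GCM tag field are omitted, and the function names, constants and messages are this example's own.

```php
<?php
// Added example (not Laravel's own Encrypter): shows how APP_KEY is parsed and
// how APP_PREVIOUS_KEYS keeps old ciphertext readable after a rotation.
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';
const KEY_LENGTHS = ['aes-128-cbc' => 16, 'aes-256-cbc' => 32];

// Produce a key in the same shape php artisan key:generate emits.
function generateAppKey(): string
{
    return 'base64:' . base64_encode(random_bytes(KEY_LENGTHS[CIPHER]));
}

// Strip the base64: prefix and decode; otherwise the literal string is the key.
// Then enforce the key size the configured cipher requires.
function parseAppKey(string $key, string $cipher = CIPHER): string
{
    if (str_starts_with($key, 'base64:')) {
        $decoded = base64_decode(substr($key, 7), true);
        if ($decoded === false) {
            throw new RuntimeException('APP_KEY is not valid base64.');
        }
        $key = $decoded;
    }
    if (strlen($key) !== KEY_LENGTHS[$cipher]) {
        throw new RuntimeException(sprintf(
            'Incorrect key length: %s needs %d bytes, got %d.',
            $cipher, KEY_LENGTHS[$cipher], strlen($key)
        ));
    }
    return $key;
}

// Encrypt-then-MAC with one raw key (options=0 makes openssl return base64).
function encryptWith(string $key, string $plaintext): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv);
    $ivB64 = base64_encode($iv);
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

// Try the current key, then each previous key (APP_KEY, then APP_PREVIOUS_KEYS).
// The MAC is verified before any decryption attempt with that key.
function decryptWithRotation(string $payload, string $currentKey, array $previousKeys): string
{
    $data = json_decode(base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])
        || !is_string($data['iv']) || !is_string($data['value']) || !is_string($data['mac'])) {
        throw new RuntimeException('Malformed payload.');
    }
    foreach ([$currentKey, ...$previousKeys] as $key) {
        $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
        if (!hash_equals($expected, $data['mac'])) {
            continue; // not this key; never decrypt under an unverified MAC
        }
        $plain = openssl_decrypt($data['value'], CIPHER, $key, 0, base64_decode($data['iv']));
        if ($plain !== false) {
            return $plain;
        }
    }
    throw new RuntimeException('No configured key can decrypt this payload.');
}

// Walk through a rotation: $oldEnv was APP_KEY, $newEnv replaces it.
$oldEnv = generateAppKey();
$newEnv = generateAppKey();
$old = parseAppKey($oldEnv);
$new = parseAppKey($newEnv);

$legacy = encryptWith($old, 'encrypted before rotation');
$fresh  = encryptWith($new, 'encrypted after rotation');

// With the old key listed as a previous key, both payloads decrypt.
echo decryptWithRotation($legacy, $new, [$old]), PHP_EOL;
echo decryptWithRotation($fresh, $new, [$old]), PHP_EOL;

// Drop the old key without re-encrypting and the legacy payload is lost.
try {
    decryptWithRotation($legacy, $new, []);
} catch (RuntimeException $e) {
    echo 'After dropping the old key: ', $e->getMessage(), PHP_EOL;
}

// A key without the base64: prefix is taken literally and length-checked.
try {
    parseAppKey('too-short');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In a real rotation the two env values are what you would put in APP_KEY and APP_PREVIOUS_KEYS respectively; the last block is the failure mode the rotation section warns about, which is why stored ciphertext has to be re-encrypted under the new key before the old one is removed.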
Privacy
Keys are generated in your browser via crypto.getRandomValues(). The page makes no network calls; verify in DevTools → Network. Treat any key on screen as live: don't paste it into a chat, a ticket or a shared document, and don't include it in a screenshot.