Salt and secret key for security

Hi all.

When creating a Sync Gateway (SG) user via curl (just like the command below), SG automatically hashes (bcrypts) the password.

curl -X PUT 'domain-here.com:4985/sync_gateway/_user/usernameHere' -d '{"name": "usernameHere", "password": "pwHere", "admin_channels": ["channelNameHere"]}'

I noticed that the same password produced different hashes. My question is, does this mean that we don't need to add a salt since SG is already doing this? Does SG also take care of adding a secret key?

Thanks in advance!

That’s correct - Sync Gateway manages the bcrypt encoding of the password. There’s no additional configuration required for consumers.

Sync Gateway uses the standard Go bcrypt library (https://godoc.org/golang.org/x/crypto/bcrypt), which generates its own random salt.


Thank you for responding. What about the secret key? Does Sync Gateway also handle it? If not, how can we add a secret key? Is it via the SG config file?

Thanks.

There’s no secret key needed. You don’t need to configure anything; it’s secure by default.

Ok. This also answers my questions. Thanks.