# Encryption key (auth\_key)

To secure the authentication process, the data exchanged between the **APP** and the **PKSA** is encrypted with an encryption key (`auth_key`). Because the **HAS** never holds this key, it cannot read what the **APP** and the **PKSA** exchange and cannot tamper with the authentication process; it only relays opaque payloads.

Before initiating the authentication process, the **APP** must create an `auth_key` for each account it manages.

The `auth_key` can be any **string**. However, we recommend generating a fresh random [uuid](https://en.wikipedia.org/wiki/Universally_unique_identifier) (UUID v4, from a cryptographically secure random source) each time you create a new `auth_key`: a key that an attacker could guess or predict gives no protection.

{% hint style="info" %}
This `auth_key` should be stored by the **APP** if it plans to perform transactions later.
{% endhint %}

{% hint style="info" %}
Each account managed by the APP should use a different `auth_key`.
{% endhint %}

{% hint style="info" %}
The **APP** should create a **new** `auth_key` **each time it authenticates an account** and must never reuse a previous one for another authentication.
{% endhint %}

For the **PKSA** to be able to decrypt the payload sent to it by the **APP**, the **APP** must first share the `auth_key` with the **PKSA**. This can be done in two ways:

1. by embedding it in a QR code that the **PKSA** mobile app scans
2. by encrypting it and embedding it in the `auth_req` authentication payload, when you run your own **PKSA** in [Service Mode](https://docs.hiveauth.com/tutorials/pksa-code-example/service-mode)
