What is SECRET_KEY for and why is it empty?

I have set up a gitea instance using docker-rootless, and I can see in the config that SECRET_KEY is empty. I thought it would have been generated automatically. Is it OK to be empty? What does it actually encrypt, and is encryption on by default?
Does it mean the secret key is not used if app.ini shows an empty string? Is this a valid use case, or do I always have to set it to something?

Same question about INTERNAL_TOKEN. This field has a value. Do I need to save this somewhere? If I delete the config file (which is mounted to the docker container) and restart the docker image, will I lose this token? Where is the token used (e.g. what should I expect not to work if this token is lost)?


If SECRET_KEY is empty, it will be the default value. Much data is encrypted before being stored in the database.
INTERNAL_TOKEN will be generated when empty. It will be used between the gitea sub-command and the gitea web internal APIs. It could be changed with no effect.

Thank you for the information! Is the default value for SECRET_KEY a randomly generated string? Where is it stored please? Looks like deleting app.ini and re-creating it with the same settings (no secret_key specified, and doing docker restart) is working.

The default value of SECRET_KEY is a fixed value hard-coded in the source.

Thank you, that is great to know!
It explains why it has been working so far!
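
A check for the situation discussed in this thread, as an added example that is not part of the original posts or Gitea's own code: it reads an app.ini and reports whether SECRET_KEY and INTERNAL_TOKEN are set, so an instance running on the hard-coded default key is noticed. It assumes both keys live under `[security]` and treats Gitea's documented `SECRET_KEY_URI` / `INTERNAL_TOKEN_URI` options as an alternative way of setting them; the sample file is constructed.

```python
# Added example: audit the [security] section of a Gitea app.ini.
SAMPLE_APP_INI = """\
APP_NAME = Gitea
RUN_MODE = prod

[server]
DOMAIN = git.example.test

[security]
INSTALL_LOCK = true
SECRET_KEY =
INTERNAL_TOKEN = constructed-sample-token
"""  # constructed sample, not a real configuration


def parse_ini(text):
    """Return {section: {key: value}}; keys before any header go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"`')
    return sections


def audit_security(text):
    """Report, per secret, whether it is set inline, set via *_URI, or empty."""
    sec = parse_ini(text).get("security", {})
    report = {}
    for name in ("SECRET_KEY", "INTERNAL_TOKEN"):
        if sec.get(name):
            report[name] = "set"
        elif sec.get(name + "_URI"):         # secret kept in a separate file
            report[name] = "set-by-uri"
        else:
            # Per the replies above: an empty SECRET_KEY means the hard-coded
            # default is used; an empty INTERNAL_TOKEN is generated by Gitea.
            report[name] = "empty"
    return report


if __name__ == "__main__":
    for name, state in audit_security(SAMPLE_APP_INI).items():
        print(f"{name}: {state}")
```

A random value for an empty field can be produced with `gitea generate secret SECRET_KEY`. Data already encrypted under the previous key cannot be decrypted with a new one, so set the key before the instance stores such data.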