Load jwt_key from config

config_full.json.example

@@ -120,6 +120,7 @@
         "enabled": false,
         "listen_ip_address": "127.0.0.1",
         "listen_port": 8080,
+        "jwt_secret_key": "somethingrandom",
         "username": "freqtrader",
         "password": "SuperSecurePassword"
     },

docs/rest-api.md

@@ -11,6 +11,7 @@ Sample configuration:
         "enabled": true,
         "listen_ip_address": "127.0.0.1",
         "listen_port": 8080,
+        "jwt_secret_key": "somethingrandom",
         "username": "Freqtrader",
         "password": "SuperSecret1!"
     },
@@ -29,7 +30,7 @@ This should return the response:
 {"status":"pong"}
 ```
 
-All other endpoints return sensitive info and require authentication, so are not available through a web browser.
+All other endpoints return sensitive info and require authentication and are therefore not available through a web browser.
 
 To generate a secure password, either use a password manager, or use the below code snipped.
 
@@ -38,6 +39,9 @@ import secrets
 secrets.token_hex()
 ```
 
+!!! Hint
+    Use the same method to also generate a JWT secret key (`jwt_secret_key`).
+
 ### Configuration with docker
 
 If you run your bot using docker, you'll need to have the bot listen to incomming connections. The security is then handled by docker.

freqtrade/rpc/api_server.py

@@ -91,7 +91,8 @@ class ApiServer(RPC):
         self.app = Flask(__name__)
 
         # Setup the Flask-JWT-Extended extension
-        self.app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
+        self.app.config['JWT_SECRET_KEY'] = self._config['api_server'].get(
+            'jwt_secret_key', 'super-secret')
 
         self.jwt = JWTManager(self.app)
         self.app.json_encoder = ArrowJSONEncoder