diff --git a/agent_chat/app.py b/agent_chat/app.py
index a6d1344b2..47952e4e6 100644
--- a/agent_chat/app.py
+++ b/agent_chat/app.py
@@ -77,7 +77,8 @@ logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
 
 app = Flask(__name__)
-app.config['SECRET_KEY'] = 'rpa-vision-v3-secret'
+import secrets as _secrets
+app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', _secrets.token_hex(32))
 socketio = SocketIO(app, cors_allowed_origins="*")
 
 # Global state
diff --git a/visual_workflow_builder/backend/app.py b/visual_workflow_builder/backend/app.py
index e819151b2..c931097ec 100644
--- a/visual_workflow_builder/backend/app.py
+++ b/visual_workflow_builder/backend/app.py
@@ -42,7 +42,8 @@ logging.getLogger().addHandler(_file_handler)
 logging.getLogger().setLevel(logging.INFO)
 
 # Configuration
-app.config['SECRET_KEY'] = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
+import secrets as _secrets
+app.config['SECRET_KEY'] = os.getenv('SECRET_KEY', _secrets.token_hex(32))
 app.config['SQLALCHEMY_DATABASE_URI'] = os.getenv('DATABASE_URL', 'sqlite:///vwb_v3.db')
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024  # 10MB max upload