diff --git a/rifaserver/app.py b/rifaserver/app.py
index 8d43ed3..ccad86a 100644
--- a/rifaserver/app.py
+++ b/rifaserver/app.py
@@ -1,8 +1,10 @@
 import functools
 import itertools
+import json
 import operator
 import os
 import random
+import secrets
 
 from flask import Flask, render_template, request, url_for, redirect, flash, session, make_response
 from flask.cli import with_appcontext
@@ -53,7 +55,21 @@ def create_app():
     app = Flask(__name__)
     app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///raffle.db'
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False  # optional, but can improve performance
-    app.config['SECRET_KEY'] = 'idm&#@$8*RSXZpc6Wvb4'
+    app.config.from_prefixed_env()
+    config_filename = os.path.join(app.instance_path, "config.json")
+    if os.path.isfile(config_filename):
+        app.config.from_file(config_filename, load=json.load)
+        with open(config_filename, 'r') as f:
+            _config = json.load(f)
+    else:
+        print(f"{config_filename} not found")
+        _config = {}
+    if app.config['SECRET_KEY'] is None:
+        app.config['SECRET_KEY'] = secrets.token_hex()
+        print(f"Using generated key {app.config['SECRET_KEY']}")
+        _config['SECRET_KEY'] = app.config['SECRET_KEY']
+        with open(config_filename, 'w') as f:
+            json.dump(_config, f)
     db.init_app(app)
 
     login_manager = LoginManager()