diff --git a/README.md b/README.md
index b1a99ab42..c9a4271db 100644
--- a/README.md
+++ b/README.md
@@ -26,5 +26,6 @@ There are a number of configuration details defined in environment variables. Th
 
 - **BUSLOC_URL**: Source of GTFS-realtime enhanced data file
 - **SWIFTLY_REALTIME_VEHICLES_URL** and **SWIFTLY_AUTHORIZATION_KEY**: Source of Swiftly vehicle data
+- **SECRET_KEY_BASE** Used for writing encrypted cookies. Generate a value using `mix phx.gen.secret` (only required in production)
 - **COGNITO_DOMAIN**, **COGNITO_CLIENT_ID**, **COGNITO_CLIENT_SECRET**, **COGNITO_USER_POOL_ID**, **COGNITO_AWS_REGION**, and **GUARDIAN_SECRET_KEY**: Authentication/authorization details (only required in production)
 - **STATIC_SCHEME**, **STATIC_HOST**, **STATIC_PATH**, and **STATIC_PORT**: CDN details (only required in production)
diff --git a/config/config.exs b/config/config.exs
index 59476e10f..cdef339bd 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -26,7 +26,6 @@ config :skate, :redirect_http?, false
 # Configures the endpoint
 config :skate, SkateWeb.Endpoint,
   url: [host: "localhost"],
-  secret_key_base: "HjFPO4gzlDmAuvgXBMSd4MIFGLhvKHYfXpNkIoXRM5LMGxQhjYW0NQVdP2QFgZND",
   render_errors: [view: SkateWeb.ErrorView, accepts: ~w(html json)],
   pubsub: [name: Skate.PubSub, adapter: Phoenix.PubSub.PG2]
 
diff --git a/config/dev.exs b/config/dev.exs
index 154b607fa..a4dab174c 100644
--- a/config/dev.exs
+++ b/config/dev.exs
@@ -17,6 +17,7 @@ config :skate, SkateWeb.Endpoint,
   debug_errors: true,
   code_reloader: true,
   check_origin: false,
+  secret_key_base: "local_secret_key_base_at_least_64_bytes_________________________________",
   watchers: [
     node: [
       "node_modules/webpack/bin/webpack.js",
diff --git a/config/test.exs b/config/test.exs
index 1705d822a..c214c4e13 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -9,7 +9,8 @@ config :skate, Gtfs.CacheFile, cache_filename: "test_cache.terms"
 # you can enable the server option below.
 config :skate, SkateWeb.Endpoint,
   http: [port: 4002],
-  server: false
+  server: false,
+  secret_key_base: "local_secret_key_base_at_least_64_bytes_________________________________"
 
 config :skate, SkateWeb.AuthManager, secret_key: "dev key"
 
diff --git a/lib/skate_web/endpoint.ex b/lib/skate_web/endpoint.ex
index 1e0d21c9c..735ce863f 100644
--- a/lib/skate_web/endpoint.ex
+++ b/lib/skate_web/endpoint.ex
@@ -43,4 +43,19 @@ defmodule SkateWeb.Endpoint do
     signing_salt: "jkUgGkwy"
 
   plug SkateWeb.Router
+
+  # callback for runtime configuration
+  def init(:supervisor, config) do
+    secret_key_base = System.get_env("SECRET_KEY_BASE")
+
+    config =
+      if secret_key_base do
+        Keyword.put(config, :secret_key_base, secret_key_base)
+      else
+        config[:secret_key_base] || raise "No SECRET_KEY_BASE ENV var!"
+        config
+      end
+
+    {:ok, config}
+  end
 end