This repository was archived by the owner on Jul 6, 2022. It is now read-only.
Merged
6 changes: 6 additions & 0 deletions docs/configuration/options.md
Expand Up @@ -70,6 +70,12 @@ A random string used to hash tokens, sign/encrypt cookies and generate cryptogra

If not specified, it uses a hash for all configuration options, including OAuth Client ID / Secrets for entropy. Although if the user does not use such a provider, the configuration might be guessed.

You can quickly create a valid secret on the command line via this `openssl` command.

```bash
$ openssl rand -base64 32
```

:::warning
The default behaviour is volatile, and it is strongly recommended you explicitly specify a value. If `secret` is omitted in production, we will throw an error.
:::
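Review bot: The `$ ` prompt inside the added `bash` fence (`$ openssl rand -base64 32`) is copied along with the command when a reader copies the block, so the paste fails in a shell; drop the prompt and keep only `openssl rand -base64 32`. The added paragraph also does not say where the generated value should go. One sentence tying it to the `secret` option, and advising that the value be kept out of source control, would close that gap.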
2 changes: 2 additions & 0 deletions docs/faq.md
Expand Up @@ -218,6 +218,8 @@ You can then look them up from the database or persist them to the JSON Web Toke

Note: NextAuth.js does not currently handle Access Token rotation for OAuth providers for you, however you can check out [this tutorial](/tutorials/refresh-token-rotation) if you want to implement it.

We also have an [example repository](https://github.com/nextauthjs/next-auth-refresh-token-example) / project based upon NextAuth.js v4 where we demonstrate how to use a refresh token to refresh the provided access token.

</p>
</details>
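Review bot: In the added sentence, "[example repository](...) / project based upon NextAuth.js v4" reads awkwardly, and the slash leaves it unclear whether one thing or two is being linked. Something like "We also have an example repository based on NextAuth.js v4 that demonstrates how to use a refresh token to refresh the access token" says the same with less noise. Since the preceding "Note:" already links the tutorial, consider folding both links into that note so the two references sit together.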

24 changes: 22 additions & 2 deletions docs/getting-started/upgrade-to-v4.md
Expand Up @@ -385,13 +385,33 @@ For more info, see the [Models page](/adapters/models).

NextAuth.js used to generate a secret for convenience, when the user did not define one. This might have been useful in development, but can be a concern in production. We have always been clear about that in the docs, but from now on, if you forget to define a `secret` property in production, we will show the user an error page. Read more about this option [here](https://next-auth.js.org/configuration/options#secret)

You can generate a secret to be placed in the `secret` configuration option via the following command:

```bash
$ openssl rand -base64 32
```

Therefore, you're NextAuth.js config should look something like this:

```javascript title="/pages/api/auth/[...nextauth].js"
...
export default NextAuth({
...
providers: [...],
secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg=",
...
})
```

Introduced in https://github.com/nextauthjs/next-auth/issues/3143

## Session `strategy`

We have always supported two different session strategies. The more popular (and our default) JWT based, and a Database persisted session. Both have their advantages/disadvantages, you can learn more about the in the [FAQ](https://next-auth.js.org/faq) page.
We have always supported two different session strategies. The first being our most popular and default strategy - the JWT based one. The second is the database adapter persisted session strategy. Both have their advantages/disadvantages, you can learn more about them on the [FAQ](https://next-auth.js.org/faq) page.

Previously, the way you configured this was through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might have been a bit overused in the options, and so for a clearer message, we renamed this option to `strategy: "jwt" | "database"`, it is still in the `session` object. This will hopefully better indicate the purpose of this option as well as make very explicit which type of session you are going to use.

The way you configured this has been through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might be a bit overused in the options, and so for a clearer message, we renamed that option to `strategy: "jwt" | "database"`. This will hopefully better indicate the type of session you are going to use. See the [`session` option docs](https://next-auth.js.org/configuration/options#session) for more details.
See the [`session` option docs](https://next-auth.js.org/configuration/options#session) for more details.

Introduced in https://github.com/nextauthjs/next-auth/pull/3144
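Review bot: The example config hard-codes a real-looking value, `secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg="`, which readers are likely to paste verbatim, leaving their deployment signing cookies and tokens with a publicly documented secret; replace it with an obvious placeholder or show the value being read from an environment variable. In the sentence introducing that block, "you're NextAuth.js config" should be "your", and "Therefore" does not follow from the command above it. The `$ ` prompt in the `openssl` fence will be copied with the command and should be dropped. Under "Session `strategy`", "renamed this option to `strategy: "jwt" | "database"`, it is still in the `session` object" is a comma splice; split it into two sentences.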

2 changes: 1 addition & 1 deletion docs/tutorials/refresh-token-rotation.md
Expand Up @@ -7,7 +7,7 @@ While NextAuth.js doesn't automatically handle access token rotation for OAuth p

## Source Code

_A working example can be accessed [here](https://github.com/lawrencecchen/next-auth-refresh-tokens)._
A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).

## Implementation
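Review bot: The link text "here" in the replaced "Source Code" line says nothing about the target; use descriptive text such as "example repository", which is also how docs/faq.md refers to the same URL in this change. Dropping the italics is fine.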
