diff --git a/lib/session.ts b/lib/session.ts
index bf8bcf3..cbff36c 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -4,11 +4,11 @@ import { SignJWT, jwtVerify } from 'jose';
 const SESSION_COOKIE_NAME = 'logbuch_session';
 const SESSION_DURATION = 60 * 60 * 1000;
-const secretKey = process.env.AUTH_SECRET;
-if (!secretKey) {
- throw new Error('AUTH_SECRET Umgebungsvariable ist nicht gesetzt!');
+function getKey(): Uint8Array {
+ const secretKey = process.env.AUTH_SECRET;
+ if (!secretKey) throw new Error('AUTH_SECRET Umgebungsvariable ist nicht gesetzt!');
+ return new TextEncoder().encode(secretKey);
 }
-const key = new TextEncoder().encode(secretKey);
 export interface SessionData {
 kuerzel: string;
@@ -25,12 +25,12 @@ async function encrypt(payload: SessionData): Promise {
 .setProtectedHeader({ alg: 'HS256' })
 .setIssuedAt()
 .setExpirationTime(new Date(payload.expiresAt))
- .sign(key);
+ .sign(getKey());
 }
 async function decrypt(token: string): Promise {
 try {
- const { payload } = await jwtVerify(token, key, { algorithms: ['HS256'] });
+ const { payload } = await jwtVerify(token, getKey(), { algorithms: ['HS256'] });
 return payload as unknown as SessionData;
 } catch {
 return null;
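Review bot: `getKey()` accepts any non-empty `AUTH_SECRET`, so a short or guessable value is used as the HS256 key as-is and the session signature is only as strong as that string; nothing in the hunk checks its length. RFC 7518 requires an HMAC-SHA256 key of at least 256 bits, so the function could end with `const key = new TextEncoder().encode(secretKey);`, `if (key.length < 32) throw new Error('AUTH_SECRET must be at least 32 bytes');`, `return key;` (message text is a constructed sample). Moving the lookup out of module scope also means a missing secret is no longer reported at import, only on the first sign or verify call. If that deferral is intentional, presumably so the module can be imported without the variable set, a one-line comment on `getKey` should say so.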
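Review bot: In `decrypt`, `getKey()` is now evaluated inside the `try`, so the "AUTH_SECRET ... nicht gesetzt" error is caught by the bare `catch` and returned as `null`. Verification still fails closed, but a missing secret becomes indistinguishable from an invalid or expired token and the misconfiguration is never reported. Before this change the same condition threw at module load. Resolve the key ahead of the `try` with `const key = getKey();` and pass it as `jwtVerify(token, key, { algorithms: ['HS256'] })`, so only verification failures are swallowed. `encrypt` begins above this hunk and `decrypt` ends below it.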