Authentication API

Hi everyone,
I’m writing this post because, after reading the documentation and setting up my client to connect to the authentication API, I have some questions I would like to clarify in order to improve the security of my app.

The documentation says there are two sections for the authentication API, one for the admin panel and one for the content, and this is where I get lost with the different configurations Strapi has.

For the admin panel, you can set up an API token to make requests to Strapi. Currently, I have this configuration:

// config/admin.js
module.exports = ({ env }) => ({
  auth: {
    // secret used to sign admin panel JWTs; the zeros are a local placeholder
    secret: env("ADMIN_JWT_SECRET", "000000000000000000000"),
  },
});

Because I am in the local environment, the ADMIN_JWT_SECRET variable is public, but if I wanted to make requests to the admin panel in production I should change the config to something like this, is that correct?

// config/admin.js (production)
module.exports = ({ env }) => ({
  auth: {
    // read the secret from the environment first, then fall back to the env() helper
    secret:
      process.env.ADMIN_JWT_SECRET ||
      env("ADMIN_JWT_SECRET", "000000000000000000000"),
  },
});

And the value of ADMIN_JWT_SECRET should be generated in the admin panel (Settings > API Token), right?

After installing Strapi, it generated a .env file with the variables JWT_SECRET and API_TOKEN_SALT. Let me know if I am wrong: the API_TOKEN_SALT variable is used to generate the JWT token, but I don’t know whether for the admin panel or for the content. The JWT_SECRET variable is used to sign the JWT token (Roles & Permissions - Strapi Developer Docs), but it is not necessary to change it, right?

On the other hand, there is the authentication API for the content, which can be set up thanks to the “Users & Permissions” plugin, which binds the content to roles and permissions. I created a user in Strapi and I am using the JWT returned by Strapi after logging in to make authenticated API requests. Its configuration can be customised (Roles & Permissions - Strapi Developer Docs), e.g. to set the expiration of the token.

I would like you to confirm whether what I have described is correct and whether there is something I have not understood well.

In extensions/config I created a jwt.js file and put this in it:

// extensions/config/jwt.js
module.exports = {
  // secret used to sign the JWTs issued by the Users & Permissions plugin
  jwtSecret: process.env.JWT_SECRET,
};

After that I restarted my server, and a .env file was created whose contents are:

JWT_SECRET = (the value here)

API_TOKEN_SALT = (the value here)