APP_KEY is used for encryption and not hashing. Every Data you encrypt in your application is using APP_KEY behind the scene. Do remember that encrypted data can be decrypted but hashed data cannot be decrypted.

A common misconception of APP_KEY is that it is related to Password hashing, the truth is it's not. and here is the proof.

taylor's tweet

You can see in the above tweet that APP_KEY has nothing to do with HASHED data

The comment here says it's used in the ecrypter. I found it here and here used with openssl_encrypt and openssl_decrypt. Without that key you cannot decrypt anything encrypted with those two functions, like sessions cookies stored on the user computer. If they weren't encrypt anyone with access to them could log in to the application as you.

Where it is used:

Every laravel component using encyption (not hashing) in your application uses APP_KEY. (Sessions, CSRF tokens and Cookies).

Where it is not used:

Where larvel using hashing, like Passwords, password_reset_token.

So, changing APP_KEY doesn't make any problems for your passwords or password_reset tokens.

How it works:

APP_KEY is a private string (encryption_key) in your application that nobody knows about. So, if only your application knows the key, only your application can decrypt data that is encrypted by this key. This is how its security works.

** For more information about how it functionally works you can simply check this file in your project: EncryptionServiceProvider.php

Some best practices are:

• Only store it in .env file. (Do not store it in config/app.php or any GIT tracked files)
• Change it only when these situations appears:
  • You find out that your key may be leaked. (So others can decrypt your data)
  • You want to logout all users (users managed by session not api tokens)
  • You want to invalidate cookies.