diff --git a/infra/main.tf b/infra/main.tf
index 1b901d7..9982e44 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -6,6 +6,10 @@ terraform {
 source = "hashicorp/google"
 version = "~> 5.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.0"
+ }
 }
 }
@@ -15,6 +19,13 @@ provider "google" {
 zone = var.zone
 }
+# --- Auto-generated secrets ---
+
+resource "random_password" "jwt_secret" {
+ length = 48
+ special = false
+}
+
 # --- Network ---
 resource "google_compute_firewall" "data_analyst" {
@@ -69,7 +80,7 @@ locals {
 echo "=== Creating .env ==="
 cat > "$APP_DIR/.env" << 'ENVEOF'
- JWT_SECRET_KEY=${var.jwt_secret}
+ JWT_SECRET_KEY=${random_password.jwt_secret.result}
 DATA_DIR=/data
 DATA_SOURCE=${var.keboola_token != "" ? "keboola" : "local"}
 KEBOOLA_STORAGE_TOKEN=${var.keboola_token}
diff --git a/infra/terraform.tfvars.example b/infra/terraform.tfvars.example
index 5f973c0..2a3fa4a 100644
--- a/infra/terraform.tfvars.example
+++ b/infra/terraform.tfvars.example
@@ -1,15 +1,14 @@
 # Copy to terraform.tfvars and fill in values
-project_id = "your-gcp-project-id"
-region = "europe-west1"
-zone = "europe-west1-b"
+project_id = "kids-ai-data-analysis"
+region = "europe-north1"
+zone = "europe-north1-a"
 machine_type = "e2-small" # 2 vCPU, 2GB RAM, ~$7/mo
 disk_size_gb = 30
 instance_name = "data-analyst"
 ssh_user = "deploy"
 ssh_public_key_path = "~/.ssh/id_ed25519.pub"
-# App secrets
-jwt_secret = "" # Generate: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
+# JWT secret is auto-generated by Terraform (random_password)
 # Keboola (optional — leave empty for sample data)
 keboola_token = ""
diff --git a/infra/variables.tf b/infra/variables.tf
index 559110c..cb21b6b 100644
--- a/infra/variables.tf
+++ b/infra/variables.tf
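Review bot: The new `random_password.jwt_secret` resource (infra/main.tf, hunk `-15,6 +19,13`) carries no comment about where its value ends up: Terraform stores `result` in the state file unencrypted, so anyone who can read the state can sign valid JWTs. I would add above the resource `# Value is stored in Terraform state: keep the backend encrypted and access-restricted. Replacing this resource invalidates every issued token.` The first apply after this commit presumably also swaps out whatever secret was supplied through `var.jwt_secret`, so tokens already issued would stop validating; that is worth planning for at rollout.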
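Review bot: The line `JWT_SECRET_KEY=${random_password.jwt_secret.result}` in the `.env` heredoc (infra/main.tf, hunk `-69,7 +80,7`) renders the secret into the script text held in `locals`. If that local is handed to the instance as a startup script or metadata value (not visible in this hunk), the secret is readable by any process that can query instance metadata and by anyone allowed to view the instance. The hunk also shows no permission change on the file; unless one follows outside the hunk, add `chmod 600 "$APP_DIR/.env"` right after the `ENVEOF` terminator. Having the script fetch the value from a secret store at boot would keep it out of the rendered script altogether. The `locals` block starts and ends outside the hunk.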
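Review bot: In infra/terraform.tfvars.example the placeholder `project_id = "your-gcp-project-id"` is replaced by `"kids-ai-data-analysis"`, which reads like a real project ID rather than an example value. Someone who copies the file verbatim will then run `terraform apply` against that project, and the tracked example publishes an environment identifier for no benefit. I would keep `project_id = "your-gcp-project-id"` here and put the real value only in the untracked terraform.tfvars. The new region and zone are fine as example defaults if that change is intended.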
@@ -45,12 +45,7 @@ variable "ssh_public_key_path" {
 default = "~/.ssh/id_ed25519.pub"
 }
-# App config
-variable "jwt_secret" {
- description = "JWT secret key (min 32 chars)"
- type = string
- sensitive = true
-}
+# App config (JWT secret auto-generated by Terraform)
 variable "keboola_token" {
 description = "Keboola Storage API token"