diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3db9026..e8d9bf92 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+* Kolide server now requires `--auth_jwt_key` to be specified at startup.
+
+  If no JWT key is provided by the user, the server will print a new suggested random JWT key for use.
+
 * Fix rounding error when showing % of online hosts
 
 ## Kolide 1.0.3 (April 3, 2017)
@@ -33,7 +37,7 @@ See https://wiki.mozilla.org/Security/Server_Side_TLS for more information on th
 
 * The Options Configuration item in the sidebar is now only available to admin users.
 
-  Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.
+  Previously this item was visible to non-admin users and if selected, a blank options page would be displayed since server side authorization constraints prevent regular users from viewing or changing options.
 
 * Improved validation for the Kolide server URL supplied in setup and configuration.
 
diff --git a/cli/serve.go b/cli/serve.go
index 3a4981d0..a8bb6c6b 100644
--- a/cli/serve.go
+++ b/cli/serve.go
@@ -99,6 +99,23 @@ the way that the kolide server works.
 			os.Exit(1)
 		}
 
+		if config.Auth.JwtKey == "" {
+			jwtKey, err := kolide.RandomText(24)
+			if err != nil {
+				initFatal(err, "generating sample jwt key")
+			}
+			fmt.Printf("################################################################################\n"+
+				"# ERROR:\n"+
+				"# A value must be supplied for --auth_jwt_key. This value is used to create\n"+
+				"# session tokens for users.\n"+
+				"#\n"+
+				"# Consider using the following randomly generated key:\n"+
+				"# %s\n"+
+				"################################################################################\n",
+				jwtKey)
+			os.Exit(1)
+		}
+
 		if initializingDS, ok := ds.(initializer); ok {
 			if err := initializingDS.Initialize(); err != nil {
 				initFatal(err, "loading built in data")
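Review bot: The guard on the first added line of the cli/serve.go hunk rejects only an empty key, so a config file or environment still carrying the previously documented default `CHANGEME` (or any other short placeholder) passes the check and the server starts signing session tokens with a guessable key; consider also rejecting the known placeholder and a minimum length, e.g. `if key := config.Auth.JwtKey; key == "" || key == "CHANGEME" {` plus a `len(key) < N` check with N chosen to match what `kolide.RandomText(24)` produces (its output length is not visible here). The error banner is written with `fmt.Printf` to stdout while every other startup failure in view goes through `initFatal`; as a fatal startup error it belongs on stderr, `fmt.Fprintf(os.Stderr, ...)`, so it is not mixed into normal output. Note also that the suggested key is emitted to the process output, so if an operator copies it into production it has already been written to whatever captures that output (journal, container logs); a sentence in the banner saying the value is a suggestion to be stored as a secret, not reused from logs, would make that explicit. The enclosing Run function starts and ends outside the hunk.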
diff --git a/docs/infrastructure/configuring-the-kolide-binary.md b/docs/infrastructure/configuring-the-kolide-binary.md
index 380e1359..c37ef69c 100644
--- a/docs/infrastructure/configuring-the-kolide-binary.md
+++ b/docs/infrastructure/configuring-the-kolide-binary.md
@@ -313,9 +313,9 @@ Whether or not the server should be served over TLS.
 
 ##### `auth_jwt_key`
 
-The [JWT](https://jwt.io/) key to use when signing and validating session keys.
+The [JWT](https://jwt.io/) key to use when signing and validating session keys. If this value is not specified the Kolide server will fail to start and a randomly generated key will be provided for use.
 
-- Default value: `CHANGEME`
+- Default value: None
 - Environment variable: `KOLIDE_AUTH_JWT_KEY`
 - Config file format:
 
diff --git a/server/config/config.go b/server/config/config.go
index 076a7878..484aab37 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -142,8 +142,8 @@ func (man Manager) addConfigs() {
 			TLSProfileModern, TLSProfileIntermediate, TLSProfileOld))
 
 	// Auth
-	man.addConfigString(
-		"auth.jwt_key", "CHANGEME", "JWT session token key")
+	man.addConfigString("auth.jwt_key", "",
+		"JWT session token key (required)")
 	man.addConfigInt("auth.bcrypt_cost", 12, "Bcrypt iterations")
 	man.addConfigInt("auth.salt_key_size", 24,
diff --git a/tools/app/kolide.yaml b/tools/app/kolide.yaml
index b766b657..212ad0f1 100644
--- a/tools/app/kolide.yaml
+++ b/tools/app/kolide.yaml
@@ -2,9 +2,8 @@ server:
   cert: "./tools/osquery/kolide.crt"
   key: "./tools/osquery/kolide.key"
 auth:
-  jwt_key: very secure
+  jwt_key: very secure dev setup jwt key
 osquery:
-  enroll_secret: super secure
   result_log_file: /tmp/osquery_result
   status_log_file: /tmp/osquery_status
 logging:
diff --git a/tools/ci/k8s-templates/branch-deployment.template b/tools/ci/k8s-templates/branch-deployment.template
index 9c603269..7d73e7c0 100644
--- a/tools/ci/k8s-templates/branch-deployment.template
+++ b/tools/ci/k8s-templates/branch-deployment.template
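Review bot: In the server/config/config.go hunk the help text now says "(required)", but nothing in this registration enforces it; the empty default is only rejected by a separate check elsewhere at startup, and a reader of addConfigs cannot see that. A comment on the new line would keep the two in sync, e.g. `// No default on purpose: an empty jwt_key is rejected at startup (see cli/serve.go).`. The addConfigs method starts and ends outside the hunk.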
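Review bot: The tools/app/kolide.yaml hunk also deletes `osquery.enroll_secret`, which is unrelated to the JWT-key change and is not mentioned in the CHANGELOG entry; if the removal is intentional (for example because the dev setup no longer reads it), a line in the commit description saying so would help, and if it is accidental the key should be restored. The new dev `jwt_key` value is a fixed, human-readable string checked into the repository, which is fine for a local dev file only as long as the file is never used as a template for a real deployment; a comment above it such as `# dev-only value; never reuse in a deployed instance` would make that intent visible.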
@@ -48,6 +48,8 @@ spec:
           value: kolide_{{ .Name }}
         - name: KOLIDE_REDIS_ADDRESS
           value: redis-kolide-{{ .Name }}:6379
+        - name: KOLIDE_AUTH_JWT_KEY
+          value: changeme_fake_jwt_key
         ports:
         - containerPort: 8080
       - name: cloudsql-proxy
diff --git a/tools/ci/k8s-templates/pr-deployment.template b/tools/ci/k8s-templates/pr-deployment.template
index 186e5fd2..14e250bf 100644
--- a/tools/ci/k8s-templates/pr-deployment.template
+++ b/tools/ci/k8s-templates/pr-deployment.template
@@ -51,6 +51,8 @@ spec:
           value: pr_{{ .Number }}_{{ .RevShort }}
         - name: KOLIDE_REDIS_ADDRESS
           value: redis-kolide-pr-{{ .Number }}:6379
+        - name: KOLIDE_AUTH_JWT_KEY
+          value: changeme_fake_jwt_key
         ports:
         - containerPort: 8080
       - name: cloudsql-proxy
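Review bot: The added `KOLIDE_AUTH_JWT_KEY` in branch-deployment.template is a single literal value shared by every branch deployment, and the pr-deployment.template hunk uses the identical literal, so all CI instances sign session tokens with the same publicly visible key. These templates appear to be for ephemeral CI environments, but the template already injects other per-deployment values (`{{ .Name }}`, `{{ .Number }}`), so the key could be supplied per deployment from a Secret instead, e.g. `valueFrom: { secretKeyRef: { name: <kolide-secrets-placeholder>, key: jwt_key } }`, with the literal kept only as an explicitly commented fallback for throwaway environments. At minimum a comment on the added line stating that the value is CI-only and must not be copied into other manifests would document the intent.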