diff --git a/.env b/.env
index d1ce30c..76cd61d 100644
--- a/.env
+++ b/.env
@@ -76,3 +76,4 @@ OAUTH_KEYCLOAK_REALM=e-cosplay
 # MAILER_DSN=ses://ACCESS_KEY:SECRET_KEY@default?region=eu-west-1
 # MAILER_DSN=ses+smtp://ACCESS_KEY:SECRET_KEY@default?region=eu-west-1
 ###< symfony/amazon-mailer ###
+SECRET_ANALYTICS=dev_analytics_secret_change_me
diff --git a/.env.test b/.env.test
index 5bb2f14..3a9ed9b 100644
--- a/.env.test
+++ b/.env.test
@@ -16,3 +16,4 @@ SESSION_HANDLER_DSN=redis://:e_ticket@redis:6379/1
 REDIS_CACHE_DSN=redis://:e_ticket@redis:6379/2
 SMIME_PASSPHRASE=test
 ADMIN_EMAIL=contact@test.com
+SECRET_ANALYTICS=test_analytics_secret
diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index 7279292..e53207d 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -21,6 +21,10 @@
 set_fact:
 docker_gid: "{{ docker_sock.stat.gid }}"
 
+ - name: Generate analytics secret
+ set_fact:
+ analytics_secret: "{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=32') }}"
+
 tasks:
 - name: Deploy .env.local
 template:
diff --git a/ansible/env.local.j2 b/ansible/env.local.j2
index 971b8d1..80992ae 100644
--- a/ansible/env.local.j2
+++ b/ansible/env.local.j2
@@ -24,3 +24,4 @@ OAUTH_KEYCLOAK_CLIENT_ID=e-ticket
 OAUTH_KEYCLOAK_CLIENT_SECRET=1oLwbhJDNVmGH8CES1OdQtzR7dECOlII
 OAUTH_KEYCLOAK_URL=https://auth.esy-web.dev
 OAUTH_KEYCLOAK_REALM=e-cosplay
+SECRET_ANALYTICS={{ analytics_secret }}
diff --git a/src/Controller/AnalyticsController.php b/src/Controller/AnalyticsController.php
index 0253292..2456f2a 100644
--- a/src/Controller/AnalyticsController.php
+++ b/src/Controller/AnalyticsController.php
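Review bot: The committed default `SECRET_ANALYTICS=dev_analytics_secret_change_me` added to `.env` becomes the live value on any environment whose `.env.local` does not override it, because Symfony's Dotenv falls back to `.env`; the ansible template in this commit covers ansible-managed hosts, but nothing fails fast for a host provisioned another way. A short comment next to the line would at least make the expectation visible, e.g. `# Dev-only placeholder; every deployed environment must set its own value in .env.local (see ansible/env.local.j2)`. If the application has a place where it already refuses to boot on a dev-default secret, the same check for this variable would be cheap.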
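Review bot: The `lookup('password', '/dev/null ...')` on the added `analytics_secret` line yields a fresh value on every playbook run, and because `set_fact` is evaluated per host, each target host also receives a different value. Every deploy therefore rotates the analytics encryption key and the endpoint token, and hosts behind one load balancer will disagree on both; whether that breaks anything depends on whether payloads encrypted by AnalyticsCryptoService are ever persisted or whether a page rendered by one host can post to another, which this diff does not show. The Ansible password lookup reuses the value when given a stable file, so `analytics_secret: "{{ lookup('password', '<PERSISTENT-CREDENTIALS-PATH>/analytics_secret chars=ascii_lowercase,digits length=32') }}"` (path is a placeholder) or an Ansible Vault variable would give a single secret that survives redeploys and is identical across hosts; the credentials file must then be kept out of version control.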
@@ -19,13 +19,13 @@ class AnalyticsController extends AbstractController
 #[Route('/t/{token}', name: 'app_analytics_track', methods: ['POST'])]
 public function track(
 string $token,
- #[Autowire('%kernel.secret%')] string $appSecret,
+ #[Autowire(env: 'SECRET_ANALYTICS')] string $analyticsSecret,
 Request $request,
 AnalyticsCryptoService $crypto,
 EntityManagerInterface $em,
 MessageBusInterface $bus,
 ): Response {
- $expectedToken = substr(hash('sha256', $appSecret.'_endpoint'), 0, 8);
+ $expectedToken = substr(hash('sha256', $analyticsSecret.'_endpoint'), 0, 8);
 if (!hash_equals($expectedToken, $token)) {
 return new Response('', 404);
 }
diff --git a/src/Service/AnalyticsCryptoService.php b/src/Service/AnalyticsCryptoService.php
index 130c66c..9fee7d3 100644
--- a/src/Service/AnalyticsCryptoService.php
+++ b/src/Service/AnalyticsCryptoService.php
@@ -9,9 +9,9 @@ class AnalyticsCryptoService
 private string $key;
 
 public function __construct(
- #[Autowire('%kernel.secret%')] string $appSecret,
+ #[Autowire(env: 'SECRET_ANALYTICS')] private string $analyticsSecret,
 ) {
- $this->key = substr(hash('sha256', $appSecret.'_analytics', true), 0, 32);
+ $this->key = substr(hash('sha256', $this->analyticsSecret, true), 0, 32);
 }
 
 public function encrypt(array $data): string
diff --git a/src/Twig/AnalyticsExtension.php b/src/Twig/AnalyticsExtension.php
index b7e8a82..c38575e 100644
--- a/src/Twig/AnalyticsExtension.php
+++ b/src/Twig/AnalyticsExtension.php
@@ -13,9 +13,9 @@ class AnalyticsExtension extends AbstractExtension implements GlobalsInterface
 public function __construct(
 private AnalyticsCryptoService $crypto,
- #[Autowire('%kernel.secret%')] string $appSecret,
+ #[Autowire(env: 'SECRET_ANALYTICS')] string $analyticsSecret,
 ) {
- $this->endpointToken = substr(hash('sha256', $appSecret.'_endpoint'), 0, 8);
+ $this->endpointToken = substr(hash('sha256', $analyticsSecret.'_endpoint'), 0, 8);
 }
 
 public function getGlobals(): array
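Review bot: The endpoint-token derivation `substr(hash('sha256', $analyticsSecret.'_endpoint'), 0, 8)` is now spelled out twice, here in track() and again in the AnalyticsExtension constructor hunk below, while AnalyticsCryptoService derives its key from the same secret with yet another recipe; this commit already shows how such copies drift, since the service hunk drops its `'_analytics'` label while the other two keep `'_endpoint'`. A single `public function endpointToken(): string` on AnalyticsCryptoService, called from both the controller and the Twig extension, would keep the derivation in one place and remove the need to inject the raw secret into the controller and the extension at all. The token is 8 hex characters (32 bits) of a hash that the extension presumably hands to templates through getGlobals(), so the `hash_equals` check hides the endpoint rather than authenticating callers; a comment such as `// Token only obscures the endpoint URL; it is public once a page is rendered, so it is not an auth check.` would stop a later reader from relying on it. track()'s body continues past the end of the hunk.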
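Review bot: The promoted `private string $analyticsSecret` in the AnalyticsCryptoService constructor keeps the raw secret alive on the service instance for the whole request, where the old code retained only the derived `$key`, and nothing in the hunk reads the property after the constructor. Dropping the promotion, as the controller and extension hunks do, narrows where the secret can surface (dumps, serialization, exception context): `#[Autowire(env: 'SECRET_ANALYTICS')] string $analyticsSecret,` and `$this->key = substr(hash('sha256', $analyticsSecret.'_analytics', true), 0, 32);`. Keeping the `'_analytics'` suffix also preserves the domain separation the previous code had between the encryption key and the `'_endpoint'` token derived from the same secret; as written the key is the bare SHA-256 of the secret, and the `substr(..., 0, 32)` on a 32-byte raw digest is a no-op that obscures this. If any payload encrypted under the old kernel.secret-derived key is stored anywhere, this change makes it undecryptable, which may be the intended rotation but deserves a line in the commit message.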