diff --git a/modules/common/src/main/scala/docspell/common/pureconfig/Implicits.scala b/modules/common/src/main/scala/docspell/common/pureconfig/Implicits.scala
index 4d48454e..b2c1452d 100644
--- a/modules/common/src/main/scala/docspell/common/pureconfig/Implicits.scala
+++ b/modules/common/src/main/scala/docspell/common/pureconfig/Implicits.scala
@@ -27,9 +27,9 @@ object Implicits {
     ConfigReader[String].emap(reason(str => {
       if (str.startsWith("hex:")) ByteVector.fromHex(str.drop(4)).toRight("Invalid hex value.")
       else if (str.startsWith("b64:")) ByteVector.fromBase64(str.drop(4)).toRight("Invalid Base64 string.")
-      else ByteVector.fromHex(str).toRight("Invalid hex value.")
+      else ByteVector.encodeUtf8(str).left.map(ex => s"Invalid utf8 string: ${ex.getMessage}")
     }))
 
   def reason[A: ClassTag](f: String => Either[String, A]): String => Either[FailureReason, A] =
     in => f(in).left.map(str => CannotConvert(in, implicitly[ClassTag[A]].runtimeClass.toString, str))
-}
\ No newline at end of file
+}
diff --git a/modules/microsite/docs/doc/configure.md b/modules/microsite/docs/doc/configure.md
index 3eafed62..8c61d431 100644
--- a/modules/microsite/docs/doc/configure.md
+++ b/modules/microsite/docs/doc/configure.md
@@ -187,7 +187,8 @@ The `server-secret` is used to sign the token. If multiple REST
 servers are deployed, all must share the same server secret. Otherwise
 tokens from one instance are not valid on another instance. The secret
 can be given as Base64 encoded string or in hex form. Use the prefix
-`hex:` and `b64:`, respectively.
+`hex:` and `b64:`, respectively. If no prefix is given, the UTF8 bytes
+of the string are used.
 
 The `session-valid` deterimens how long a token is valid. This can be
 just some minutes, the web application obtains new ones