Vaulthalla Logo

Key Generation

Generate Ed25519 keys for signed docs sync requests.

Key Generation

The signed sync endpoint uses Ed25519 request signatures. Generate a key pair with the CLI:

1pnpm exec payload-markdown-docs keygen --out .docs-sync

This writes:

  • .docs-sync/docs-sync-private.pem
  • .docs-sync/docs-sync-public.pem
Do not commit the private key

The public key belongs in Docs Globals > Keys. The private key belongs in local secret storage or a CI secret such as DOCS_SYNC_PRIVATE_KEY.

The CLI also accepts unencrypted OpenSSH Ed25519 private keys, for example a dedicated ssh-keygen -t ed25519 key. If you use an OpenSSH key, paste the matching ssh-ed25519 ... public key into Docs Globals > Keys.

Configure The Public Key

1Docs Globals -> Keys2 3keyId: github-actions-main4publicKey: contents of .docs-sync/docs-sync-public.pem

Use The Private Key

  1. 1

    Local dry-run

    Use --private-key-file .docs-sync/docs-sync-private.pem.

  2. 2

    CI dry-run or publish

    Store the PEM as DOCS_SYNC_PRIVATE_KEY and use --private-key-env DOCS_SYNC_PRIVATE_KEY.

  3. 3

    Rotate keys

    Add the new public key to Keys, then switch CI to the new private key.

Read the security model before exposing the endpoint publicly.