> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spellguard.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Session Keys

> Ephemeral RAM-only keys for forward secrecy

# Session Key Management

cTLS uses ephemeral session keys for forward secrecy. Keys exist only in Verifier RAM and are destroyed on shutdown.

```mermaid theme={null}
flowchart TB
    A["Verifier Startup<br/>generateSessionKeys()"] --> B["Normal Operation<br/>Sign attestations, derive secrets"]
    B --> C["Verifier Shutdown<br/>destroySessionKeys()"]

    style A fill:#10b981,color:#fff
    style C fill:#ef4444,color:#fff
```

## Session Keys Structure

```typescript theme={null}
interface SessionKeys {
  /** Ed25519 public key shared with clients for signing verification */
  publicKey: string;
  /** Ed25519 private key - RAM-only, never persisted */
  privateKey: string;
  /** X25519 public key for ECDH key agreement (encryption) */
  x25519PublicKey: string;
  /** X25519 private key - RAM-only, never persisted */
  x25519PrivateKey: string;
  /** When the keys were created */
  createdAt: number;
}
```

## Forward Secrecy Guarantees

<Warning>
  Session keys are **never persisted to disk**. They exist only in RAM during the Verifier's lifetime.
</Warning>

This means:

* Each Verifier restart generates fresh keys
* Past communications cannot be decrypted even if storage is compromised
* Agents must re-register after Verifier restarts
