Signing & verification

Page stub. Full content lives in the README — Signing & verification.

hexgate policy keygen --out ./keys/dev
hexgate policy build policy.yaml --out ./bundle --sign-key ./keys/dev.private

At runtime:

HEXGATE_LOCAL_POLICY=./bundle \
HEXGATE_BUNDLE_PUBKEY_PATH=./keys/dev.public \
HEXGATE_BUNDLE_REQUIRE_SIGNATURE=true \
hexgate chat --agent researcher

Keys are raw Ed25519, base64url-encoded — the same format the platform’s JWKS endpoint publishes, so production verification reuses the public key your SDK already trusts for biscuit tokens.

WASM bundles Local override (HEXGATE_LOCAL_POLICY)

⌘I