Skip to content

Security Credentials

Status: Current

Last reviewed: 2026-05-13

Route: /gateway/credentials

Security credentials are reusable transport secrets and profiles for L4 chains and L3 tunnels. The page uses tabs for TLS, X25519, and REALITY. All three tabs call the unified /api/credentials API.

Credential Types

TypeUse
X25519Reusable X25519 keypair. UDP Noise and REALITY can both reference it.
REALITYTarget/SNI/short ID profile that references one X25519 key.
TLS CertTLS credential stored in the unified credential table for transport selection.

Creating, editing, or deleting credentials requires admin.

Credential Table

ColumnMeaning
NameDisplay label. REALITY profiles use the configured name directly.
TypeCredential type.
DetailX25519 public key, TLS domain, or REALITY target.
FingerprintSHA-256 fingerprint of public material. Can be copied where shown.
ActionsEdit or delete credential.

Create X25519 Key

  1. Open the X25519 tab.
  2. Click New X25519 Key.
  3. Enter a name.
  4. Click Create.

The backend generates the key material and shows the public key for debugging. Editing an X25519 key changes its display name; it does not rotate the key.

Create REALITY Profile

  1. Open the REALITY tab.
  2. Click New REALITY Profile.
  3. Enter a name.
  4. Select an X25519 key.
  5. Enter target website host.
  6. Enter target port, usually 443.
  7. Enter server names as a comma-separated list. If omitted, the target host is used.
  8. Enter short IDs as comma-separated hex values, or leave empty for the empty short ID.
  9. Click Create.

Validation rules:

  • Target port must be 1 through 65535.
  • Short IDs must be even-length hex strings up to 16 characters.
  • A REALITY profile cannot duplicate an existing server_name + short_id route key.

Editing a REALITY profile can change the target, server names, short IDs, and selected X25519 key.

Create TLS Cert Credential

  1. Open the TLS tab.
  2. Click Add.
  3. Upload certificate and private key PEM, or switch to the generate tab.
  4. For generated certificates, enter the domain, optional SANs, and validity.
  5. Click Create or Generate.

The backend validates that uploaded certificate and private key material match. Existing TLS certificates can be edited by uploading replacement PEM material or generating a replacement self-signed certificate.

Delete Credential

Deleting a credential can break chains or tunnels that reference it. Check:

  • L4 chains using TLS, REALITY, or Noise transports.
  • L3 tunnels using the REALITY profile.
  • REALITY profiles referencing an X25519 key before deleting that key.

NexusNet documentation