Security Credentials
Status: Current
Last reviewed: 2026-05-13
Route: /gateway/credentials
Security credentials are reusable transport secrets and profiles for L4 chains and L3 tunnels. The page uses tabs for TLS, X25519, and REALITY. All three tabs call the unified /api/credentials API.
Credential Types
| Type | Use |
|---|---|
X25519 | Reusable X25519 keypair. UDP Noise and REALITY can both reference it. |
REALITY | Target/SNI/short ID profile that references one X25519 key. |
TLS Cert | TLS credential stored in the unified credential table for transport selection. |
Creating, editing, or deleting credentials requires admin.
Credential Table
| Column | Meaning |
|---|---|
| Name | Display label. REALITY profiles use the configured name directly. |
| Type | Credential type. |
| Detail | X25519 public key, TLS domain, or REALITY target. |
| Fingerprint | SHA-256 fingerprint of public material. Can be copied where shown. |
| Actions | Edit or delete credential. |
Create X25519 Key
- Open the X25519 tab.
- Click New X25519 Key.
- Enter a name.
- Click Create.
The backend generates the key material and shows the public key for debugging. Editing an X25519 key changes its display name; it does not rotate the key.
Create REALITY Profile
- Open the REALITY tab.
- Click New REALITY Profile.
- Enter a name.
- Select an X25519 key.
- Enter target website host.
- Enter target port, usually
443. - Enter server names as a comma-separated list. If omitted, the target host is used.
- Enter short IDs as comma-separated hex values, or leave empty for the empty short ID.
- Click Create.
Validation rules:
- Target port must be
1through65535. - Short IDs must be even-length hex strings up to 16 characters.
- A REALITY profile cannot duplicate an existing
server_name + short_idroute key.
Editing a REALITY profile can change the target, server names, short IDs, and selected X25519 key.
Create TLS Cert Credential
- Open the TLS tab.
- Click Add.
- Upload certificate and private key PEM, or switch to the generate tab.
- For generated certificates, enter the domain, optional SANs, and validity.
- Click Create or Generate.
The backend validates that uploaded certificate and private key material match. Existing TLS certificates can be edited by uploading replacement PEM material or generating a replacement self-signed certificate.
Delete Credential
Deleting a credential can break chains or tunnels that reference it. Check:
- L4 chains using TLS, REALITY, or Noise transports.
- L3 tunnels using the REALITY profile.
- REALITY profiles referencing an X25519 key before deleting that key.