§ docs · portal · multi-keypair
Multi-keypair management.
Several signing keys under one portal identity. Used when Ed25519 and secp256k1 surfaces need to coexist — e.g. a Solana-native agent sharing a locker with an EVM-only peer.
Every locker has a primary signing key. Secondary keys can be attached for specific roles — one key per algorithm, one per device, one per delegated agent. All signatures are recorded with their algorithm tag so the verification path remains unambiguous.
Common shapes:
primary(Ed25519) +delegated(Ed25519) — two devices, same algorithm.primary(Ed25519) +peer(secp256k1) — EVM counterparty shares a locker.primary(Ed25519) +archive(Ed25519, read-only) — separate key for long-term retrievals.
Rotation and revocation are per-key and instant. The locker's merkle history is unaffected — rotating a key changes who can write to the locker going forward, not what has been committed.