diff --git a/README.md b/README.md
index be16210c..79ea580f 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,7 @@
 - `AP_DEBUG` (`1` or `true` enables debug dashboard)
 - `AP_DEBUG_PASSWORD` (required when debug dashboard is enabled)
 - `REDIS_URL` (recommended for production delivery queue durability)
+- Startup preflight `scripts/preflight-activitypub-rsa-key.mjs` ensures `ap_keys` contains a usable RSA key pair (`publicKeyPem` + `privateKeyPem`) so outgoing inbox deliveries are HTTP-signed and not rejected with `Request not signed`.
 - Startup preflight `scripts/preflight-activitypub-profile-urls.mjs` normalizes existing ActivityPub profile URL fields in MongoDB (`url`, `icon`, `image`, `alsoKnownAs`) so WebFinger/actor responses do not fail on invalid URL values.
 - The ActivityPub locale patch creates/repairs `locales/de.json` from `locales/en.json` so backend UI keys do not render as raw `activitypub.*` translation strings when `SITE_LOCALE=de`.
 - Quick verification commands:
@@ -106,10 +107,11 @@
 - `start.sh` is intentionally ignored by Git (`.gitignore`) so server secrets are not committed.
 - Use `start.example.sh` as the tracked template and keep real credentials in environment variables (or `.env` on the server).
 - Startup scripts parse `.env` with the `dotenv` parser (not shell `source`), so values containing spaces are handled safely.
-- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
+- Startup scripts run preflight + patch helpers before boot (`scripts/preflight-production-security.mjs`, `scripts/preflight-mongo-connection.mjs`, `scripts/preflight-activitypub-rsa-key.mjs`, `scripts/preflight-activitypub-profile-urls.mjs`, `scripts/patch-lightningcss.mjs`, `scripts/patch-endpoint-media-scope.mjs`, `scripts/patch-endpoint-media-sharp-runtime.mjs`, `scripts/patch-frontend-sharp-runtime.mjs`, `scripts/patch-endpoint-files-upload-route.mjs`, `scripts/patch-endpoint-files-upload-locales.mjs`, `scripts/patch-endpoint-activitypub-locales.mjs`, `scripts/patch-frontend-serviceworker-file.mjs`, `scripts/patch-conversations-collection-guards.mjs`, `scripts/patch-indiekit-routes-rate-limits.mjs`, `scripts/patch-indiekit-error-production-stack.mjs`, `scripts/patch-indieauth-devmode-guard.mjs`, `scripts/patch-listening-endpoint-runtime-guards.mjs`).
 - The production security preflight blocks startup on insecure auth/session configuration and catches empty-password bcrypt hashes.
 - One-time recovery mode is available with `INDIEKIT_ALLOW_PASSWORD_SETUP=1` to bootstrap/reset `PASSWORD_SECRET` when locked out. Remove this flag after setting a valid hash.
 - The media scope patch fixes a known upstream issue where file uploads can fail if the token scope is `create update delete` without explicit `media`.
+- The ActivityPub RSA key preflight repairs or creates a usable `type="rsa"` key document in `ap_keys`, so outgoing federation requests can be signed and accepted by stricter inboxes.
 - The ActivityPub profile URL preflight repairs invalid URL fields in the `ap_profile` document (for example relative `icon` paths), preventing `/.well-known/webfinger` and actor responses from failing with `TypeError: Invalid URL`.
 - The media sharp runtime patch makes image transformation resilient on FreeBSD: if `sharp` cannot load, uploads continue without resize/rotation instead of crashing the server process.
 - The frontend sharp runtime patch makes icon generation non-fatal on FreeBSD when `sharp` cannot load, preventing startup crashes in asset controller imports.
diff --git a/package.json b/package.json
index 1bbe3c40..db475921 100644
--- a/package.json
+++ b/package.json
@@ -5,7 +5,7 @@
   "main": "index.js",
   "scripts": {
     "postinstall": "node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs",
-    "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
+    "serve": "export NODE_ENV=${NODE_ENV:-production} INDIEKIT_DEBUG=${INDIEKIT_DEBUG:-0} && node scripts/preflight-production-security.mjs && node scripts/preflight-mongo-connection.mjs && node scripts/preflight-activitypub-rsa-key.mjs && node scripts/preflight-activitypub-profile-urls.mjs && node scripts/patch-lightningcss.mjs && node scripts/patch-endpoint-media-scope.mjs && node scripts/patch-endpoint-media-sharp-runtime.mjs && node scripts/patch-frontend-sharp-runtime.mjs && node scripts/patch-endpoint-files-upload-route.mjs && node scripts/patch-endpoint-files-upload-locales.mjs && node scripts/patch-endpoint-activitypub-locales.mjs && node scripts/patch-frontend-serviceworker-file.mjs && node scripts/patch-conversations-collection-guards.mjs && node scripts/patch-indiekit-routes-rate-limits.mjs && node scripts/patch-indiekit-error-production-stack.mjs && node scripts/patch-indieauth-devmode-guard.mjs && node scripts/patch-listening-endpoint-runtime-guards.mjs && node node_modules/@indiekit/indiekit/bin/cli.js serve --config indiekit.config.mjs",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
diff --git a/scripts/preflight-activitypub-rsa-key.mjs b/scripts/preflight-activitypub-rsa-key.mjs
new file mode 100644
index 00000000..e08071f2
--- /dev/null
+++ b/scripts/preflight-activitypub-rsa-key.mjs
@@ -0,0 +1,130 @@
+import { generateKeyPairSync } from "node:crypto";
+
+import { MongoClient } from "mongodb";
+
+import config from "../indiekit.config.mjs";
+
+const strictMode = process.env.REQUIRE_MONGO !== "0";
+const mongodbUrl = config.application?.mongodbUrl;
+
+function hasPublicPem(value) {
+  return (
+    typeof value === "string" &&
+    value.includes("-----BEGIN PUBLIC KEY-----") &&
+    value.includes("-----END PUBLIC KEY-----")
+  );
+}
+
+function hasPrivatePem(value) {
+  return (
+    typeof value === "string" &&
+    value.includes("-----BEGIN PRIVATE KEY-----") &&
+    value.includes("-----END PRIVATE KEY-----")
+  );
+}
+
+function hasValidRsaPem(doc) {
+  return hasPublicPem(doc?.publicKeyPem) && hasPrivatePem(doc?.privateKeyPem);
+}
+
+function createRsaPemPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+
+  return { publicKeyPem: publicKey, privateKeyPem: privateKey };
+}
+
+if (!mongodbUrl) {
+  console.warn(
+    "[preflight] ActivityPub RSA key sync skipped: MongoDB URL is not configured.",
+  );
+  process.exit(0);
+}
+
+const client = new MongoClient(mongodbUrl, { connectTimeoutMS: 5000 });
+
+try {
+  await client.connect();
+
+  const apKeys = client.db().collection("ap_keys");
+  const now = new Date().toISOString();
+  const typedRsaDoc = await apKeys.findOne({ type: "rsa" });
+
+  if (hasValidRsaPem(typedRsaDoc)) {
+    console.log("[preflight] ActivityPub RSA key pair already present");
+    process.exit(0);
+  }
+
+  if (typedRsaDoc) {
+    const rsaPair = createRsaPemPair();
+
+    await apKeys.updateOne(
+      { _id: typedRsaDoc._id },
+      {
+        $set: {
+          type: "rsa",
+          ...rsaPair,
+          updatedAt: now,
+        },
+      },
+    );
+
+    console.log(
+      "[preflight] Repaired ActivityPub RSA key pair in existing type='rsa' document",
+    );
+    process.exit(0);
+  }
+
+  const legacyPemDoc = await apKeys.findOne({
+    publicKeyPem: { $exists: true },
+    privateKeyPem: { $exists: true },
+  });
+
+  if (hasValidRsaPem(legacyPemDoc)) {
+    if (legacyPemDoc.type !== "rsa") {
+      await apKeys.updateOne(
+        { _id: legacyPemDoc._id },
+        {
+          $set: {
+            type: "rsa",
+            updatedAt: now,
+          },
+        },
+      );
+
+      console.log("[preflight] Marked existing ActivityPub PEM key as type='rsa'");
+    } else {
+      console.log("[preflight] ActivityPub legacy RSA PEM key already usable");
+    }
+
+    process.exit(0);
+  }
+
+  const rsaPair = createRsaPemPair();
+
+  await apKeys.insertOne({
+    type: "rsa",
+    ...rsaPair,
+    createdAt: now,
+  });
+
+  console.log("[preflight] Generated and stored ActivityPub RSA key pair");
+} catch (error) {
+  const message = `[preflight] ActivityPub RSA key sync failed: ${error.message}`;
+
+  if (strictMode) {
+    console.error(message);
+    process.exit(1);
+  }
+
+  console.warn(`${message} Continuing because strict mode is disabled.`);
+} finally {
+  try {
+    await client.close();
+  } catch {
+    // no-op
+  }
+}
diff --git a/start.example.sh b/start.example.sh
index cf76273f..b3409c0f 100644
--- a/start.example.sh
+++ b/start.example.sh
@@ -45,6 +45,9 @@ unset DEBUG
 # Verify MongoDB credentials/connectivity before launching server.
 /usr/local/bin/node scripts/preflight-mongo-connection.mjs
 
+# Ensure ActivityPub has an RSA keypair for HTTP Signature delivery.
+/usr/local/bin/node scripts/preflight-activitypub-rsa-key.mjs
+
 # Normalize ActivityPub profile URL fields (icon/image/aliases) in MongoDB.
 /usr/local/bin/node scripts/preflight-activitypub-profile-urls.mjs