8 changes: 6 additions & 2 deletions docs/content/KeyServerCommitteeOps.mdx
Expand Up @@ -129,6 +129,8 @@ Run the publish-and-init command:
cargo run --bin seal-committee-cli -- publish-and-init
```

Use `--unsigned` to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

This command:

- Publishes the `seal_committee` package onchain with upgrade capability
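
Review bot: The added `--unsigned` sentence does not say what format the printed data takes or what "elsewhere" has to do with it. KeyServerOps.mdx in this PR describes the output as a base64-encoded `TransactionKind` under "Using an external wallet for signing"; link to that section here, or repeat the format in one clause, so an operator running `publish-and-init` knows what they are handing to the signer.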
Expand Down Expand Up @@ -376,6 +378,8 @@ init-rotation-params:
cargo run --bin seal-committee-cli -- init-rotation
```

Use `--unsigned` to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

This command:

- Fetches the current key server object to determine the existing committee ID and package ID.
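
Review bot: For `init-rotation` the `--unsigned` sentence needs a note about freshness, because the first bullet under "This command:" says the command fetches the current key server object to determine the committee ID and package ID. Say whether those values are baked into the printed transaction, and if so tell the operator to regenerate the unsigned output when the onchain state changes between printing and signing.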
Expand Down Expand Up @@ -712,7 +716,7 @@ cargo run --bin seal-committee-cli -- authorize-and-upgrade \
-n <NETWORK>
```

Use `--unsigned` to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this phase.
Use `--unsigned` to print the unsigned transaction data. Sign and execute the transaction elsewhere to complete this step.

This command:
- Authorizes the upgrade (gets an UpgradeTicket).
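
Review bot: The reworded `--unsigned` line (now "this step") still leaves open whether the printed transaction covers every action in the "This command:" list, which starts with authorizing the upgrade to obtain an UpgradeTicket. State that a single signed transaction completes the whole sequence, or list the signatures required, so the external signer knows what they are approving.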
Expand All @@ -738,4 +742,4 @@ This command:

The decentralized key server is initialized with a master share generated during the DKG ceremony, which must be kept secure. You can store it using a cloud-based Key Management System (KMS), or in a self-managed software or hardware vault.

<InfrastructureRequirements />
<InfrastructureRequirements />
24 changes: 24 additions & 0 deletions docs/content/KeyServerOps.mdx
Expand Up @@ -35,6 +35,12 @@ Use the relevant package ID `<SEAL_PACKAGE_ID>` to register your key server on t
| Testnet | `0x8d90881fc48eb30d4422db68083b49e7d0f879658444e3a0ed85ce47feaa54b2` |
| Mainnet | `0xa212c4c6c7183b911d0be8768f4cb1df7a383025b5d0ba0c014009f0f30f5f8d` |

## Using an external wallet for signing

All onchain CLI operations, including key server registration, updates, transfers, and upgrades, support an `--unsigned` flag. When you provide this flag, the CLI outputs an unsigned transaction as a base64-encoded `TransactionKind` instead of signing and submitting it. This allows you to sign the transaction with your own wallet or custody solution rather than relying on the Sui CLI keystore.

For example, you can append `--unsigned` to any `seal-cli` onchain command or `sui client call` command shown in this guide. The output is a serialized unsigned transaction that you can then sign and submit through your preferred signing workflow.

## Independent server type modes

When running an independent server, you can choose between Open or Permissioned mode:
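
Review bot: The new "Using an external wallet for signing" section names the output a base64-encoded `TransactionKind`, while SealCLI.mdx in this PR says "unsigned transaction bytes (base64-encoded)" and KeyServerCommitteeOps.mdx says "unsigned transaction data". Use one term across the three files and state what the signer must supply before the output is signable. The second paragraph also attributes `--unsigned` to both `seal-cli` and `sui client call`, which are different binaries; confirm the Sui CLI accepts the flag under that name. It would also help to tell operators to decode and review the transaction contents before signing, since the point of this workflow is that the key holder is not the machine that built the transaction.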
Expand Down Expand Up @@ -66,6 +72,12 @@ sui client call --function <FUNCTION_NAME> --module key_server --package <SEAL_P
# outputs object of type key_server::KeyServer <KEY_SERVER_OBJECT_ID> (may output additional objects)
```

:::tip

You can append `--unsigned` to the preceding command to produce an unsigned transaction for signing with an external wallet. See [Using an external wallet for signing](#using-an-external-wallet-for-signing) for details.

:::

To start the key server in Open mode, run the command `cargo run --bin key-server`, but before running the server, set the following environment variables:

- `MASTER_KEY`: The master secret key generated using the `seal-cli` tool.
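
Review bot: The tip sits directly under a code block whose comment reads `# outputs object of type key_server::KeyServer <KEY_SERVER_OBJECT_ID>`, but with `--unsigned` nothing is created until the signed transaction is executed. Add a sentence to the tip saying the object ID comes from the execution result of the externally signed transaction, not from this command's output.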
Expand Down Expand Up @@ -147,6 +159,12 @@ sui client call --function <FUNCTION_NAME> --module key_server --package <SEAL_P
# outputs object of type key_server::KeyServer <KEY_SERVER_OBJECT_ID_<INDEX>> (may output additional objects)
```

:::tip

You can append `--unsigned` to the preceding command to produce an unsigned transaction for signing with an external wallet. See [Using an external wallet for signing](#using-an-external-wallet-for-signing) for details.

:::

- Add an entry in config file:
- Set `client_master_key` to type `Derived`.
- Set `derivation_index` as `<INDEX>` (use `0` for the first client; for the nth client, use `n-1`).
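
Review bot: This tip is a verbatim copy of the one added in the Open mode hunk, and it is inserted between the registration code block and the "Add an entry in config file" list that continues the same procedure. Consider a single shared note placed once, and mention here that `<KEY_SERVER_OBJECT_ID_<INDEX>>` is only known after the externally signed transaction has executed.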
Expand Down Expand Up @@ -230,6 +248,12 @@ The owner of `<NEW_OWNER_ADDRESS>` can now run:
sui client call --function update --module key_server --package <SEAL_PACKAGE_ID> --args <KEY_SERVER_OBJECT_ID_0> https://<NEW_URL>
```

:::tip

Both the `sui transfer` and `sui client call` commands above support the `--unsigned` flag to produce an unsigned transaction for signing with an external wallet. See [Using an external wallet for signing](#using-an-external-wallet-for-signing) for details.

:::

- The new key server owner can now add it to their config file:
- `client_master_key` set to type `Imported`.
- The name of the environment variable containing the key, for example, `BOB_BLS_KEY`. This name is used later.
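
Review bot: The tip treats the transfer and the `update` call as one signing workflow, but the hunk context says the `update` call is run by the owner of `<NEW_OWNER_ADDRESS>`, so the two unsigned transactions are signed by different parties. Say so explicitly. Also, the tip names `sui transfer`, which should match the command exactly as written earlier in the section, and it uses "above" where the other two tips in this file use "preceding".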
66 changes: 65 additions & 1 deletion docs/content/SealCLI.mdx
Expand Up @@ -185,4 +185,68 @@ cargo run --bin seal-cli fetch-keys --request <ENCODED_REQUEST> \

Encoded seal responses:
<ENCODED_SEAL_RESPONSES>
```
```

## 8. On-chain operations

The Seal CLI provides several commands that submit transactions to the Sui network. These commands handle key server administration tasks such as generating and registering keys, processing pending requests, proposing configuration changes, and managing upgrades.

### Generate key and register

The `genkey` command generates a new key pair. When used with on-chain registration options, it also registers the generated public key with a key server object on the Sui network.

```shell
cargo run --bin seal-cli genkey
```

### Process all pending requests

The `process-all` command processes all pending key requests for a key server. This is an administrative operation that a key server operator runs to handle queued requests.

```shell
cargo run --bin seal-cli process-all
```

### Propose configuration changes

The `propose` command creates a proposal for configuration changes to a key server. Proposals require approval from the appropriate parties before they take effect.

```shell
cargo run --bin seal-cli propose
```

### Approve an upgrade

The `approve-upgrade` command approves a pending upgrade proposal for a key server.

```shell
cargo run --bin seal-cli approve-upgrade
```

### Reject an upgrade

The `reject-upgrade` command rejects a pending upgrade proposal for a key server.

```shell
cargo run --bin seal-cli reject-upgrade
```

### Authorize an upgrade

The `authorize-upgrade` command authorizes an approved upgrade to proceed for a key server.

```shell
cargo run --bin seal-cli authorize-upgrade
```

### Using `--unsigned` for external signing

All on-chain CLI operations support the `--unsigned` flag. When you provide this flag, the CLI outputs the unsigned transaction bytes (base64-encoded) instead of signing and submitting the transaction through the local Sui keystore. This allows you to sign the transaction with your own wallet or external signing infrastructure.

For example, to generate a key and output the unsigned registration transaction:

```shell
cargo run --bin seal-cli genkey --unsigned
```

You can then take the output transaction bytes and sign them using your preferred wallet or signing tool before submitting the signed transaction to the network.
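
Review bot: The closing example `cargo run --bin seal-cli genkey --unsigned` does not say where the generated secret key goes when the command's output is the unsigned registration transaction. The "Generate key and register" subsection says `genkey` generates a new key pair, so document which part of the output is secret and which part is meant to be passed to the signer, so operators do not forward or log the key along with the transaction bytes. Separately, the six subsections show each command with no arguments and refer to unspecified "on-chain registration options"; list the required flags or link to where they are defined. The heading and body use "On-chain" and "on-chain" while the other two files in this PR use "onchain".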