diff --git a/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt b/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
index 13d0744..d6b93e7 100644
--- a/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
+++ b/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
@@ -97,10 +97,19 @@ class DeviceIdentity(context: Context) {
             ?: throw IllegalStateException("No private key available")
         val privateKeyBytes = base64UrlDecode(privateKeyBase64)
         
-        // Create EdDSA private key
+        // Create EdDSA private key from seed
         val privateKeySpec = EdDSAPrivateKeySpec(privateKeyBytes, ed25519Spec)
         val privateKey = EdDSAPrivateKey(privateKeySpec)
         
+        // Verify the derived public key matches stored public key
+        val derivedPubKey = privateKey.abyte
+        val storedPubKeyBase64 = prefs.getString(keyPublic, null)
+        val storedPubKey = storedPubKeyBase64?.let { base64UrlDecode(it) }
+        
+        Log.d(tag, "Stored pubkey:  ${storedPubKeyBase64?.take(20)}...")
+        Log.d(tag, "Derived pubkey: ${base64UrlEncode(derivedPubKey).take(20)}...")
+        Log.d(tag, "Keys match: ${derivedPubKey.contentEquals(storedPubKey)}")
+        
         // Sign the payload using standard Ed25519 (not prehashed Ed25519ph)
         val signature = EdDSAEngine().apply {
             initSign(privateKey)