diff --git a/DEPLOY.md b/DEPLOY.md index e2579e0..b6e8e06 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -74,14 +74,42 @@ sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/uploads sudo install -d -o fenja -g fenja /opt/fenja/data/bifrost-portal/backups ``` -## 3. Clone the repo +## 3. Deploy key + clone -The `fenja` user needs read access to `git.fenja.ai` (a deploy key on its -account, or your forwarded agent for the first clone): +The `fenja` user needs read access to this repo on `git.fenja.ai`. Use a +dedicated, repo-scoped **deploy key** generated on the server (private key never +leaves the box) plus an SSH alias so it's used only for this repo. ```bash -sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform.git \ - /opt/bifrost-portal +# Generate the keypair (no passphrase — it's for unattended deploys) +sudo -u fenja install -d -m 700 /home/fenja/.ssh +sudo -u fenja ssh-keygen -t ed25519 -N "" \ + -f /home/fenja/.ssh/bifrost_portal_deploy \ + -C "bifrost-portal-deploy@$(hostname)" + +# SSH alias so git uses THIS key only for the portal repo +sudo -u fenja tee -a /home/fenja/.ssh/config >/dev/null <<'EOF' + +Host bifrost-portal-git + HostName git.fenja.ai + Port 2222 + User git + IdentityFile ~/.ssh/bifrost_portal_deploy + IdentitiesOnly yes +EOF +sudo -u fenja chmod 600 /home/fenja/.ssh/config +sudo -u fenja bash -c 'ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null' + +# Print the PUBLIC key to register +sudo -u fenja cat /home/fenja/.ssh/bifrost_portal_deploy.pub +``` + +Upload that public key on `git.fenja.ai`: **Repo → Settings → Deploy Keys → +Add Deploy Key**, read-only (leave write access off). Then test and clone: + +```bash +sudo -u fenja ssh -T bifrost-portal-git # expect a greeting, no password prompt +sudo -u fenja git clone bifrost-portal-git:joh/project-bifrost-platform.git /opt/bifrost-portal ``` > **Keep the git checkouts separate.** This portal (`project-bifrost-platform`) 
@@ -89,6 +117,8 @@ sudo -u fenja git clone ssh://git@git.fenja.ai:2222/joh/project-bifrost-platform > git projects with their own remotes. `/opt/bifrost-portal` is a self-contained > checkout — never nest it inside another app's tree, never point its remote at > theirs, and only ever run `scripts/deploy.sh` from inside `/opt/bifrost-portal`. +> Cloning via the `bifrost-portal-git` alias makes `origin` resolve through the +> dedicated deploy key, which `scripts/deploy.sh` uses transparently. ## 4. Environment file
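Review bot: in the first hunk (new section 3), `ssh-keyscan -p 2222 git.fenja.ai >> /home/fenja/.ssh/known_hosts 2>/dev/null` accepts whatever host key answers at that moment, so a spoofed or intercepted first connection is trusted silently, and the `2>/dev/null` also hides a DNS or connectivity failure that leaves known_hosts empty and turns the later `ssh -T bifrost-portal-git` into an interactive prompt on an unattended box. Suggest the doc state the expected host-key fingerprint of `git.fenja.ai` (or where it is published) and add a comparison step such as `ssh-keygen -lf /home/fenja/.ssh/known_hosts` before the clone. Two smaller points in the same hunk: `tee -a` appends a second `Host bifrost-portal-git` block every time the section is re-run, so either guard it or note that the step is not idempotent; and the config file exists world-readable until the `chmod 600` lands, so creating it with `install -m 600 /dev/null /home/fenja/.ssh/config` first closes that window.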
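Review bot: in the second hunk, the added sentence says `scripts/deploy.sh` uses the deploy key "transparently", but that holds only because the `Host bifrost-portal-git` alias is defined in `/home/fenja/.ssh/config`; if an operator runs the script as root or from a cron entry under another account, `origin` no longer resolves through the alias and the pull fails or uses a different identity. Suggest stating the precondition explicitly, e.g. "`scripts/deploy.sh` must be run as `fenja`, since the alias lives in that user's SSH config", and dropping "transparently".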