diff --git a/.gitignore b/.gitignore
index e81a158..def1e84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,7 +54,7 @@ htmlcov/
 
 # Environment
 .env
-.env.*
+.env.local
 *.log
 
 # Distribution
diff --git a/frontends/web/.env.example b/frontends/web/.env.example
new file mode 100644
index 0000000..72d13f9
--- /dev/null
+++ b/frontends/web/.env.example
@@ -0,0 +1,15 @@
+# Stegasoo Web UI Configuration
+# Copy this file to .env and customize
+
+# Authentication (v4.0.2+)
+STEGASOO_AUTH_ENABLED=true
+STEGASOO_HTTPS_ENABLED=false
+STEGASOO_HOSTNAME=localhost
+
+# Channel Key (256-bit hex for private channel isolation)
+# Generate with: python -c "import secrets; print(secrets.token_hex(32))"
+# Leave empty for public mode
+STEGASOO_CHANNEL_KEY=
+
+# Flask settings
+FLASK_ENV=production
diff --git a/src/stegasoo/cli.py b/src/stegasoo/cli.py
index 2b62e5e..80a4dce 100644
--- a/src/stegasoo/cli.py
+++ b/src/stegasoo/cli.py
@@ -398,16 +398,21 @@ def batch_check(ctx, images, recursive):
 @click.option(
     "--pin-length", default=DEFAULT_PIN_LENGTH, help=f"PIN length (default: {DEFAULT_PIN_LENGTH})"
 )
+@click.option(
+    "--channel-key", is_flag=True, help="Also generate a 256-bit channel key"
+)
 @click.pass_context
-def generate(ctx, words, pin_length):
+def generate(ctx, words, pin_length, channel_key):
     """
-    Generate random credentials (passphrase + PIN).
+    Generate random credentials (passphrase + PIN + optional channel key).
 
     Examples:
 
         stegasoo generate
 
         stegasoo generate --words 6 --pin-length 8
+
+        stegasoo generate --channel-key
     """
     import secrets
 
@@ -451,11 +456,17 @@ def generate(ctx, words, pin_length):
         "pin_length": pin_length,
     }
 
+    # Generate channel key if requested
+    if channel_key:
+        result["channel_key"] = secrets.token_hex(32)
+
     if ctx.obj.get("json"):
         click.echo(json.dumps(result, indent=2))
     else:
-        click.echo(f"Passphrase: {passphrase}")
-        click.echo(f"PIN:        {pin}")
+        click.echo(f"Passphrase:   {passphrase}")
+        click.echo(f"PIN:          {pin}")
+        if channel_key:
+            click.echo(f"Channel Key:  {result['channel_key']}")
         click.echo("\n⚠️  Save these credentials securely - they cannot be recovered!")