diff --git a/README.md b/README.md
index 723cc6c..c32d6c4 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,18 @@ cd tinyboard
 ./setup.sh   # option 1 (configure new spoke)
 ```
 
+### Adding the Spoke's Public Key to the Hub
+
+During `setup-spoke.sh`, a key pair is generated on the spoke for the autossh tunnel. The script will display the public key and pause. Before pressing ENTER, the hub owner must add the public key to the hub user's `authorized_keys`:
+
+```bash
+echo "<paste public key here>" >> ~/.ssh/authorized_keys
+```
+
+Once the key is added, press ENTER on the spoke to continue. The script will test the SSH connection and if successful, bring up the tunnel.
+
+The private key never leaves the spoke — only the public key is shared.
+
 ### Onboarding a Spoke from the Hub
 
 Once the spoke tunnel is up, run on the hub: