diff --git a/apps/api/src/federation/federation.service.spec.ts b/apps/api/src/federation/federation.service.spec.ts
index fb85ea8..3914270 100644
--- a/apps/api/src/federation/federation.service.spec.ts
+++ b/apps/api/src/federation/federation.service.spec.ts
@@ -198,6 +198,18 @@ describe("FederationService", () => {
       expect(result1.publicKey).not.toEqual(result2.publicKey);
       expect(result1.privateKey).not.toEqual(result2.privateKey);
     });
+
+    it("should generate RSA-4096 key pairs for future-proof security", () => {
+      // Act
+      const result = service.generateKeypair();
+
+      // Assert - Verify key size by checking approximate length
+      // RSA-4096 keys are significantly larger than RSA-2048
+      // Private key in PKCS8 format: RSA-2048 ≈ 1700 bytes, RSA-4096 ≈ 3200 bytes
+      // Public key in SPKI format: RSA-2048 ≈ 400 bytes, RSA-4096 ≈ 800 bytes
+      expect(result.privateKey.length).toBeGreaterThan(3000);
+      expect(result.publicKey.length).toBeGreaterThan(700);
+    });
   });
 
   describe("regenerateKeypair", () => {
diff --git a/apps/api/src/federation/federation.service.ts b/apps/api/src/federation/federation.service.ts
index 390aec3..1e7e03a 100644
--- a/apps/api/src/federation/federation.service.ts
+++ b/apps/api/src/federation/federation.service.ts
@@ -57,10 +57,11 @@ export class FederationService {
 
   /**
    * Generate a new RSA key pair for instance signing
+   * Uses RSA-4096 for future-proof security (NIST recommendation)
    */
   generateKeypair(): KeyPair {
     const { publicKey, privateKey } = generateKeyPairSync("rsa", {
-      modulusLength: 2048,
+      modulusLength: 4096,
       publicKeyEncoding: {
         type: "spki",
         format: "pem",