diff --git a/gen/es/proto/splitsecure/teamresource/v1/team_base_info_pb.ts b/gen/es/proto/splitsecure/teamresource/v1/team_base_info_pb.ts
index c1a9fba..6888afd 100644
--- a/gen/es/proto/splitsecure/teamresource/v1/team_base_info_pb.ts
+++ b/gen/es/proto/splitsecure/teamresource/v1/team_base_info_pb.ts
@@ -4,13 +4,15 @@
 
 import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv2";
 import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv2";
+import type { HybridKeySetWithDetachedKeys } from "../../hybridkeyset/v1/hybrid_key_set_with_detached_keys_pb";
+import { file_splitsecure_hybridkeyset_v1_hybrid_key_set_with_detached_keys } from "../../hybridkeyset/v1/hybrid_key_set_with_detached_keys_pb";
 import type { Message } from "@bufbuild/protobuf";
 
 /**
  * Describes the file splitsecure/teamresource/v1/team_base_info.proto.
  */
 export const file_splitsecure_teamresource_v1_team_base_info: GenFile = /*@__PURE__*/
-  fileDesc("CjBzcGxpdHNlY3VyZS90ZWFtcmVzb3VyY2UvdjEvdGVhbV9iYXNlX2luZm8ucHJvdG8SG3NwbGl0c2VjdXJlLnRlYW1yZXNvdXJjZS52MSJACgxUZWFtQmFzZUluZm8SEAoIaWRlbnRpdHkYASABKAwSHgoWbWlzc2luZ19waWVjZV9jaGVja3N1bRgCIAEoDEKXAgofY29tLnNwbGl0c2VjdXJlLnRlYW1yZXNvdXJjZS52MUIRVGVhbUJhc2VJbmZvUHJvdG9QAVpTZ2l0aHViLmNvbS9zcGxpdHNlY3VyZS9hcGlzL2dlbi9nby9wcm90by9zcGxpdHNlY3VyZS90ZWFtcmVzb3VyY2UvdjE7dGVhbXJlc291cmNldjGiAgNTVFiqAhtTcGxpdHNlY3VyZS5UZWFtcmVzb3VyY2UuVjHKAhtTcGxpdHNlY3VyZVxUZWFtcmVzb3VyY2VcVjHiAidTcGxpdHNlY3VyZVxUZWFtcmVzb3VyY2VcVjFcR1BCTWV0YWRhdGHqAh1TcGxpdHNlY3VyZTo6VGVhbXJlc291cmNlOjpWMWIGcHJvdG8z");
+  fileDesc("CjBzcGxpdHNlY3VyZS90ZWFtcmVzb3VyY2UvdjEvdGVhbV9iYXNlX2luZm8ucHJvdG8SG3NwbGl0c2VjdXJlLnRlYW1yZXNvdXJjZS52MSKUAQoMVGVhbUJhc2VJbmZvEhAKCGlkZW50aXR5GAEgASgMEh4KFm1pc3NpbmdfcGllY2VfY2hlY2tzdW0YAiABKAwSUgoPZXhjaGFuZ2VfaGtzd2RrGAMgASgLMjkuc3BsaXRzZWN1cmUuaHlicmlka2V5c2V0LnYxLkh5YnJpZEtleVNldFdpdGhEZXRhY2hlZEtleXNClwIKH2NvbS5zcGxpdHNlY3VyZS50ZWFtcmVzb3VyY2UudjFCEVRlYW1CYXNlSW5mb1Byb3RvUAFaU2dpdGh1Yi5jb20vc3BsaXRzZWN1cmUvYXBpcy9nZW4vZ28vcHJvdG8vc3BsaXRzZWN1cmUvdGVhbXJlc291cmNlL3YxO3RlYW1yZXNvdXJjZXYxogIDU1RYqgIbU3BsaXRzZWN1cmUuVGVhbXJlc291cmNlLlYxygIbU3BsaXRzZWN1cmVcVGVhbXJlc291cmNlXFYx4gInU3BsaXRzZWN1cmVcVGVhbXJlc291cmNlXFYxXEdQQk1ldGFkYXRh6gIdU3BsaXRzZWN1cmU6OlRlYW1yZXNvdXJjZTo6VjFiBnByb3RvMw", [file_splitsecure_hybridkeyset_v1_hybrid_key_set_with_detached_keys]);
 
 /**
  * TeamBaseInfo carries fields that persist across team rotations.
@@ -36,6 +38,18 @@ export type TeamBaseInfo = Message<"splitsecure.teamresource.v1.TeamBaseInfo"> &
    * @generated from field: bytes missing_piece_checksum = 2;
    */
   missingPieceChecksum: Uint8Array;
+
+  /**
+   * exchange_hkswdk is the team's public exchange keyset. The private side
+   * is deterministically derived from the same team root as the team's
+   * signing keyset, so it is reconstructible by the team's threshold via
+   * the existing share material — no new shares are introduced. Used to
+   * IES-encrypt data targeted at the team. Persists through all team
+   * rotations (per-team, not per-version).
+   *
+   * @generated from field: splitsecure.hybridkeyset.v1.HybridKeySetWithDetachedKeys exchange_hkswdk = 3;
+   */
+  exchangeHkswdk?: HybridKeySetWithDetachedKeys;
 };
 
 /**
diff --git a/gen/go/proto/splitsecure/teamresource/v1/team_base_info.pb.go b/gen/go/proto/splitsecure/teamresource/v1/team_base_info.pb.go
index 342903f..a3bb59b 100644
--- a/gen/go/proto/splitsecure/teamresource/v1/team_base_info.pb.go
+++ b/gen/go/proto/splitsecure/teamresource/v1/team_base_info.pb.go
@@ -7,6 +7,7 @@
 package teamresourcev1
 
 import (
+	v1 "github.com/splitsecure/apis/gen/go/proto/splitsecure/hybridkeyset/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
@@ -33,8 +34,15 @@ type TeamBaseInfo struct {
 	// Empty when the team does not use this feature.
 	// This persists through all team rotations (per-team, not per-version).
 	MissingPieceChecksum []byte `protobuf:"bytes,2,opt,name=missing_piece_checksum,json=missingPieceChecksum,proto3" json:"missing_piece_checksum,omitempty"`
-	unknownFields        protoimpl.UnknownFields
-	sizeCache            protoimpl.SizeCache
+	// exchange_hkswdk is the team's public exchange keyset. The private side
+	// is deterministically derived from the same team root as the team's
+	// signing keyset, so it is reconstructible by the team's threshold via
+	// the existing share material — no new shares are introduced. Used to
+	// IES-encrypt data targeted at the team. Persists through all team
+	// rotations (per-team, not per-version).
+	ExchangeHkswdk *v1.HybridKeySetWithDetachedKeys `protobuf:"bytes,3,opt,name=exchange_hkswdk,json=exchangeHkswdk,proto3" json:"exchange_hkswdk,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
 }
 
 func (x *TeamBaseInfo) Reset() {
@@ -81,14 +89,22 @@ func (x *TeamBaseInfo) GetMissingPieceChecksum() []byte {
 	return nil
 }
 
+func (x *TeamBaseInfo) GetExchangeHkswdk() *v1.HybridKeySetWithDetachedKeys {
+	if x != nil {
+		return x.ExchangeHkswdk
+	}
+	return nil
+}
+
 var File_splitsecure_teamresource_v1_team_base_info_proto protoreflect.FileDescriptor
 
 const file_splitsecure_teamresource_v1_team_base_info_proto_rawDesc = "" +
 	"\n" +
-	"0splitsecure/teamresource/v1/team_base_info.proto\x12\x1bsplitsecure.teamresource.v1\"`\n" +
+	"0splitsecure/teamresource/v1/team_base_info.proto\x12\x1bsplitsecure.teamresource.v1\x1aCsplitsecure/hybridkeyset/v1/hybrid_key_set_with_detached_keys.proto\"\xc4\x01\n" +
 	"\fTeamBaseInfo\x12\x1a\n" +
 	"\bidentity\x18\x01 \x01(\fR\bidentity\x124\n" +
-	"\x16missing_piece_checksum\x18\x02 \x01(\fR\x14missingPieceChecksumB\x97\x02\n" +
+	"\x16missing_piece_checksum\x18\x02 \x01(\fR\x14missingPieceChecksum\x12b\n" +
+	"\x0fexchange_hkswdk\x18\x03 \x01(\v29.splitsecure.hybridkeyset.v1.HybridKeySetWithDetachedKeysR\x0eexchangeHkswdkB\x97\x02\n" +
 	"\x1fcom.splitsecure.teamresource.v1B\x11TeamBaseInfoProtoP\x01ZSgithub.com/splitsecure/apis/gen/go/proto/splitsecure/teamresource/v1;teamresourcev1\xa2\x02\x03STX\xaa\x02\x1bSplitsecure.Teamresource.V1\xca\x02\x1bSplitsecure\\Teamresource\\V1\xe2\x02'Splitsecure\\Teamresource\\V1\\GPBMetadata\xea\x02\x1dSplitsecure::Teamresource::V1b\x06proto3"
 
 var (
@@ -105,14 +121,16 @@ func file_splitsecure_teamresource_v1_team_base_info_proto_rawDescGZIP() []byte
 
 var file_splitsecure_teamresource_v1_team_base_info_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
 var file_splitsecure_teamresource_v1_team_base_info_proto_goTypes = []any{
-	(*TeamBaseInfo)(nil), // 0: splitsecure.teamresource.v1.TeamBaseInfo
+	(*TeamBaseInfo)(nil),                    // 0: splitsecure.teamresource.v1.TeamBaseInfo
+	(*v1.HybridKeySetWithDetachedKeys)(nil), // 1: splitsecure.hybridkeyset.v1.HybridKeySetWithDetachedKeys
 }
 var file_splitsecure_teamresource_v1_team_base_info_proto_depIdxs = []int32{
-	0, // [0:0] is the sub-list for method output_type
-	0, // [0:0] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	1, // 0: splitsecure.teamresource.v1.TeamBaseInfo.exchange_hkswdk:type_name -> splitsecure.hybridkeyset.v1.HybridKeySetWithDetachedKeys
+	1, // [1:1] is the sub-list for method output_type
+	1, // [1:1] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }
 
 func init() { file_splitsecure_teamresource_v1_team_base_info_proto_init() }
diff --git a/proto/splitsecure/teamresource/v1/team_base_info.proto b/proto/splitsecure/teamresource/v1/team_base_info.proto
index 5b46610..50e9c9e 100644
--- a/proto/splitsecure/teamresource/v1/team_base_info.proto
+++ b/proto/splitsecure/teamresource/v1/team_base_info.proto
@@ -1,6 +1,8 @@
 syntax = "proto3";
 package splitsecure.teamresource.v1;
 
+import "splitsecure/hybridkeyset/v1/hybrid_key_set_with_detached_keys.proto";
+
 // TeamBaseInfo carries fields that persist across team rotations.
 message TeamBaseInfo {
   // serialized splitsecure.delegationgraph.v1.IdentityVertex
@@ -13,4 +15,12 @@ message TeamBaseInfo {
   // Empty when the team does not use this feature.
   // This persists through all team rotations (per-team, not per-version).
   bytes missing_piece_checksum = 2;
+
+  // exchange_hkswdk is the team's public exchange keyset. The private side
+  // is deterministically derived from the same team root as the team's
+  // signing keyset, so it is reconstructible by the team's threshold via
+  // the existing share material — no new shares are introduced. Used to
+  // IES-encrypt data targeted at the team. Persists through all team
+  // rotations (per-team, not per-version).
+  splitsecure.hybridkeyset.v1.HybridKeySetWithDetachedKeys exchange_hkswdk = 3;
 }