diff --git a/README.md b/README.md
index 537aeb3..6e214cc 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ version      Show current version
       --metrics                    enable prometheus
   -h, --help                       show help
   -v, --version                    show version
-      --key string                 "generated" to generate key, path to private key file, hex string or wif (default "generated")
+      --key string                 path to private key file, hex string or wif (the key will be autogenerated if not specified)
       --verbose                    debug gRPC connections
       --request_timeout duration   gRPC request timeout (default 5s)
       --connect_timeout duration   gRPC connect timeout (default 30s)
diff --git a/app.go b/app.go
index bcb2537..1144de0 100644
--- a/app.go
+++ b/app.go
@@ -56,6 +56,11 @@ func WithConfig(c *viper.Viper) Option {
 }
 
 func newApp(ctx context.Context, opt ...Option) App {
+	var (
+		creds neofs.Credentials
+		err   error
+	)
+
 	a := &app{
 		log:       zap.L(),
 		cfg:       viper.GetViper(),
@@ -86,7 +91,13 @@ func newApp(ctx context.Context, opt ...Option) App {
 	a.webServer.DisablePreParseMultipartForm = true
 	a.webServer.StreamRequestBody = a.cfg.GetBool(cfgWebStreamRequestBody)
 	// -- -- -- -- -- -- -- -- -- -- -- -- -- --
-	creds, err := neofs.NewCredentials(a.cfg.GetString(cmdNeoFSKey))
+	keystring := a.cfg.GetString(cmdNeoFSKey)
+	if len(keystring) == 0 {
+		a.log.Info("no key specified, creating one automatically for this run")
+		creds, err = neofs.NewEphemeralCredentials()
+	} else {
+		creds, err = neofs.NewCredentials(keystring)
+	}
 	if err != nil {
 		a.log.Fatal("failed to get neofs credentials", zap.Error(err))
 	}
diff --git a/neofs/credentials.go b/neofs/credentials.go
index 20b8c9b..990aa96 100644
--- a/neofs/credentials.go
+++ b/neofs/credentials.go
@@ -2,6 +2,9 @@ package neofs
 
 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"math/big"
 
 	"github.com/nspcc-dev/neofs-api-go/pkg/owner"
 	crypto "github.com/nspcc-dev/neofs-crypto"
@@ -33,6 +36,25 @@ func NewCredentials(secret string) (Credentials, error) {
 	return setFromPrivateKey(key)
 }
 
+// NewEphemeralCredentials creates new private key and Credentials based on that
+// key.
+func NewEphemeralCredentials() (Credentials, error) {
+	c := elliptic.P256()
+	priv, x, y, err := elliptic.GenerateKey(c, rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	key := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: c,
+			X:     x,
+			Y:     y,
+		},
+		D: new(big.Int).SetBytes(priv),
+	}
+	return setFromPrivateKey(key)
+}
+
 // PrivateKey returns ecdsa.PrivateKey.
 func (c *credentials) PrivateKey() *ecdsa.PrivateKey {
 	return c.key
diff --git a/settings.go b/settings.go
index 7844293..32326cd 100644
--- a/settings.go
+++ b/settings.go
@@ -104,7 +104,7 @@ func settings() *viper.Viper {
 	help := flags.BoolP(cmdHelp, "h", false, "show help")
 	version := flags.BoolP(cmdVersion, "v", false, "show version")
 
-	flags.String(cmdNeoFSKey, "", `path to private key file, hex string or wif`)
+	flags.String(cmdNeoFSKey, "", `path to private key file, hex string or wif (autogenerated key will be used if not specified)`)
 
 	flags.Bool(cmdVerbose, false, "debug gRPC connections")
 	flags.Duration(cfgConTimeout, defaultConnectTimeout, "gRPC connect timeout")