llms.txt
@mysten/sui v2.0 and a new dApp Kit are here! Check out the migration guide
Mysten Labs SDKs
Cryptography

Key pairs

Create Ed25519, Secp256k1, and Secp256r1 keypairs and derive them from mnemonics and secret keys

A Keypair holds a Sui private key in process and signs with it. It is the easiest Signer to use. It is ideal for scripts, backends, and tests where you manage the secret key yourself. For the signing and verification API shared by all signers, see Cryptography; this page focuses on creating keypairs and deriving them from mnemonics and secret keys.

Each signing scheme has a corresponding Keypair class:

Sign schemeClass nameImport folder
Ed25519Ed25519Keypair@mysten/sui/keypairs/ed25519
ECDSA Secp256k1Secp256k1Keypair@mysten/sui/keypairs/secp256k1
ECDSA Secp256r1Secp256r1Keypair@mysten/sui/keypairs/secp256r1

To use, import the key pair class your project uses from the @mysten/sui/keypairs folder. For example, to use the Ed25519 scheme, import the Ed25519Keypair class from @mysten/sui/keypairs/ed25519.

import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';

Creating a key pair

To create a random key pair (which identifies a Sui address), instantiate a new Keypair class. To reference a key pair from an existing secret key, pass the secret to the fromSecretKey function.

// random Keypair
const keypair = new Ed25519Keypair();

// or, a Keypair from an existing secret key (Uint8Array)
const fromSecret = Ed25519Keypair.fromSecretKey(secretKey);

With your key pair created, you can derive its address and sign with it. The following signs a personal message and verifies it with the public key:

const publicKey = keypair.getPublicKey();
const address = keypair.toSuiAddress();

const message = new TextEncoder().encode('hello world');
const { signature } = await keypair.signPersonalMessage(message);
const isValid = await publicKey.verifyPersonalMessage(message, signature);

See Cryptography for the full signing and verification API, including verifying signatures without the original key pair.

Public keys

Each Keypair has an associated PublicKey, which you use to verify signatures or to retrieve its Sui address. Access it from a Keypair with getPublicKey(). To recreate a keypair, and therefore its public key, from saved key material, reconstruct it from the secret key:

import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';

// Recreate the keypair from its secret key (Uint8Array)
const keypair = Ed25519Keypair.fromSecretKey(secretKey);

// Access the public key and derive the address
const publicKey = keypair.getPublicKey();
const address = publicKey.toSuiAddress();
// or derive the address directly from the keypair
const sameAddress = keypair.toSuiAddress();

See Deriving a Keypair from a Bech32 encoded secret key for working with encoded secret-key formats.

Deriving a key pair from a mnemonic

The Sui TypeScript SDK supports deriving a key pair from a mnemonic phrase. This can be useful when building wallets or other tools that allow a user to import their private keys.

const exampleMnemonic = 'result crisp session latin ...';

const keyPair = Ed25519Keypair.deriveKeypair(exampleMnemonic);

Deriving a Keypair from a Bech32 encoded secret key

If you know the Keypair scheme for your secret key, you can use the fromSecretKey method of the appropriate Keypair class to derive the keypair from the secret key.

import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';

// Example bech32 encoded secret key (which always starts with 'suiprivkey')
const secretKey = 'suiprivkey1qzse89atw7d3zum8ujep76d2cxmgduyuast0y9fu23xcl0mpafgkktllhyc';

const keypair = Ed25519Keypair.fromSecretKey(secretKey);

You can also use the decodeSuiPrivateKey function to decode the secret key and determine the keyScheme, and get the key pair's private key bytes, which you can use to instantiate the appropriate Keypair class.

import { decodeSuiPrivateKey } from '@mysten/sui/cryptography';
import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
import { Secp256r1Keypair } from '@mysten/sui/keypairs/secp256r1';
import { Secp256k1Keypair } from '@mysten/sui/keypairs/secp256k1';

const encoded = 'suiprivkey1qzse89atw7d3zum8ujep76d2cxmgduyuast0y9fu23xcl0mpafgkktllhyc';
const { scheme, secretKey } = decodeSuiPrivateKey(encoded);

// use scheme to choose the correct key pair
let keypair;
switch (scheme) {
	case 'ED25519':
		keypair = Ed25519Keypair.fromSecretKey(secretKey);
		break;
	case 'Secp256r1':
		keypair = Secp256r1Keypair.fromSecretKey(secretKey);
		break;
	case 'Secp256k1':
		keypair = Secp256k1Keypair.fromSecretKey(secretKey);
		break;
	default:
		throw new Error(`Unsupported key pair scheme: ${scheme}`);
}

See SIP-15 for additional context and motivation.

You can export a keypair to a Bech32 encoded secret key using the getSecretKey method.

const secretKey = keypair.getSecretKey();

If you have only the raw private key bytes for your keypair, you can encode to the Bech32 format using the encodeSuiPrivateKey function.

import { encodeSuiPrivateKey } from '@mysten/sui/cryptography';

const encoded = encodeSuiPrivateKey(
	new Uint8Array([
		59, 148, 11, 85, 134, 130, 61, 253, 2, 174, 59, 70, 27, 180, 51, 107, 94, 203, 174, 253, 102,
		39, 170, 146, 46, 252, 4, 143, 236, 12, 136, 28,
	]),
	'ED25519',
);

Deriving a Keypair from a hex encoded secret key

If you have an existing secret key formatted as a hex encoded string, you can derive a Keypair by converting the secret key to a Uint8Array and passing it to the fromSecretKey method of a Keypair class.

import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
import { fromHex } from '@mysten/sui/utils';

const secret = '0x...';
const keypair = Ed25519Keypair.fromSecretKey(fromHex(secret));

On this page