# Polkadot Key Derivation Paths
All paths as per `subkey` standard.
## Overview
Mnemonic (BIP32) -> Seed -> Root-Secret (/Root-Public) -> Derive to account keys
Root-Public key should be shown in UI as an SS58 with a prefix index of 1 (BareSr25519) or 3 (BareEd25519) - depending on crypto used.
Root-Secret should never be shown or exported from UI (only the mnemonic, if needed).
Derivations should be based on networks:
- `//polkadot` -> Polkadot top-level and primary full-security key. This key and others derived under this should be shown using SS58 with a 0 (Polkadot) prefix and with a Polkadot identicon.
- `//kusama` -> Kusama top-level and primary high-security key. This key and others derived under this should be shown using SS58 with a 2 (Kusama) prefix and with a Polkadot identicon.
- Generally `//<network_id>` for the top-level key for any given network, where `<network_id>` is exactly the `id` field in the network's chain spec.
Other standard paths for more sophisticated wallets:
- `//<network>//0`, `//<network>//1`, ...: Secondary full-security keys.
- `//<network>//hot`: Primary partial-security key. On Polkadot Vault, this could coventionally be exported for use on a hot device such as a desktop. If compromised it does not compromise the Vault, but if lost it can be recovered from the Vault. Apps which expect internet connectivity and store the key locally might have a initialization option which is to scan a Vault hot key.
- `//<network>//pub`: Primary public account. Any secondary paths from here can be *soft* derived in order to create a provable connection between the public keys. Wallets may choose to associate this with some on-chain identity.