# Polkadot Key Derivation Paths All paths as per `subkey` standard. ## Overview Mnemonic (BIP32) -> Seed -> Root-Secret (/Root-Public) -> Derive to account keys Root-Public key should be shown in UI as an SS58 with a prefix index of 1 (BareSr25519) or 3 (BareEd25519) - depending on crypto used. Root-Secret should never be shown or exported from UI (only the mnemonic, if needed). Derivations should be based on networks: - `//polkadot` -> Polkadot top-level and primary full-security key. This key and others derived under this should be shown using SS58 with a 0 (Polkadot) prefix and with a Polkadot identicon. - `//kusama` -> Kusama top-level and primary high-security key. This key and others derived under this should be shown using SS58 with a 2 (Kusama) prefix and with a Polkadot identicon. - Generally `//<network_id>` for the top-level key for any given network, where `<network_id>` is exactly the `id` field in the network's chain spec. Other standard paths for more sophisticated wallets: - `//<network>//0`, `//<network>//1`, ...: Secondary full-security keys. - `//<network>//hot`: Primary partial-security key. On Polkadot Vault, this could coventionally be exported for use on a hot device such as a desktop. If compromised it does not compromise the Vault, but if lost it can be recovered from the Vault. Apps which expect internet connectivity and store the key locally might have a initialization option which is to scan a Vault hot key. - `//<network>//pub`: Primary public account. Any secondary paths from here can be *soft* derived in order to create a provable connection between the public keys. Wallets may choose to associate this with some on-chain identity.