Key pairs
The Sui TypeScript SDK provides Keypair
classes that handle logic for signing and verification
using the cryptographic key pairs associated with a Sui address.
The Sui TypeScript SDK supports three signing schemes:
Sign scheme | Class name | Import folder |
---|---|---|
Ed25519 | Ed25519Keypair | @mysten/sui.js/keypairs/ed25519 |
ECDSA Secp256k1 | Secp256k1Keypair | @mysten/sui.js/keypairs/secp256k1 |
ECDSA Secp256r1 | Secp256r1Keypair | @mysten/sui.js/keypairs/secp256r1 |
For information on these schemes, see the Signatures (opens in a new tab) topic.
To use, import the key pair class your project uses from the @mysten/sui.js/keypairs
folder. For
example, to use the Ed25519 scheme, import the Ed25519Keypair
class from
@mysten/sui.js/keypairs/ed25519
.
import { Ed25519Keypair } from '@mysten/sui.js/keypairs/ed25519';
To create a random key pair (which identifies a Sui address), instantiate a new Keypair
class. To
reference a key pair from an existing secret key, pass the secret to the fromSecretKey
function.
// random Keypair
const keypair = new Ed25519Keypair();
// Keypair from an existing secret key (Uint8Array)
const keypair = Ed25519Keypair.fromSecretKey(secretKey);
With your key pair created, you can reference it when performing actions on the network. For example, you can use it to sign transactions, like the following code that creates and signs a personal message using the public key from the key pair created in the previous code:
const publicKey = keypair.getPublicKey();
const message = new TextEncoder().encode('hello world');
const { signature } = await keypair.signPersonalMessage(message);
const isValid = await publicKey.verifyPersonalMessage(message, signature);
Public keys
Each Keypair
has an associated PublicKey
class. You use the public key to verify signatures or
to retrieve its associated Sui address. You can access a Keypair
from its PublicKey
or construct
it from the bytes (as a Uint8Array
) of the PublicKey
, as in the following code:
import { Ed25519Keypair, Ed25519PublicKey } from '@mysten/sui.js/keypairs/ed25519';
const keypair = new Ed25519Keypair();
const bytes = keypair.getPublicKey().toBytes();
const publicKey = new Ed25519PublicKey(bytes);
const address = publicKey.toSuiAddress();
Verifying signatures without a key pair
When you have an existing public key, you can use it to verify a signature. Verification ensures the signature is valid for the provided message and is signed with the appropriate secret key.
The following code creates a key pair in the Ed25519 scheme, creates and signs a message with it,
then verifies the message to retrieve the public key. The code then uses toSuiAddress()
to check
if the address associated with the public key matches the address that the key pair defines.
import { Ed25519Keypair } from '@mysten/sui.js/keypairs/ed25519';
import { verifyPersonalMessage } from '@mysten/sui.js/verify';
const keypair = new Ed25519Keypair();
const message = new TextEncoder().encode('hello world');
const { signature } = await keypair.signPersonalMessage(message);
const publicKey = await verifyPersonalMessage(message, signature);
if (publicKey.toSuiAddress() !== keypair.getPublicKey().toSuiAddress()) {
throw new Error('Signature was valid, but was signed by a different key pair');
}
Verifying transaction blocks
Verifying transaction blocks is similar to signature verification, except you use
verifyTransactionBlock
:
// import SuiClient to create a network client and the getFullnodeUrl helper function
import { getFullnodeUrl, SuiClient } from '@mysten/sui.js/client';
import { Ed25519Keypair } from '@mysten/sui.js/keypairs/ed25519';
import { verifyTransactionBlock } from '@mysten/sui.js/verify';
// see Network Interactions with SuiClient for more info on creating clients
const client = new SuiClient({ url: getFullnodeUrl('testnet') });
const txb = new TransactionBlock();
// ... add some transactions...
const bytes = await txb.build({ client });
const keypair = new Ed25519Keypair();
const { signature } = await keypair.signTransactionBlock(bytes);
// if you have a public key, you can verify it
// const isValid = await publicKey.verifyTransactionBlock(bytes, signature);
// or get the public key from the transaction block
const publicKey = await verifyTransactionBlock(bytes, signature);
if (publicKey.toSuiAddress() !== keypair.getPublicKey().toSuiAddress()) {
throw new Error('Signature was valid, but was signed by a different keyPair');
}
Deriving a key pair from a mnemonic
The Sui TypeScript SDK supports deriving a key pair from a mnemonic phrase. This can be useful when building wallets or other tools that allow a user to import their private keys.
const exampleMnemonic = 'result crisp session latin ...';
const keyPair = Ed25519Keypair.deriveKeypair(exampleMnemonic);
Deriving a Keypair
from a Bech32 encoded secret key
You can derive a Keypair
by converting the 33-byte secret key encoded in Bech32 string to a
Uint8Array
and passing it to the fromSecretKey
method of a Keypair
class.
import { decodeSuiPrivateKey, encodeSuiPrivateKey } from '@mysten/sui.js/cryptography/keypair';
import { Ed25519Keypair } from '@mysten/sui.js/keypairs/ed25519';
const encoded = encodeSuiPrivateKey(
[
59, 148, 11, 85, 134, 130, 61, 253, 2, 174, 59, 70, 27, 180, 51, 107, 94, 203, 174, 253, 102,
39, 170, 146, 46, 252, 4, 143, 236, 12, 136, 28,
],
'ED25519',
);
const { schema, secretKey } = decodeSuiPrivateKey(encoded);
// use schema to choose the correct key pair
const keypair = Ed25519Keypair.fromSecretKey(secretKey);
See SIP-15 (opens in a new tab) for additional context and motivation.
Deriving a Keypair
from a hex encoded secret key
If you have an existing secret key formatted as a hex encoded string, you can derive a Keypair
by
converting the secret key to a Uint8Array
and passing it to the fromSecretKey
method of a
Keypair
class.
import { Ed25519Keypair } from '@mysten/sui.js/keypairs/ed25519';
import { fromHex } from '@mysten/sui.js/utils';
const secret = '0x...';
const keypair = Ed25519Keypair.fromSecretKey(fromHex(secret));