`@parity/product-sdk-keys`

Derive application keys from a user’s account without touching their seed phrase.

KeyManager holds a master key (typically derived from a one-time signature) and produces deterministic child keys via HKDF-SHA256, so an app can scope its own keys without ever asking for the user’s mnemonic. SessionKeyManager is a separate, storage-backed mechanism: it generates a fresh BIP39 mnemonic, keeps it in a LocalKvStore, and derives an sr25519 account from it — useful for persistent session signers. seedToAccount is the dev/test escape hatch that turns a mnemonic and derivation path into a ready-to-use signer.


npm install @parity/product-sdk-keys


pnpm add @parity/product-sdk-keys


yarn add @parity/product-sdk-keys


bun add @parity/product-sdk-keys

Exports

Classes

Name	Summary
`KeyManager`	Hierarchical key manager.
`SessionKeyManager`	Manages an sr25519 account derived from a BIP39 mnemonic.

Functions

Name	Summary
`createChainCode()`	—
`deriveProductAccountPublicKey()`	—
`seedToAccount()`	Derive a DerivedAccount from a BIP39 mnemonic phrase.

Interfaces

Name	Summary
`DerivedAccount`	Derivation result for a Substrate/EVM account from seed material.
`DerivedKeypairs`	NaCl encryption + signing keypairs derived from a master key.
`SessionKeyInfo`	Session key info returned by SessionKeyManager.

Classes

`class KeyManager`

Hierarchical key manager.

Holds a 32-byte master key in memory and derives child keys via HKDF-SHA256. Does not persist anything — persistence is the consumer’s responsibility.

Methods

`deriveAccount`

Derive a Substrate sr25519 account for a given context string.

HKDF(masterKey, "", “account:” + context) → 32-byte seed → sr25519 keypair


deriveAccount(context: string, ss58Prefix: number = 42): DerivedAccount

`deriveKeypairs`

Derive NaCl encryption and signing keypairs from the master key.

Encryption: HKDF(masterKey, "", “encryption-keypair”) → nacl.box.keyPair.fromSecretKey
Signing: HKDF(masterKey, "", “signing-keypair”) → nacl.sign.keyPair.fromSeed


deriveKeypairs(): DerivedKeypairs

`deriveSymmetricKey`

Derive a 32-byte symmetric key for a given context string.

Uses HKDF-SHA256: IKM=masterKey, salt="", info=context


deriveSymmetricKey(context: string): Uint8Array

`exportKey`

Export the raw master key bytes for consumer-managed persistence.


exportKey(): Uint8Array

`fromRawKey`

Create a KeyManager from raw 32-byte key material. For restoring from storage, testing, etc.


fromRawKey(masterKey: Uint8Array): KeyManager

`fromSignature`

Create a KeyManager from a cryptographic signature.

Derives master key via HKDF-SHA256: IKM = signatureBytes, salt = options.salt (default “product-sdk-keys-v1”), info = signerAddress


fromSignature(signature: string | Uint8Array<ArrayBufferLike>, signerAddress: string, options?: { salt?: string }): KeyManager

Parameters

signature: Hex string (with/without 0x prefix) or raw bytes
signerAddress: SS58 address of the signer

`class SessionKeyManager`

Manages an sr25519 account derived from a BIP39 mnemonic.

Examples


const store = await createLocalKvStore({ prefix: "session-key" });
const skm = new SessionKeyManager({ store });
const key = await skm.getOrCreate();

Constructors

`constructor`


new SessionKeyManager(options: { name?: string; store: LocalKvStore }): SessionKeyManager

Methods

`clear`

Clear the stored mnemonic from the store.


clear(): Promise<void>

`create`

Create a new session key from a fresh mnemonic. Persists the mnemonic to the store.


create(): Promise<SessionKeyInfo>

`fromMnemonic`

Derive a session key from an explicit mnemonic (no storage interaction).


fromMnemonic(mnemonic: string): SessionKeyInfo

`get`

Load an existing session key from the store. Returns null if no mnemonic is stored.


get(): Promise<SessionKeyInfo | null>

`getOrCreate`

Load existing or create a new session key.


getOrCreate(): Promise<SessionKeyInfo>

Functions

`createChainCode()`


createChainCode(code: string): Uint8Array

`deriveProductAccountPublicKey()`


deriveProductAccountPublicKey(parentPublicKey: Uint8Array, productId: string, derivationIndex: number): Uint8Array

`seedToAccount()`

Derive a DerivedAccount from a BIP39 mnemonic phrase.

Uses the specified key type for derivation with a hard derivation path (default "//0").


seedToAccount(mnemonic: string, derivationPath: string = "//0", ss58Prefix: number = 42, keyType: "sr25519" | "ed25519" = "sr25519"): DerivedAccount

Parameters

mnemonic: BIP39 mnemonic phrase
derivationPath: Hard derivation path, defaults to "//0"
ss58Prefix: SS58 network prefix, defaults to 42 (generic)
keyType: Key type for derivation, either "sr25519" or "ed25519", defaults to "sr25519"

Interfaces

`interface DerivedAccount`

Derivation result for a Substrate/EVM account from seed material.

Properties

`h160Address`

property`0x${string}`

H160 EVM address derived via keccak256(publicKey)

`publicKey`

propertyUint8Array

Public key (32 bytes). Sr25519 or Ed25519 depending on key type.

`signer`

propertyPolkadotSigner

PolkadotSigner for signing extrinsics

`ss58Address`

propertySS58String

SS58 address (generic prefix 42 by default)

`interface DerivedKeypairs`

NaCl encryption + signing keypairs derived from a master key.

Properties

`encryption`

property{ publicKey: Uint8Array; secretKey: Uint8Array }

Curve25519 keypair for NaCl Box (asymmetric encryption)

`signing`

property{ publicKey: Uint8Array; secretKey: Uint8Array }

Ed25519 keypair for NaCl Sign (digital signatures)

`interface SessionKeyInfo`

Session key info returned by SessionKeyManager.

Properties

`account`

propertyDerivedAccount

The derived account info

`mnemonic`

propertystring

The BIP39 mnemonic (the only thing that needs persisting)