Key Generation

This explains key generation generally without diving to far into the cryptography internals.

The Secret Recovery Phrase

Let’s start with the Secret Recovery Phrase. When you first install Apex, we generate 12 words known as the Secret Recovery Phrase via the EthersJs Library. We use a specification known as the BIP39 to generate these words.

  • These 12 words in the Secret Recovery Phrase are generated from a list of 2048 words. The complete list of 2048 words can be found here:
  • BIP39 uses mnemonic phrases of 12 or 24 words, depending on the implementations. Hardware ledgers that use BIP39 include the Ledger Nano S and the Trezor Model One.



BIP stands for Bitcoin Improvement Proposals. BIP39 recommends the use of a mnemonic phrase (a group of easy-to-remember words) to serve as a means to recover your accounts in the event your accounts are compromised or lost. We call this mnemonic phrase the Secret Recovery Phrase.*

The order of the words in the secret recovery phrase is important. Each word in the secret recovery phrase has a number associated with it. These numbers form a seed integer, then used to create a set of public/private keys. The following diagram summarizes this:


Generating the public/private key pair and the Ethereum address

This is how the key pair is generated:

  1. A private key is generated using the seed integer (which is obtained from the secret recovery phrase) using the SHA256 hash function
  2. The corresponding public key for the private key is derived from the private key using the ECDSA (Elliptic Curve Signature) algorithm.
  3. From the public key derived in step 2, we use the keccak256 algorithm to generate a hash.
  4. From this keccak256 hash, we take the last 20 bytes (40 hexadecimal), and prefix the bytes with a “0x”. This is your new Ethereum address ✨!!


Check out for more details.

Creating the Default Account

With the public/private key pair created from the seed integer, Apex will now create your first account. As explained, your first account is generated from the keccak256 hash.

Internally, Apex encrypts your private key (either generated or imported) using the password you supplied during installation and stores it in your browser’s data store (IndexDB). It does not store it in the cloud.

The following figure summarizes how Apex generates your private key, derives the account address, and stores your private key internally in the browser store.*7G-_mBuMQ9w5foV9dRx2iA.png

Additional Accounts

If generating another wallet in Apex, we derivate the next account from the first imported/created account in the extension. This chaining is called building a hierarchical deterministic wallet.

The following figure summarizes this step:*KIyQLCQhRCxWdsK0x-9Aqg.png

Your accounts can be recovered if you have your secret recovery phrase. However, only if they have been created and stored in Apex Wallet.

Note: If you import a new account, Apex will use the private key of the first account and hash to get the next private key of the first account. The same procedure applies (as described earlier) to get the public key and, subsequently, the account address. And the next account is always the hash of the previous private key.

Recovering Accounts in Apex

If you forget your password and need to restore accounts as long as you have your phrase, you can simply remove the extension from your browser and import the wallet with your secret recovery phrase 👀. Apex will recover the main account!


Secret Phrases

If you lose your secret phrase, there is nothing anyone can do to recover your account. So please be careful!!

Once the first account is imported, if you click "Add New Account" from the main menu, Apex will automatically derive the previous account you created from that main address. Continue to do this until you get all the accounts you derived from your primary seed phrase.


Recovering Accounts

Apex can only recover accounts you have created using Apex — if you have imported an account from another source, you must add the account manually.