All articles

What is a public key (XPUB)?

An Extended Public Key (XPUB) is a cryptographic string that allows anyone to generate and see all the addresses your wallet controls for Bitcoin & for other coins that use Bitcoin's UTXO-based model, like Dogecoin, Litecoin, Cardano, Bitcoin Cash & Zcash. Understanding XPUBs is essential for Bitcoin users, and, like many concepts in Bitcoin, they may seem complex at first but become intuitive with practical experience.
 

XPUBs were introduced by Pieter Wuille, a prominent Bitcoin developer, as part of BIP32 (Bitcoin Improvement Proposal 32), which laid the foundation for Hierarchical Deterministic (HD) wallets.
 

The introduction of XPUBs (Extended Public Keys) significantly enhanced on-chain privacy. By having a single public key to generate multiple unique addresses, XPUBs enable a user to receive separate payments to different addresses, reducing the risk of exposing their full wallet balance and preventing potential tracking caused by address reuse.
 

How does an XPUB work?


An XPUB is a special key in HD wallets that shows every address the account has generated, and can generate more addresses. It works by applying a mathematical formula to derive multiple addresses for receiving funds while keeping the private key secure.
 

Warning: Sharing an XPUB compromises your on-chain privacy!

Anyone who has access to your XPUB can track your entire transaction history and balance. Be very selective with who you share your XPUB with. 


XPUBs in practice: how to get your XPUB in Trezor Suite


To see the XPUB of your account:
 

  • Plug in your Trezor and open the Trezor Suite desktop app or web app
  • Select the desired account from the sidebar menu
  • Then select the the Details tab, and click on Show public key:

 
 

Your Trezor device and Trezor Suite will now display your XPUB both as a QR code and as text.
 

For security purposes it is crucial that you review every character matches on your Trezor device’s screen and Trezor Suite, just like when generating a receiving address or verifying an outgoing transaction’s address.


 

 

The XPUB can be copied or scanned into any application that supports XPUBs or any compatible block explorer. You now can then keep track of your transactions and balances and receive payments on the go, without needing to have your Trezor with you.
 
By pasting an XPUB into a block explorer, you are linking your IP address to that XPUB which may identify you to the owners of the website.

Consider using a VPN if using a block explorer to check your XPUB.

     

Importing XPUBs

To view your complete Trezor portfolio and balance, it’s important to import all public addresses (XPUBs) for every coin and Bitcoin account type you use.
 

If you choose this method to receive funds, ensure that your XPUB that Trezor Suite displays is the same as the one displayed on your Trezor device, as described above. This is a riskier method of receiving funds than copying addresses directly from Trezor Suite. 


If you use multiple account types (Segwit, Taproot, Legacy Segwit & Legacy) you will need to import an XPUB for each account type.
 

Similarly, for other coins that use Bitcoin's UTXO-based model, like Litecoin , ensure you import the corresponding XPUBs for each account type. This ensures accurate tracking of your assets and the ability to receive transactions seamlessly.
 

To learn more about account types, please read this article.
 

XPUBs in Trezor Suite Lite


In Trezor Suite Lite, you can import XPUBs to view all your Bitcoin accounts and accounts for other cryptocurrencies that use similar address structures and transaction models, such as Litecoin and Bitcoin Cash.
 

For more information, you can read our article about XPUBs in Trezor Suite.
 

FAQs about XPUBs


If I lose my XPUB, do I lose access to my funds?


This is something particularly tricky to which multisig users need to pay very close attention. 

If you have a normal wallet which is not a multisig wallet, you will not lose access to your funds as long as you have access to your private key, either as a wallet backup or within your Trezor device.

However, if you are managing your own multisig setup, losing an XPUB can potentially result in losing access to your funds.

When sending funds from a multisig wallet, the XPUB of each key used in the setup is required to reconstruct the wallet.

Without every single XPUB from the keyset, you will not be able to access or manage your funds even if you have enough private keys to meet the threshold.

If you have a multisig wallet and have access to all the keys used to set up the wallet, back up your XPUBs immidiately!

 

Example: In a 2-of-3 multisig wallet, if you lose one of the keys and did not back up that key’s XPUB, you won’t be able to send funds, even if you still have the other two keys.


 

To protect your multisig setup, ensure that the XPUB for each key in your multisig setup is backed up.

As with any wallet backup, you should make multiple copies of each XPUB. 


Are XPUBs safe to share?


Anyone with your XPUB will be able to see your total balance. For this reason, you should be very careful with sharing your XPUB. If you are using an XPUB to get paid, consider using this wallet separately from your main holdings.
 

Can an XPUB be changed or updated?


An XPUB is generated from the wallet’s master private key using a specific derivation path. As long as the wallet’s private key remains the same, the XPUB will always correspond to it.
 

How is an XPUB generated?


An XPUB is created from your wallet's master private key and a derivation path. The master private key generates a master public key, which is then combined with additional data to create the XPUB.
 

What is a derivation path?


A derivation path is a sequence of instructions used to generate specific crypto addresses from a wallet's master seed. It ensures compatibility between wallets and allows users to access their funds consistently across different wallet applications.
 

Does sharing an XPUB compromise my wallet’s security?


Sharing an XPUB does not directly compromise your wallet’s security because an XPUB cannot be used to spend funds—it only generates public addresses. However, sharing an XPUB can expose your entire wallet’s transaction history and balance, which could compromise your privacy.
 

Only share your XPUB for specific use cases (e.g., receiving payments) and avoid using the same XPUB for wallets tied to sensitive balances or activity. Always keep your private key and recovery seed secure to prevent total wallet compromise.


Best practices for managing Your XPUBs


Keeping your XPUB selectively private


Your XPUB acts like a window into your wallet, revealing your entire balance and transaction history to anyone who has access to it. For this reason, it’s crucial to keep your XPUB private and only share it for specific purposes, like receiving recurring payments to a designated wallet.
 

If you later move funds from this wallet to another, and especially if you consolidate UTXOs, anyone with access to your XPUB can still track your entire balance and transaction history.
 

Always use caution when sharing your XPUB and consider creating separate wallets for public or shared purposes to protect your privacy.
 

Backup and recovery tips for XPUBs


If you still have your wallet backup or a functioning Trezor device, you can recover your XPUB at any time through Trezor Suite. This is also possible in a multisig setup, but it requires access to all the keys in the setup to reconstruct the XPUBs. Keeping your wallet backup safe ensures you can always retrieve your XPUB if needed.
 

XPUBs and the future of crypto wallets
 

XPUBs are a key feature of wallets today, but as Bitcoin evolves, new formats like YPUBs, ZPUBs, and TPUBs are becoming popular, although they are generated from the same mechanics as XPUBs. These formats correspond to SegWit (Segregated Witness) and Taproot, upgrades to Bitcoin that reduce fees, improve transaction efficiency, and enable advanced functionality.
 

  • YPUB: Used for older SegWit-compatible addresses that start with "3." While widely supported, they are less efficient than newer formats.
  • ZPUB: Used for native SegWit addresses that start with "bc1." These offer lower fees and faster transactions, making them a preferred choice for many users.
  • TPUB: Used for Taproot addresses that start with "bc1p." Taproot enables even greater efficiency and enhances privacy for complex transactions like multisig setups.


As more wallets and exchanges adopt SegWit & Taproot, ZPUBs & TPUBs are becoming the standard, helping users save on fees and making Bitcoin transactions smoother and more secure.