An extended public key is public account information that can be used to derive receiving addresses for a specific wallet account.
In the BitBoxApp, you can find the extended public key in the account details window. You may need it when setting up a watch-only wallet or when importing account information into compatible external wallet software.
An extended public key does not contain private keys and cannot be used to spend your funds. However, it can reveal account activity, so you should treat it as privacy-sensitive information.
Privacy note
An extended public key cannot be used to steal your funds, but it can reveal addresses and transactions that belong to the related account. Only share it with wallet software or services you trust.
What an extended public key can do
An extended public key can generate public receiving addresses for one specific wallet account.
This is useful when you want another wallet, service, or tool to monitor an account without giving it spending access.
For example, an extended public key can be used to:
- set up a watch-only wallet
- monitor account balances and transactions
- generate receiving addresses for the related account
- import account information into compatible wallet software
- connect accounting, tax, or portfolio tools
Address verification
External tools may derive receiving addresses from your extended public key. Before using such an address to receive funds, verify the receiving address on your BitBox02 whenever possible.
What an extended public key cannot do
An extended public key cannot spend funds.
It does not contain the private keys required to sign transactions. This means that someone with your extended public key cannot send funds out of your wallet.
An extended public key also cannot be used to recover your wallet. For wallet recovery, you need your wallet backup, such as your recovery words or your microSD card backup.
Recovery words warning
Never enter your recovery words into a computer, smartphone, website, or third-party wallet tool. Recovery words can restore and spend your wallet. An extended public key cannot.
Why extended public keys are privacy-sensitive
Although an extended public key cannot spend funds, it can reveal information about the related account.
Someone with access to an extended public key may be able to see:
- addresses that belong to the account
- received transactions
- outgoing transactions
- balances
- transaction history
- patterns in how the account is used
This can affect your financial privacy, especially if the extended public key is shared with an online service or an untrusted third party.
Extended public keys and wallet accounts
An extended public key usually belongs to one specific account, not necessarily to your entire wallet.
For example, a Bitcoin Native SegWit account and a Bitcoin Taproot account use different account structures. Each account can have its own account details, extended public key, and descriptor.
Sharing one account’s extended public key should not reveal unrelated accounts. However, it can reveal addresses and activity for the account it belongs to.
Account scope
An extended public key applies to the related account and account format. Always check that you are copying the extended public key from the correct account in the BitBoxApp.
Your recovery words are the master seed of your wallet.
From this seed, the BitBox02 can generate:
- multiple accounts
- multiple extended public keys
- many receiving addresses
Each account in the BitBoxApp has its own account details.
Recovery words
└── Bitcoin account 1
└── Extended public key
└── Receiving addresses
└── Bitcoin account 2
└── Extended public key
└── Receiving addressesWhy different extended public key formats exist
Bitcoin has evolved over time and introduced different address types.
Because of this, wallet software must know which address format should be generated from the account information. Extended public key formats and descriptors help wallet software understand which address type belongs to an account.
The most common Bitcoin account formats are:
| Format | Address prefix | Standard | Typical derivation path | Status |
|---|---|---|---|---|
| xpub | 1 | Legacy (BIP44) | m/44'/0'/0' | Old |
| ypub | 3 | Wrapped SegWit (BIP49) | m/49'/0'/0' | Transitional |
| zpub | bc1q | Native SegWit (BIP84) | m/84'/0'/0' | Recommended |
| Taproot descriptor | bc1p | Taproot (BIP86) | m/86'/0'/0' | Newest |
Native SegWit is the recommended standard for most Bitcoin users. These addresses start with bc1q and are widely supported.
Taproot is the newest Bitcoin address format. These addresses start with bc1p. Taproot can be useful when supported by the wallet or service you want to use, but compatibility may still vary depending on the external wallet software.
Wrapped SegWit is an older transitional format. It was introduced to make SegWit compatible with services that did not yet support Native SegWit. Existing Wrapped SegWit accounts continue to work, but Native SegWit is usually preferred today.
Legacy is the oldest Bitcoin address format. It may still appear in older wallets or services, but it is generally not recommended for new accounts.
BitBoxApp default
The BitBoxApp uses Native SegWit by default for Bitcoin accounts because it offers broad compatibility and better fee efficiency than older address formats.
Extended public key or descriptor?
The BitBoxApp can show both the extended public key and the wallet descriptor.
A descriptor contains more complete account information than the extended public key alone. It can include details such as the script type and derivation path, which helps compatible wallet software import the account correctly.
Use the descriptor whenever the external wallet supports it. Use the extended public key only if the external wallet specifically asks for an xpub, ypub, zpub, or similar extended public key.
| Option | What it contains | Recommended use |
|---|---|---|
| Extended public key | Public account information used to derive addresses for one account | Use it when an external wallet asks for an xpub, ypub, zpub, or similar extended public key |
| Descriptor | More complete account information, including details such as script type and derivation path | Use it when the external wallet supports wallet descriptors |
Descriptor compatibility
Wallet descriptors are usually the better option when supported, because they include more complete account information and reduce the risk of importing the wrong address type.
How to view your extended public key
If you want to view your extended public key in the BitBoxApp, follow the separate guide:
→ How to find your extended public key in the BitBoxApp
FAQ
Can someone steal my funds with my extended public key?
No. An extended public key does not contain private keys and cannot be used to spend funds.
Can someone see my transactions with my extended public key?
Yes. Someone with access to the extended public key may be able to monitor addresses, balances, and transactions for the related account.
Is an extended public key the same as recovery words?
No. Recovery words can restore and spend your wallet. An extended public key can only derive public account information and cannot spend funds.
Should I share my extended public key?
Only share your extended public key with wallet software or services you trust. It cannot spend your funds, but it can reveal account activity.
Does one extended public key reveal all my accounts?
Usually no. An extended public key belongs to a specific account and account format. However, it can reveal addresses and activity for that account.
Why do different extended public key formats exist?
Different formats exist because Bitcoin supports different address types, such as Legacy, Wrapped SegWit, Native SegWit, and Taproot. Wallet software needs this information to derive the correct addresses.
Should I use the extended public key or the descriptor?
Use the descriptor whenever the external wallet supports it. Use the extended public key only if the external wallet specifically asks for it.