What do you want to do?
A toolkit for generating, verifying, and recovering Bitcoin seeds. Runs entirely in your browser - no network required.
Standalone tools (no seed required)
Miniscript Lab
Compile spending policies to Miniscript and Bitcoin Script. Analyse safety, enumerate spend paths, see worst-case witness size.
PSBT Inspector
Paste any PSBT (base64 or hex). See inputs, outputs, signatures, derivation paths, fee, and what's still needed to finalise.
BIP-353 DNS Payment Helper
Build a name@domain-style payment endpoint: assemble the bitcoin: URI and DNS TXT record to publish, or decode any URI back into its components.
Sign & Verify Messages
Prove you control an address by signing a message, or verify someone else's signature. BIP-137 and BIP-322.
Silent Payments (BIP-352)
Share one static sp1q… address; every payment goes to a fresh unlinkable Bitcoin address. No notification transaction.
BIP47 Payment Codes
Generate reusable payment codes and addresses between any two parties. PayNym compatible.
Single Address Check
Generate a Bitcoin address from a single WIF or hex private key, or build a quick m-of-n multisig address.
Multisig Addresses
Paste cosigner xpubs / ypubs / zpubs and a threshold to generate multisig addresses (m of n).
Passphrase Generator
Build a strong BIP39 passphrase from dice rolls using the Diceware wordlist.
One-Time Pad
Encrypt a seed phrase with a one-time-pad key. Decrypt to recover. Information-theoretic security.
About the project
Project info, how to use the tool offline, how to verify releases, and where to report issues.
Use offline
The safest way to run this tool is from a machine that is not connected to the internet. Download the single HTML file and open it in any browser on an offline device, or use an amnesic OS like Tails with networking disabled.
Verify releases
Every release is signed with a GPG key so you can confirm the HTML file you downloaded is the one published by the maintainer and hasn't been tampered with. Each release ships with a signature.txt asset alongside index.html.
To verify a download:
curl -sL https://github.com/BitcoinQnA/seedtool/raw/main/RELEASE-SIGNING-KEY.asc | gpg --import
gpg --verify signature.txt
You should see Good signature from "QnA <qna@bitcoiner.guide>" with fingerprint EB3D 738B EC6A 873A C274 5292 CF4F E215 EA66 63AC. The same key is also published at keys.openpgp.org.
Report an issue
Bugs, feature requests, and suggestions go on GitHub Issues. The full source code is open under GPLv3.
Maintainer
Maintained by QnA (@btcqna). See the credits page for the tools and libraries this project is built on.
Seed Workspace
Generate a fresh seed, type in an existing one, or roll your own entropy. Once loaded, all seed-dependent tools light up.
Three ways to load a seed: Pick a tab below. 🤖 generates a fresh random mnemonic, 📥 lets you type one you already have, and 🎲 takes raw entropy from dice / coins / cards. Once a seed is loaded you can add a BIP39 passphrase, and the rest of the toolkit unlocks.
- 🤖 Generate a cryptographically strong random mnemonic
- 📥 Enter your own (previously generated) mnemonic
- 🎲 Enter in your own entropy
Generate a Cryptographically Random Mnemonic of words.
Warning! Do not try to make up your own mnemonic, you are not as random as you think!
NOTE: You can enter your BIP39 Passphrase below.
Warning! Entropy is an advanced feature. Your mnemonic may be insecure if this feature is used incorrectly.
See the Learn more: Entropy button at the top of this page for details.
Output
BIP39 Mnemonic
Derived Addresses
See receive addresses, xpubs, and derivation paths for the loaded seed. Default is BIP84 (native segwit) - the modern standard.
What this does: A seed produces an unlimited tree of addresses. Pick the address style (BIP84 for modern bc1q..., BIP86 for Taproot bc1p..., BIP49 for nested-segwit 3..., BIP44 for legacy 1...) and a list of receive addresses is generated. The account-level xpub can be imported into any compatible wallet to watch-only the same addresses.
BIP44: Multi-Account Hierarchy for Deterministic 'Legacy' Wallets
BIP49: Derivation scheme for P2WPKH-nested-in-P2SH 'Nested Segwit' accounts
BIP84: Derivation scheme for P2WPKH 'Native Segwit' accounts
BIP86: Key Derivation for Single Key P2TR Outputs
The account extended keys can be used for importing to most BIP32 compatible wallets.
The BIP32 derivation path and extended keys are the basis for the derived addresses.
Note these addresses are derived from the BIP32 Extended Key.
BIP47 Payment Codes
Share one reusable payment code instead of fresh addresses every time. Generate addresses between two parties (you and a counterparty).
What this does: BIP47 lets you share one stable "payment code" instead of generating a fresh address every time. When someone wants to pay you, they paste your payment code into their wallet; both wallets derive a fresh address from the two codes, so each payment still gets its own unlinkable address. PayNym is the same idea with cute robot avatars.
My Details
Counterparty Details
Note these addresses are derived from your private key and the public key of your counterparty.
Display addresses from index
Multisig Addresses
Generate multisig (m-of-n) addresses from cosigner public keys. If a seed is loaded, your own xpub is filled in automatically.
What this does: Multisig requires multiple cosigners to spend. Paste each cosigner's account-level extended public key (Ypub or Zpub) on its own line, set the threshold (e.g. 2 for 2-of-3), and addresses will appear below. If you have a seed loaded, your own xpubs appear at the top - click "Add as Cosigner" to include yourself.
BIP85 Tools
Derive deterministic child seeds and passwords from your master seed. The same index always yields the same child - keep the master safe and you can regenerate everything.
What this does: BIP85 turns one master seed into unlimited deterministic children. Pick an Index (0, 1, 2…) and out comes a fresh 12/18/24-word seed phrase or a random-looking password. The same index always produces the same child, so you only ever need to back up the master.
Power user feature. If you lose the master seed, all children are gone too.
Warning! This is an advanced feature and should only be used if you understand what it does. See the Learn more: BIP85 button at the top of this page for details.
Passphrase Generator
Build a strong BIP39 passphrase from real dice rolls. Each word is picked from the Diceware list - 5 dice per word.
How this works: Roll 5 physical dice for each word in your passphrase. Type the digits (e.g. 14352) into the box below or click Add word to auto-roll. Each 5 dice produces one Diceware word - append as many as you want. Your generated passphrase appears below and is automatically set as the loaded BIP39 passphrase.
This passphrase is also written to the BIP39 Passphrase field in the Seed Workspace automatically.
Passphrase Tester
Forgot your BIP39 passphrase? Type the loaded mnemonic + a candidate passphrase in the Seed Workspace, then paste an address you know belongs to that wallet - this will tell you if it matches.
How to use: In the Seed Workspace, enter your mnemonic and try a candidate passphrase. Come back here, paste a Bitcoin address you know belongs to that wallet, then click Search. The tool will scan derived addresses from that seed+passphrase to see if the address appears.
Each search can take ~20 seconds. The default derivation path is BIP84 (m/84'/0'/0'/0) - edit it if you used a different scheme.
Please be patient, each search can take up to 20 seconds!
Split Mnemonic
Display the loaded mnemonic as three cards. Any 2 of the 3 cards recovers the seed; no single card alone reveals it.
2-of-3 paper backup: Your seed gets split into three cards. Any two cards combined recover the original. No single card on its own reveals anything. Keep the three cards in different geographic locations for redundancy without single-point-of-failure risk.
Seed XOR
Combine the loaded seed with one or more additional seeds using XOR. Each share alone reveals nothing - you need every share to recover.
All-shares-needed split: XOR your loaded seed with N additional seeds. Each share looks like a valid 12/24-word seed on its own and reveals nothing useful. You need every share to recover the original. This is different from 2-of-3 splitting (where any 2 suffice) - XOR is N-of-N.
One-Time Pad
Encrypt a seed phrase against a one-time-pad key. The key alone reveals nothing; the ciphertext alone reveals nothing. Information-theoretic security.
How to use: Click NEW KEY to generate a random pad, then ENCRYPT to produce a ciphertext. Store the key and the ciphertext in two different places. To recover, paste both back in and click DECRYPT. If you have both, you get the seed; with either alone, you get nothing.
Last Word Calculator
Finish a partial seed by computing the valid checksum word. Useful when generating seeds from coin flips - flip 7 bits, get a valid 12-word mnemonic.
How to use: The last word of a BIP39 mnemonic isn't random - its first few bits act as a checksum. Type the first 11 (or 17/23) words you already have, then either flip the bit toggles or click Flip the bits to randomize the remaining entropy. The tool figures out which checksum word makes everything valid.
Calculate the last word of a word seed.
Some user entropy is required. It has already been generated randomly, however you can toss a coin for these bits where, for example, "heads" is zero and "tails" is one.
Single Address Check
Generate a Bitcoin address from a single WIF / hex private key, or build a quick m-of-n multisig address from pasted public keys.
What this does: Paste a single Bitcoin private key (WIF like L1aW… or 64-char hex) and see the corresponding Legacy, Nested SegWit, and Native SegWit addresses. Or switch to multisig mode and paste public keys (one per line) to build a quick m-of-n script address. No seed required.
Shamir Secret Sharing
Split a seed into m-of-n shares using Shamir's Secret Sharing. Any threshold of shares can reconstruct the seed; fewer than the threshold reveal nothing. Two industry-standard formats are supported - pick the one your wallet uses.
Why this is better than Seed XOR: XOR requires every share to recover (N-of-N). Shamir lets you set a threshold - any 2 of 3, 3 of 5, etc. Lose one card, you still recover. A single share on its own reveals mathematically nothing.
Three formats, same algorithm:
- SLIP-39 (SatoshiLabs / Trezor): each share is a 20- or 33-word mnemonic from a dedicated SLIP-39 wordlist. Has its own optional passphrase. Supports hierarchical groups (e.g. "any 2 of group A plus any 3 of group B").
- SSKR (Blockchain Commons): shares are compact binary, typically shown as hex or wrapped in UR animated QR codes. No built-in passphrase; the outer container is expected to provide encryption.
- Foundation Shard (Passport Prime): a dCBOR-encoded variant of the same Shamir scheme, designed for NFC KeyCard backups. Byte-for-byte compatible with Passport Prime's Magic Backups.
Shares from one format are not interchangeable with another - pick whichever matches the wallet you intend to recover with.
Load a seed first to split it into Shamir shares.
Hierarchical SLIP-39: you have groups of shares, and you need a threshold of groups, with each group having its own threshold of members. For example: 2-of-3 groups, where each group is 2-of-3 → 9 shares total, you need 2 valid groups (each with 2 valid shares) to recover. Used by serious enterprise custody.
SSKR has no built-in passphrase. If you need an extra layer of encryption, encrypt your seed before splitting it (e.g. via the One-Time Pad tool) or use the outer wallet's encryption layer.
What's used as the master secret: the 128-bit (12-word) or 256-bit (24-word) BIP-39 entropy of your loaded mnemonic. SLIP-39 shares reconstruct this entropy, which then regenerates the same BIP-39 mnemonic.
Your shares
Save each share separately. Anyone who collects the threshold number of shares can recover your seed. Anyone with fewer learns nothing.
Paste your shares - one per row. Any order is fine. The tool needs at least the threshold count of valid shares to reconstruct the secret.
Heads-up: physical Passport Prime KeyCards store the shard as binary NDEF, not hex. To recover from a card directly you'd need an NFC reader app to dump the NDEF record, extract the application/cbor payload bytes, and hex-encode them before pasting here. Hex exported from this tool round-trips without any of that.
The hex above is the master entropy. The BIP-39 mnemonic shown is the corresponding 12/24-word English mnemonic for that entropy - paste it into the Seed Workspace to load it as your active seed.
BIP-329 Wallet Labels
Paste an exported BIP-329 JSONL file from any compatible wallet and see all your transaction notes, address tags, and other labels organized by type.
Why this exists: Most wallets let you add notes - "rent to landlord", "Coinbase deposit", "savings change addr". BIP-329 is the portable JSONL format for moving those labels between wallets. Format:
{ "type": "tx", "ref": "<txid>", "label": "Bought pizza" }
{ "type": "addr", "ref": "bc1q…", "label": "Donation address" }
{ "type": "xpub", "ref": "xpub…", "label": "Savings account" }
{ "type": "output", "ref": "<txid>:0", "label": "Change", "spendable": true }
Six possible type values: tx, addr, pubkey, input, output, xpub. Full spec on GitHub.
Either upload a .jsonl file exported from your wallet (read locally in the browser, never leaves the device), or paste the contents directly. Both work the same way.
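A label file is untrusted input, so a reader should check each record before grouping it. The parser below is an added example, not the tool's own code; it checks only the fields shown above (type, ref, label, spendable), treats a missing label as empty by assumption, and runs on constructed sample lines.

```python
import json
from collections import defaultdict

# The six type values listed above.
VALID_TYPES = {"tx", "addr", "pubkey", "input", "output", "xpub"}


def parse_labels(jsonl_text):
    """Parse BIP-329 JSONL text.

    Returns (grouped, errors): grouped maps type -> list of records,
    errors is a list of (line_number, reason) for rejected lines.
    """
    grouped = defaultdict(list)
    errors = []
    for lineno, raw in enumerate(jsonl_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines between records
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, "not valid JSON: " + exc.msg))
            continue
        if not isinstance(rec, dict):
            errors.append((lineno, "record is not a JSON object"))
            continue
        rtype, ref = rec.get("type"), rec.get("ref")
        label = rec.get("label", "")  # assumption: a missing label means empty
        if not isinstance(rtype, str) or rtype not in VALID_TYPES:
            errors.append((lineno, "unknown type: %r" % (rtype,)))
        elif not isinstance(ref, str) or not ref:
            errors.append((lineno, "ref must be a non-empty string"))
        elif not isinstance(label, str):
            errors.append((lineno, "label must be a string"))
        elif "spendable" in rec and not isinstance(rec["spendable"], bool):
            errors.append((lineno, "spendable must be true or false"))
        else:
            clean = {"ref": ref, "label": label}
            if "spendable" in rec:
                clean["spendable"] = rec["spendable"]
            grouped[rtype].append(clean)
    return dict(grouped), errors


# Constructed sample: the four records shown above plus three bad lines.
SAMPLE = "\n".join([
    '{ "type": "tx", "ref": "<txid>", "label": "Bought pizza" }',
    '{ "type": "addr", "ref": "bc1q…", "label": "Donation address" }',
    '{ "type": "xpub", "ref": "xpub…", "label": "Savings account" }',
    '{ "type": "output", "ref": "<txid>:0", "label": "Change", "spendable": true }',
    '{ "type": "note", "ref": "<txid>", "label": "type not in the list" }',
    '{ "type": "tx", "ref": ',
    '{ "type": "output", "ref": "<txid>:1", "label": "x", "spendable": "yes" }',
])

if __name__ == "__main__":
    groups, problems = parse_labels(SAMPLE)
    for rtype in sorted(groups):
        print(rtype, groups[rtype])
    for lineno, reason in problems:
        print("line %d rejected: %s" % (lineno, reason))
```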
Lightning Decoder
Decode Lightning Network strings into human-readable fields. Supports both BOLT-11 invoices (lnbc…) and BOLT-12 offers / invoices / invoice requests (lno… / lni… / lnr…).
BOLT-11 is the original Lightning invoice format. One-shot, expires quickly, encoded as a long lnbc… string. Decoder shows: amount, recipient node, payment hash, route hints, expiry, description.
BOLT-12 is the modern replacement. Reusable like a BIP-47 payment code, supports recurring payments. Three sub-types: lno1… offers (request to be paid), lni1… invoices, lnr1… invoice requests.
Decoder only - no signature verification, no network calls. Same content you'd see on a Lightning block explorer.
Miniscript Lab
Express Bitcoin spending conditions as a high-level Policy or a lower-level Miniscript expression. The tool compiles to Bitcoin Script, checks safety, and enumerates every way the script can be spent.
Paste anything from a Bitcoin scripting workflow and the tool will figure out what you gave it:
- Policy - human-friendly form, e.g. or(pk(Alice),and(pk(Bob),older(144))). The compiler picks an efficient Miniscript for you.
- Miniscript - the precise lower form that maps 1:1 to Bitcoin Script. Every expression has a known witness cost and a static safety proof.
- Output descriptor - what wallets actually export: wsh(...), tr(...), sh(wsh(...)). Handles BIP-389 multipath (<0;1>/* or /** shorthand) and validates the #checksum. With real xpubs the tool also derives the first receive + change addresses.
Two script contexts:
- P2WSH (Segwit v0): ECDSA keys, multi(k,…) for multisig.
- Tapscript (Taproot leaf): Schnorr x-only keys, multi_a(k,…) for multisig.
Spend paths show required signers, preimages, and timelocks - with human time on every older(N) / after(N).
Nothing is signed or broadcast - pure offline analysis.
Compiled Miniscript
Descriptor
Derived addresses
No addresses for this input. Policies and miniscripts with symbolic key names (A, Alice, Hot, etc.) are abstract templates - the tool has no real public keys to derive an address from. To see a full descriptor + receive/change addresses, paste a real wsh(...) / tr(...) descriptor, or try one of the descriptor sample buttons.
Spend paths
Analysis
Bitcoin Script (ASM)
The script as opcodes - what a node executes when this output is spent. Read top-to-bottom to see exactly which checks run.
Bitcoin Script (hex)
Raw wire-format bytes for the same script. Useful for byte-for-byte comparison with other tools, hand-crafting a transaction, or pasting into a block explorer's script field.
PSBT Inspector
Paste a Partially Signed Bitcoin Transaction (base64 or hex) and the tool will break it down: every input and output, who has signed, derivation paths, fee, and what's still required to finalise.
What this does: A PSBT (BIP-174) is the standard format wallets use to coordinate a transaction across multiple signers - hardware wallets, multisig cosigners, watch-only software. It carries the unsigned transaction plus all the UTXOs, signatures, and BIP-32 derivation paths that any signer might need.
This inspector reads but never signs or modifies. Paste a PSBT before signing it elsewhere to confirm exactly what you're about to authorise: which inputs are being spent, where the money is going, what fee you're paying, and which cosigners have already signed.
Inputs
Outputs
BIP-353 DNS Payment Helper
Turn a memorable identifier like name@domain into a Bitcoin payment endpoint. This tool helps you build the DNS record to publish, and inspect any bitcoin: URI that comes out of one.
What this does: BIP-353 puts a Bitcoin payment URI (Silent Payment address, BOLT-12 offer, on-chain address, etc.) into a DNSSEC-signed DNS TXT record. Senders type name@domain into their wallet, the wallet looks up the record, follows the URI, and pays.
Offline note: The resolution step (DNS lookup + DNSSEC validation) needs the internet. This tool only handles what's offline: building the URI + TXT record to publish, and decoding the URI value once you have it. Run the actual lookup in a connected wallet.
Your identifier
The DNS query a wallet will run: <name>.user._bitcoin-payment.<domain> (TXT record, DNSSEC required).
Payment endpoints (at least one required)
Optional metadata
Bitcoin URI
DNS TXT record to publish
Record name: (TXT, DNSSEC)
Record value:
Once published and DNSSEC is in place, a BIP-353-capable wallet will resolve to the URI above. This tool cannot test that, only an online wallet can.
Heads-up: This sub-tab makes a network call to a public DNS-over-HTTPS resolver. It will not work offline. Other tabs (Build / Inspect) stay fully offline.
Identifier to resolve
DNS response
Resolved TXT value
Decoded URI fields
Paste a bitcoin: URI (the value you'd put in a TXT record, or what a wallet shows after resolving name@domain). The tool breaks it into its component endpoints.
Silent Payments
Share one static address (sp1q…) instead of generating a new one for every payment. The sender uses your address plus their own input keys to compute a unique unlinkable Bitcoin address - no notification transaction needed, unlike BIP-47.
What this does: BIP-352 lets you publish one static address that anyone can pay you at, with each payment going to a fresh unlinkable Bitcoin address on-chain. Your "scan key" lets you find incoming payments; your "spend key" lets you spend them. Both are derived from your seed at standard paths.
Use the tabs below to generate your address, inspect someone else's, send a payment, compare to BIP-47, or read about how it works.
Load a seed first to generate your Silent Payment address.
Your Silent Payment address
Underlying keys
Privacy note: Share this sp1q… address freely. Anyone who has it can derive an unlinkable address to pay you, but only your scan key can find those payments and only your spend key can spend them.
Decoded
Sender side. You're going to pay someone who shared their sp1q… address. Provide that, plus a UTXO you own (its private key, txid, and vout), and the tool will compute the unique Taproot address your payment should go to. You'll construct and broadcast the actual transaction in your wallet.
Construct a transaction in your wallet that sends to this address using exactly the UTXO you specified above. If you use a different input, you'll get a different destination.
BIP-47 (PayNyms) vs BIP-352 (Silent Payments)
BIP-47
- Receiver shares one P… payment code (PayNym).
- Sender broadcasts a notification transaction on-chain to establish a payment channel - visible to chain analysts and costs a fee.
- Both parties then derive a sequence of unique receive addresses from the shared secret.
- Privacy leak: notification tx publicly links the two payment codes.
BIP-352 (newer)
- Receiver shares one sp1q… address.
- No notification transaction. Sender uses their input keys + ECDH with recipient's scan key to derive a fresh Taproot address for each payment.
- Receiver scans the chain (or uses a light filter service) for outputs matching their scan key.
- No on-chain link between sender and receiver beyond the payment itself.
Both schemes give you reusable, fresh-per-payment addresses. Silent Payments is the cleaner protocol - no on-chain handshake, no public link - but requires the receiver's wallet to scan the chain for incoming payments.
1. Two keys instead of one
Most Bitcoin wallets derive every address from a single master key. Silent Payments splits this into two keys:
- Scan key (path m/352'/0'/0'/1'/0) - lets the receiver detect incoming payments by trial-decrypting every transaction output on the chain.
- Spend key (path m/352'/0'/0'/0'/0) - required to actually spend a received output.
The receiver can give their scan key to a server (e.g. their wallet provider) without granting any spending power. The spend key stays on a hardware wallet or air-gapped device.
2. The sp1q… address
The receiver's "address" is the concatenation of scan_pubkey ‖ spend_pubkey (33 + 33 = 66 bytes), encoded as Bech32m with the prefix sp for mainnet or tsp for testnet. It's static - share it once, accept payments forever.
3. Sender's tweak (ECDH)
When the sender wants to pay, they take the private keys for the UTXOs they're spending and combine them into a single private key a. Then they compute the shared secret:
shared = SHA256(a · scan_pubkey ‖ outpoint_hash)
This shared secret is unique to (this sender × this UTXO × this recipient). The sender then tweaks the recipient's spend key by this secret to derive a fresh Taproot output key:
output_pubkey = spend_pubkey + shared·G
They send to this fresh address. To any observer, it looks like an ordinary bc1p… Taproot payment.
4. Receiver's scan
The receiver scans the chain for Taproot outputs. For each block's transactions, they:
- Take the inputs' public keys (which are now revealed on-chain) and compute A = sum of input pubkeys.
- Compute the same shared = SHA256(scan_privkey · A ‖ outpoint_hash).
- Check if any output equals spend_pubkey + shared·G.
If yes, that output belongs to them. They use spend_privkey + shared as the spending key.
5. Why it's better than BIP-47
No notification transaction - nothing on-chain links the sender's identity to the receiver beyond the payment itself. The static sp1q… address can be posted on a website, in an email signature, on a business card. Every payment to it goes to a different unlinkable Taproot output.
The trade-off: receivers must scan the chain (or use a service that scans for them via BIP-158-style filters). Compatible wallets handle this transparently.
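The sender tweak and receiver scan from steps 3 and 4, carried through on secp256k1 so both sides can be seen arriving at the same output key. This is an added example, not the tool's code: it follows the simplified formulas on this page rather than the full BIP-352 specification, and every key and the outpoint_hash value are constructed test values.

```python
import hashlib

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Add two curve points; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1] % P, -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add (not constant time)."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def ser(pt):
    """33-byte compressed encoding of a point."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def shared_scalar(ecdh_point, outpoint_hash):
    """shared = SHA256(ecdh_point ‖ outpoint_hash), reduced to a scalar."""
    digest = hashlib.sha256(ser(ecdh_point) + outpoint_hash).digest()
    return int.from_bytes(digest, "big") % N


def sender_output(input_privkeys, scan_pub, spend_pub, outpoint_hash):
    """Sender: output_pubkey = spend_pubkey + shared·G, with a = sum of input keys."""
    a = sum(input_privkeys) % N
    shared = shared_scalar(mul(a, scan_pub), outpoint_hash)
    return add(spend_pub, mul(shared, G))


def receiver_scan(scan_priv, spend_pub, input_pubkeys, outpoint_hash, outputs):
    """Receiver: return the tweak if one of the outputs is ours, else None."""
    A = None
    for pub in input_pubkeys:
        A = add(A, pub)
    shared = shared_scalar(mul(scan_priv, A), outpoint_hash)
    return shared if add(spend_pub, mul(shared, G)) in outputs else None


def constructed_key(label):
    """Deterministic test scalar derived from a label (constructed, not a real key)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N


def demo():
    scan_priv = constructed_key(b"constructed scan key")
    spend_priv = constructed_key(b"constructed spend key")
    input_privs = [constructed_key(b"constructed input 0"),
                   constructed_key(b"constructed input 1")]
    outpoint_hash = hashlib.sha256(b"constructed outpoint").digest()
    scan_pub, spend_pub = mul(scan_priv, G), mul(spend_priv, G)

    output = sender_output(input_privs, scan_pub, spend_pub, outpoint_hash)
    decoy = mul(constructed_key(b"constructed unrelated output"), G)
    input_pubs = [mul(k, G) for k in input_privs]  # revealed on-chain when spent
    tweak = receiver_scan(scan_priv, spend_pub, input_pubs, outpoint_hash,
                          [decoy, output])
    # The receiver spends with spend_privkey + shared.
    return output, tweak, (spend_priv + tweak) % N


if __name__ == "__main__":
    out, tweak, spend_key = demo()
    print("output key:", ser(out).hex())
    print("receiver can spend:", mul(spend_key, G) == out)
```

The scan key alone finds the output but cannot spend it, because the spending key also needs spend_privkey.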
Seed Phrase Recovery
Recover a seed phrase that has a typo, a missing word, scrambled order, or was written in a non-standard form. The more constraints you can give it - particularly a known address - the more confident the result.
How to use: Type each word you have. Click a word to mark it typo (probably right but maybe wrong) or unknown (no idea - try every possibility). Add an address you know belongs to that wallet if you have one - it lets the tool tell a real match from millions of valid-looking-but-wrong candidates.
For non-word inputs (entropy hex, binary, or wordlist indexes), switch to the matching mode at the top.
Click a word to cycle through: clean → typo? → unknown.
Order fixes (try with mis-ordered words)
Address constraint (strongly recommended)
If you know any one address that belongs to this wallet, paste it here. Without one, brute-force searches can return hundreds of valid-looking candidates with no way to tell which is yours.
Search
Results
Sign & Verify Messages
Prove you control a Bitcoin address by signing a message with its private key, or verify someone else's signed message. Supports BIP-137 (legacy P2PKH) and BIP-322 (modern, any address type including Taproot).
Why this exists: Exchanges, custodians, and audit firms routinely ask "sign this message to prove you control this address." It's the standard way to prove ownership of Bitcoin without spending from it.
Two standards: BIP-137 is the original (works with legacy 1... and 3... addresses). BIP-322 is the modern replacement that works with any address type including SegWit (bc1q...) and Taproot (bc1p...).
Sign a message with a private key you control. Load a seed first to pick an address from your wallet - or paste a WIF private key below.
Default: first BIP-84 receive address. Edit the path to use a different derivation.
What can I do here?
This page bundles a lot of tools. They're organised below by what you might actually want to accomplish - pick the section that matches your situation. Each tool is described in plain English with the relevant Bitcoin standard (BIP) noted for the curious.
🌱 I want to start using Bitcoin
A "seed" is the master backup for your wallet. Once you've got a seed loaded, this tool can show you everything that comes from it.
- Seed Workspace - Make a brand-new random seed, or type one in if you already have it written down. You can also create one from real dice rolls, coin flips, or playing cards if you don't trust a computer's randomness. Once a seed is loaded, every other tool here can use it. BIP-39
- Derived Addresses - Shows the actual Bitcoin addresses your wallet can receive payments at. Modern wallets default to BIP-84 (addresses that start with bc1q…). You can also see Taproot (bc1p…), legacy (1…), or nested SegWit (3…). BIP-44 · BIP-84 · BIP-86
- How does a seed actually work? - A guided 9-step tour from random bits all the way to your first Bitcoin address, showing the live values for your loaded seed alongside the concepts.
🛡 I want to back up my seed safely
Writing your 12 or 24 words on paper and hiding them somewhere is fine, but a single piece of paper is fragile. These tools let you split your seed across multiple locations so no one location alone is enough to recover.
- Shamir Secret Sharing - Split your seed into m-of-n shares (e.g. any 2 of 3, any 3 of 5). Each share alone reveals mathematically nothing. Three formats: SLIP-39 (Trezor), SSKR (Blockchain Commons), and Foundation Shard (Passport Prime). Shares are not interchangeable across formats; pick the one your other wallet uses. SLIP-39 · SSKR
- Seed XOR - A simpler "all shares needed" backup. Combine 2+ seeds with bitwise XOR - every share alone looks like a valid but useless seed; you need all of them to recover. Different shape from Shamir (which only needs a threshold).
- One-Time Pad - Encrypt your seed against a one-time random key. Keep the key and the ciphertext in different places. Anyone with one half gets nothing.
🤝 I want to share an address (for receiving payments)
Every Bitcoin receive address you publish gives an observer information. These tools let you share something stable without that privacy cost.
- Silent Payments - Publish one static sp1q… address; every payment goes to a fresh unlinkable Bitcoin address on-chain. No notification transaction needed. This is the modern replacement for BIP-47. BIP-352
- BIP-47 Payment Codes (PayNyms) - Share one reusable payment code P…; senders use it plus a "notification transaction" to derive unique addresses for you. Older spec, well-supported in some wallets. BIP-47
- Multisig Addresses - Build receive addresses that require multiple signatures to spend (m-of-n). Common setups: 2-of-3 for individual users, 3-of-5 for businesses or inheritance plans. BIP-48
- BIP-353 DNS Payment Helper - Wrap any of the above in a memorable name@domain-style identifier published over DNS. Build the URI and TXT record offline; resolve other people's identifiers via an opt-in DNS-over-HTTPS lookup. BIP-353 · BIP-21
🆔 I want to prove I own an address
Exchanges, audit firms, or anyone verifying you genuinely control a wallet might ask you to "sign a message" with the address. These tools handle that without ever needing to move funds.
- Sign & Verify Messages - Pick an address from your loaded seed and sign a message with it. Or verify a signature someone else gave you. Supports both BIP-137 (the original spec, P2PKH addresses) and BIP-322 (the modern spec, works for all address types including Taproot). BIP-322
🔑 I want to use one seed for many wallets
Instead of writing down 5 different seeds for 5 different wallets, you can derive child seeds from one master. Same master, different deterministic children.
- BIP85 Tools - Generate deterministic child seeds (12 / 18 / 24 words) and deterministic passwords from one master seed. Pick a number (the "index") and you always get the same child back. Useful for: hardware-wallet test wallets, password managers' master passwords, separate-purpose savings vaults. BIP-85
🔐 I want a stronger passphrase
A BIP-39 passphrase is the optional "25th word" on top of your seed. It massively increases security but is also lost-forever if you forget it.
- Passphrase Generator - Build a strong passphrase from real physical dice rolls using the Diceware wordlist. 5 dice per word; each word adds about 13 bits of entropy.
- Passphrase Tester - Forgot a passphrase but remember an address from that wallet? Try candidate passphrases and the tool tells you when one matches.
🛟 I want to recover from a damaged seed
Things go wrong: smudged ink, missing words, wrong wordlist. These tools try to recover what you've got.
- Seed Phrase Recovery - Mark which words are typos or completely missing, optionally paste an address you know belongs to the wallet, and the tool brute-forces candidates that match. Handles typos, missing words, swapped order, abbreviations, and alternate encodings (hex / binary / wordlist indexes).
- Last Word Calculator - The last word of a BIP-39 mnemonic isn't fully random - its first few bits act as a checksum. If you have the first 11 (or 17, 23) words, this tool computes the valid last word(s). Useful when generating seeds entirely from coin flips.
🧪 I want to design custom spending conditions
Advanced wallets aren't limited to "this key signs". You can build scripts that combine multiple keys, timelocks, and hash conditions in any logical shape.
- Miniscript Lab - Write a high-level Policy ("Alice can spend, or Bob can spend after 144 blocks") and the tool compiles it to a Miniscript expression and the raw Bitcoin Script. It also analyses safety, enumerates every possible spending path, and estimates witness size. Miniscript reference
🔍 I want to inspect or decode something
Standalone utilities that don't need a loaded seed. Paste things in, see them broken down.
- Single Address Check - Paste a private key (WIF or hex) and see its corresponding Bitcoin addresses across all common formats. Or paste public keys to build a quick multisig address.
- Multisig Addresses - Paste cosigner xpubs / ypubs / zpubs and a threshold, get back the multisig receive addresses. Works without a loaded seed if you're verifying someone else's multisig.
- PSBT Inspector - Paste a Partially Signed Bitcoin Transaction (base64 or hex) and see every input and output, who has signed, BIP-32 derivation paths, fee, and what's still needed before it can be broadcast. Read-only; never signs. BIP-174
- BIP-329 Wallet Labels - Paste a JSONL export of wallet labels (transaction notes, address tags, output flags) and the tool groups them by type so you can read them at a glance. The portable format for moving labels between wallets. BIP-329
- Lightning Decoder - Paste a BOLT-11 invoice (lnbc…) or BOLT-12 offer / invoice (lno…/lni…/lnr…) and see every field decoded. The same content a Lightning block explorer would show you, but offline. BOLT-11 · BOLT-12
How does a seed actually work?
A guided tour through every step from random bits to a Bitcoin address. Each section shows the live values from your loaded seed alongside the concept.
1. Entropy - start with randomness
A Bitcoin seed begins as a string of random bits - for a 12-word seed, exactly 128 bits. That's 2^128 possible values, roughly the number of atoms in a hundred trillion galaxies. Any way of generating those bits works: a CSPRNG, dice, coin flips, drawing playing cards.
You can see entropy directly - it's just a binary string. Below is the entropy behind your loaded seed:
Your entropy (128 bits)
Why 128 bits? It's a security floor. To brute-force a 128-bit secret you'd need to test 2^128 candidates - physically impossible with any conceivable computer.
2. Checksum - catch typos
A 12-word mnemonic actually encodes 132 bits, not 128. The extra 4 bits are a checksum: SHA-256(entropy), taking the first 4 bits of the hash.
This way, if you type the words wrong, the tool can tell. Most wrong combinations don't match a valid checksum and get rejected immediately.
SHA-256(your entropy)
First 4 bits → your checksum
For 24-word seeds it's 256 bits of entropy + 8 bits of checksum = 264 bits = 24 × 11.
3. Words - a 2048-word dictionary
Split the 132 bits into 12 chunks of 11 bits. Each chunk is a number between 0 and 2047. Look it up in the BIP-39 wordlist and you get a word. Twelve chunks → twelve words.
The wordlist is carefully chosen - no two words share their first 4 letters, so partial input still uniquely identifies the word.
Your words and their indexes
Words don't matter for security; the underlying bits do. Bitcoin doesn't know your words exist - it only ever sees the seed bytes derived from them.
4. Seed bytes - PBKDF2 stretches the words
The words (joined with spaces) plus an optional passphrase are fed into PBKDF2-HMAC-SHA512 with 2048 iterations and a salt of "mnemonic" + your passphrase. The output is a 64-byte seed.
This deliberately slow step makes brute-forcing passphrases expensive. Even short passphrases cost real time.
Your 64-byte seed (hex)
Same words + different passphrase = completely different seed. Same words + no passphrase = the "no passphrase" seed. They're separate wallets that share an attack surface only in the words themselves.
5. Master key - HMAC-SHA512 splits it
Feed the 64-byte seed into HMAC-SHA512("Bitcoin seed", seed). You get 64 bytes back, split into two halves:
- Left 32 bytes → the master private key
- Right 32 bytes → the chain code (used to derive children)
Your master extended private key (xprv)
An extended key is just the private key + the chain code packed together. That's what xprv / yprv / zprv strings really are - different prefixes for the same underlying data.
6. Derivation path - a tree of children
From the master key, you can derive children. Each child has an index (0, 1, 2, …) and can in turn have children of its own. Specific paths are conventions:
Standard derivation paths
m/44'/0'/0'/0/0 ← BIP-44 legacy address (1…)
m/49'/0'/0'/0/0 ← BIP-49 nested SegWit (3…)
m/84'/0'/0'/0/0 ← BIP-84 native SegWit (bc1q…)
m/86'/0'/0'/0/0 ← BIP-86 Taproot (bc1p…)
The ' after a number marks "hardened" derivation - a one-way step that prevents a leaked xpub from being walked backwards. m/84' is hardened. /0/0 at the end is not - those can be derived from an xpub alone, which is how watch-only wallets work.
Notice each path begins m, then four numbers, then two more. The 4 hardened numbers identify the account (purpose / coin / account); the last two pick a specific address (receive-or-change / index).
7. Public key - secp256k1 math
For any private key (a 256-bit number), the corresponding public key is that number multiplied by a fixed point G on the elliptic curve y² = x³ + 7. The math is one-way - easy in one direction, infeasible to reverse.
Your first BIP-84 public key (33 bytes, compressed hex)
"Public key cryptography" lets you share the public key freely. Anyone can verify your signatures using it; no one can derive the private key from it.
8. Address - hash and encode
An address is a compact, error-correcting encoding of a hash of the public key. For Native SegWit (BIP-84):
- Compute HASH160(pubkey) = RIPEMD160(SHA256(pubkey)) → 20 bytes.
- Prefix with witness version (0x00) and length byte → witness program.
- Encode the program with Bech32, prefixed with bc (mainnet) and a separator → human-readable address.
Your first BIP-84 receive address
Bech32's error-detection catches a handful of common typos. The 6-character "checksum" at the end of every bc1… address is what does it.
9. Wrap-up - the whole chain
Each step is deterministic. Same entropy → same words → same seed → same master key → same path → same address. No matter what wallet software you use, if it agrees on the standards, you'll see the same addresses for the same seed.
Which is why seed phrases are portable: they encode all the information needed to reconstruct your wallet, in any compliant tool, forever.
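Steps 1 to 6 of the tour as runnable Python, added here as an illustration and not taken from the tool. Function names are hypothetical, the entropy is a constructed all-zero value, and only the two wordlist entries it needs are embedded; the NFKD normalisation comes from BIP-39 rather than from the text above.

```python
import hashlib
import hmac
import unicodedata

HARDENED = 0x80000000  # 2**31, added to a child index written with '
# Constructed sample: the two entries of the 2048-word list that all-zero entropy needs.
WORDS = {0: "abandon", 3: "about"}

def entropy_to_indexes(entropy: bytes) -> list:
    """Steps 1-3: append the SHA-256 checksum, cut into 11-bit word indexes."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # 4 for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Step 4: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, 64)

def master_key(seed: bytes) -> tuple:
    """Step 5: HMAC-SHA512 keyed with "Bitcoin seed"; left = key, right = chain code."""
    out = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return out[:32], out[32:]

def parse_path(path: str) -> list:
    """Step 6: m/84'/0'/0'/0/0 -> 32-bit child indexes; ' sets the top bit."""
    head, *levels = path.split("/")
    if head != "m" or not levels:
        raise ValueError("expected a path like m/84'/0'/0'/0/0")
    out = []
    for level in levels:
        number = level[:-1] if level.endswith("'") else level
        if not number.isdigit() or int(number) >= HARDENED:
            raise ValueError("bad path level: " + level)
        out.append(int(number) + (HARDENED if level.endswith("'") else 0))
    return out

if __name__ == "__main__":
    phrase = " ".join(WORDS[i] for i in entropy_to_indexes(bytes(16)))
    for pw in ("", "TREZOR"):                     # same words, two wallets
        key, chain = master_key(mnemonic_to_seed(phrase, pw))
        print(repr(pw), key.hex()[:16], chain.hex()[:16])
    print(parse_path("m/84'/0'/0'/0/0"))
```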
Credits & licenses
If you find this tool useful, consider donating some sats to the lead developer SuperPhatArrow, or to any of the libraries below.
Libraries & Tools
Core seed and key derivation
- BIP39 Seed Tool by Ian Coleman - MIT
- bitcoinjs-lib by BitcoinJS Contributors - MIT
- BIP32 by BitcoinJS Contributors - MIT
- BIP39 by BitcoinJS Contributors - MIT
- BIP47-js by Samourai - GNU GPL v3
- BIP85 by Andreas Gassmann - MIT
- BIP86 by Anderson Juhasc - MIT
- zxcvbn by Dropbox - MIT
- Levenshtein by gf3 - Unlicense
- Endianness by Rafael da Silva Rocha - MIT
Message signing (BIP-137 / BIP-322)
Silent Payments (BIP-352)
Shamir Secret Sharing
- slip39-ts (SLIP-39) by Splitsec Labs - MIT
- @bcts/sskr (SSKR) by Blockchain Commons - BSD-2-Clause-Patent
- @bcts/dcbor (deterministic CBOR) by Blockchain Commons - BSD-2-Clause-Patent
- @bcts/uniform-resources (UR) by Blockchain Commons - BSD-2-Clause-Patent
- @bcts/shamir by Blockchain Commons - BSD-2-Clause-Patent
- @bcts/crypto by Blockchain Commons - BSD-2-Clause-Patent
- @bcts/rand by Blockchain Commons - BSD-2-Clause-Patent
- backup-shard (Foundation Shard format reference) by Foundation Devices - GPL-3.0-or-later
Lightning Network
Miniscript
- @bitcoinerlab/miniscript (analyser + satisfier) by Bitcoinerlab - MIT
- @bitcoinerlab/miniscript-policies (policy compiler) by Bitcoinerlab - MIT
- sipa/miniscript (reference C++ compiler, upstream) by Pieter Wuille - MIT