Overview
DynamicEvmWalletClient::exportPrivateKey returns the wallet’s raw 32-byte EVM private key as 0x-prefixed hex. The MPC export ceremony returns an xpriv; the SDK then BIP-32-derives the final private key at the wallet’s recorded derivation path.
Once exported, the raw private key bypasses MPC — any holder of the key can sign without your server’s involvement. Treat it as a one-way operation. Only use it for migration or disaster recovery, and rotate / abandon the wallet afterward.
Prerequisites
Export the Key
import xyz.dynamic.waas.evm.DynamicEvmWalletClient;
String privateKeyHex = client.exportPrivateKey(
walletProperties,
externalServerKeyShares
).join();
// 0x-prefixed 32-byte hex, e.g. "0xabcd…"
System.out.println("Private key: " + privateKeyHex);
Verifying the exported key
The exported key should derive the same address as walletProperties.accountAddress(). With web3j:
import org.web3j.crypto.Credentials;
import org.web3j.crypto.ECKeyPair;
import org.web3j.utils.Numeric;
ECKeyPair pair = ECKeyPair.create(Numeric.toBigInt(privateKeyHex));
Credentials creds = Credentials.create(pair);
String derived = creds.getAddress(); // EIP-55 checksum form
assert derived.equalsIgnoreCase(walletProperties.accountAddress());
Best Practices
- Treat exports as a one-way operation — don’t use the same wallet through MPC after exporting; rotate to a fresh wallet.
- Never log the key — redact it from all logs and error messages. The SDK’s
tracing instrumentation already skips this arg; do the same in your own code.
- Zero memory after use — keep the key as
char[] / byte[] where possible and explicitly zero it after forwarding to its destination.
- Transport over TLS only — never send the key over an unencrypted channel.
Next Steps
