Why the Identity Seed Still Matters When You Have a Passkey

Yes, you still need to save your Identity Seed even with a passkey. The passkey is a convenience unlock; the seed is the portable identity that works across CardanoWall, the CLI, SDKs, and any Label 309 tool.

Yes, you still need to save your Identity Seed, even if you add a passkey.

The passkey is the daily unlock. The Identity Seed is the identity. Save the seed and you can reconstruct the same Label 309 identity anywhere: in CardanoWall, in the open-source command-line tool, in the SDKs, and in any other software that implements the standard. Lose the seed and every way to unlock your vault, and the future use of that identity is gone for good.

This is not an oversight. It is the direct consequence of CardanoWall never taking custody of your identity. If a service could hand your identity back to you out of thin air, it would also be able to become you.

What is the Identity Seed?

The Identity Seed is a single 32-byte secret. From that one value, every Label 309 tool deterministically derives the keys your identity uses to:

  • sign Proof of Existence records;
  • receive sealed records at a classical receive address;
  • receive sealed records at an optional post-quantum receive address;
  • decrypt records addressed to the identity;
  • prove you actually hold the identity when you import it into a new account.

The seed is the portable root of all of that. It is not a Cardano wallet seed phrase. It holds no ADA, it controls no funds, and it is not a payment wallet. It is the root of a Label 309 identity, and nothing else. For a fuller walk-through of how an identity grows from those 32 bytes, see Your Identity Is a Seed.

Why doesn't CardanoWall just hide the seed for me?

Because hiding it completely would make the service your recovery authority, and that is exactly what the design refuses to be.

If CardanoWall could reset or recreate your identity without the seed, it would have to hold some secret powerful enough to act as you. That secret would make the service a custodian: a single point that could be breached, subpoenaed, or simply shut down, taking your identity with it.

So the split is deliberate. CardanoWall can offer an encrypted vault, and a passkey can open that vault. But the vault is a convenience layer. The seed is the thing you own outright.

So what does the passkey actually do?

It opens the convenience vault, nothing more.

Once you have saved the seed, you can add a passkey. The passkey lets your browser unlock the encrypted identity vault without making you paste the seed every time. That is what keeps everyday work smooth:

  • signing records;
  • decrypting incoming sealed records;
  • switching between identities;
  • composing sealed messages;
  • unlocking on another signed-in device, where your passkey provider syncs it;
  • getting back in after a lost laptop, if your passkey is synced.

The vault itself holds encrypted ciphertext, not plaintext seeds, and it is addressed only to your passkeys, so the service cannot read it. For the full picture of what a passkey unlocks and what it does not, see How Passkeys Protect Your Identity Vault.

The catch is scope: a passkey is tied to one account and one platform context. The seed is not.

What can the seed do that a passkey can't?

It can move the identity anywhere. With the seed you can:

  • import the identity into a new CardanoWall account;
  • bring it into other Label 309 software;
  • use it from the command-line tool;
  • use it in a third-party tool that implements the standard;
  • share a team identity on purpose;
  • get back in when the hosted vault is unavailable;
  • confirm that the derived public keys match the identity you expect.

A passkey unlocks one account's vault. The seed reconstructs the identity itself. That is why CardanoWall treats the seed as the canonical backup and the passkey as a cache on top of it.

What happens if I lose the seed?

It depends on what else you still have.

If you still have a working passkey and the hosted vault is online, you are fine: you can open the identity and reveal the seed again from settings, behind a re-authentication step. Treat that as your moment to finally save it somewhere durable.

If you lose the seed and every vault unlock factor, the identity's future use is lost. You cannot sign new records under it. You cannot decrypt sealed records addressed to it, including ones that arrive after the loss. And no one at CardanoWall can reset it, because no one at CardanoWall has it.

Your already-published proofs are a separate story. They keep verifying, because verification relies only on public data: the transaction metadata on Cardano and, where needed, the content bytes. Nothing about a lost seed un-proves what you already published.

What happens if someone steals the seed?

Treat the identity as compromised, and replace it.

Anyone holding the seed can derive the same private keys. They can sign as your identity and decrypt sealed records addressed to it, past and future. There is no way to revoke that knowledge.

The response is not "change the seed" inside the same identity. One seed is one identity, permanently. Instead:

  • create a new identity;
  • save the new seed;
  • publish or hand out the new public keys through channels people trust;
  • deactivate the old identity in the service;
  • stop using the old receive addresses;
  • where it helps, publish records that supersede the old ones.

This is why the seed deserves the same care as any other high-value secret. The difference between deactivating an old identity and deleting it is worth knowing before you need it; see Active, Deactivated, Deleted.

Where should I store the seed?

Somewhere you already trust for long-term secrets. Good options include:

  • a reputable password manager;
  • an offline, encrypted archive;
  • a printed copy in a secure location;
  • a company secret-management process;
  • a sealed envelope in an office safe, for a shared team identity.

Avoid the places secrets leak from:

  • screenshots in your phone's photo library;
  • plain, unencrypted notes;
  • chat messages;
  • email drafts;
  • issue trackers or wikis;
  • public documents;
  • anywhere you might paste a wallet phrase by reflex.

The right level of protection scales with the value of the identity. A throwaway test identity and a newsroom's shared identity do not deserve the same storage.

Is the seed a wallet phrase?

No, and CardanoWall goes out of its way to keep the two distinct.

CardanoWall deliberately does not use wallet-style word lists for identities. A Label 309 Identity Seed is shown as a checksummed string that looks nothing like a crypto wallet backup, precisely so you do not confuse the two. The checksum catches typos and truncation without borrowing the word-grid format people associate with funds.

Never paste a Cardano wallet phrase into CardanoWall. It does not need one and never asks for one. The Identity Seed is for your Label 309 identity, full stop.
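The two properties described above, a checksummed seed string that rejects typos and truncation and the deterministic derivation of per-purpose keys from one 32-byte seed, can be shown in a short sketch. This is an added example, not CardanoWall or Label 309 code: the `demo-seed-` prefix, the base32 layout, the 4-byte checksum, the salt, and the purpose labels are all assumptions, and the outputs are raw key material rather than real key pairs.

```python
import base64
import hashlib
import hmac

SEED_LEN = 32           # from the page: the Identity Seed is a single 32-byte secret
CHECK_LEN = 4           # assumption: truncated SHA-256 checksum, 4 bytes
PREFIX = "demo-seed-"   # hypothetical prefix, not the real Label 309 encoding
# Hypothetical purpose labels mirroring the key uses the page lists.
PURPOSES = ("sign", "receive-classical", "receive-pq", "ownership-proof")


def _checksum(seed: bytes) -> bytes:
    return hashlib.sha256(PREFIX.encode() + seed).digest()[:CHECK_LEN]


def encode_seed(seed: bytes) -> str:
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be exactly 32 bytes")
    body = base64.b32encode(seed + _checksum(seed)).decode()
    return PREFIX + body.rstrip("=").lower()


def decode_seed(text: str) -> bytes:
    text = text.strip()
    if not text.startswith(PREFIX):
        raise ValueError("not a demo seed string")
    body = text[len(PREFIX):].upper()
    body += "=" * (-len(body) % 8)          # restore base32 padding
    try:
        raw = base64.b32decode(body)
    except ValueError as exc:               # binascii.Error subclasses ValueError
        raise ValueError("malformed seed string") from exc
    if len(raw) != SEED_LEN + CHECK_LEN:
        raise ValueError("wrong length (truncated or extended)")
    seed, check = raw[:SEED_LEN], raw[SEED_LEN:]
    if not hmac.compare_digest(check, _checksum(seed)):
        raise ValueError("checksum mismatch (typo?)")
    return seed


def derive_keys(seed: bytes) -> dict[str, bytes]:
    """HKDF-SHA256 (RFC 5869): one 32-byte output per purpose label."""
    prk = hmac.new(b"demo-label309-salt", seed, hashlib.sha256).digest()  # extract
    return {p: hmac.new(prk, p.encode() + b"\x01", hashlib.sha256).digest()
            for p in PURPOSES}                                            # expand
```

Because `derive_keys` has no input other than the seed, any tool that implements the same derivation reproduces the same keys, and anyone who obtains the seed reproduces them too.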

How often should I touch the seed?

As rarely as you can. The healthy pattern is:

  1. create or import the identity;
  2. save the seed;
  3. add a passkey;
  4. use the passkey for daily unlocks;
  5. reveal or re-enter the seed only when moving, recovering, or auditing the identity.

That keeps the seed genuinely portable without making you handle a raw secret every day. Day to day, you tap a passkey; the seed waits safely in the background.

The short version

The Identity Seed is the identity. The passkey is the convenience unlock.

Save the seed before you start relying on the identity. Use passkeys to make daily work smooth. Keep the seed off untrusted devices, and never confuse it with a wallet phrase. If CardanoWall can help you every day but still cannot replace your seed, the model is working exactly as designed.
