Glossary

Watch-Only Wallet

A wallet that can view balances and generate addresses but cannot sign transactions, used for monitoring without key exposure.

Key Takeaways

  • A watch-only wallet monitors Bitcoin balances and transactions without storing private keys, meaning it can never sign or authorize spending. It provides read-only access to the blockchain for a specific set of addresses.
  • Watch-only wallets work by importing an extended public key (xpub), which lets them derive all current and future addresses from an HD wallet without any spending capability.
  • They are essential for cold storage workflows: users track balances and build unsigned transactions on an internet-connected device, then sign them on an air-gapped signing device.

What Is a Watch-Only Wallet?

A watch-only wallet is a Bitcoin wallet that can view balances, generate receiving addresses, and track transaction history, but cannot spend funds. It contains only public keys: no private keys, no seed phrase, and no signing capability. Think of it as a bank statement that updates in real time but has no checkbook attached.

Watch-only wallets exist because of a fundamental tension in Bitcoin security. Private keys must remain offline to be safe from malware, phishing, and remote attacks. But users still need a convenient way to check balances, generate fresh receiving addresses, and prepare transactions. A watch-only wallet resolves this by separating the observation function (public keys on a connected device) from the authorization function (private keys on an air-gapped device).

This separation is the foundation of modern self-custody practices. Nearly every hardware wallet workflow relies on a companion watch-only wallet running on a phone or computer.

How It Works

Watch-only wallets rely on BIP 32 hierarchical deterministic key derivation. A single extended public key (xpub) can generate all child public keys and addresses for an entire wallet. By importing this xpub, the watch-only wallet mirrors the address set of the corresponding cold wallet without needing any secret material.

  1. The user exports the xpub from their signing device or hardware wallet via USB, MicroSD card, QR code, or NFC
  2. The watch-only software imports the xpub and derives all associated addresses following the wallet's derivation path
  3. The software queries the Bitcoin network (through a full node or Electrum server) to find balances and transactions for those addresses
  4. New receiving addresses are derived on demand, keeping the wallet synchronized with the cold storage side

Beyond xpubs, there are format variants for different address types: ypub for BIP 49 wrapped SegWit addresses and zpub for BIP 84 native SegWit addresses. These function identically to xpubs but encode the address type so wallets derive the correct format automatically.
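What an import check for these key formats can look like, as an added example that is not part of the original entry or any wallet's own code: it decodes the Base58Check string, reads the BIP 32 fields, and refuses anything that is not a public extended key. The ypub/zpub version bytes follow SLIP-132; the sample keys are constructed filler, and the parser does not check that the public key is a valid curve point.

```python
import hashlib
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version prefixes: xpub/xprv from BIP 32; ypub/zpub as used by wallets (SLIP-132).
PUBLIC = {0x0488B21E: "xpub", 0x049D7CB2: "ypub", 0x04B24746: "zpub"}
LAYOUT = ">IB4sI32s33s"  # version, depth, parent fingerprint, child, chain code, key

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad Base58Check checksum")
    return data[:-4]

def parse_watch_only_key(text):
    """Decode an extended key; accept it only if it carries a public key."""
    raw = b58check_decode(text)
    if len(raw) != 78:
        raise ValueError("extended keys are 78 bytes")
    version, depth, _fp, child, _chain, key = struct.unpack(LAYOUT, raw)
    # Public keys are compressed points (0x02/0x03); a private key starts 0x00.
    if version not in PUBLIC or key[0] not in (2, 3):
        raise ValueError("not a public extended key; do not import on a connected device")
    return {"type": PUBLIC[version], "depth": depth,
            "hardened": child >= 0x80000000, "child": child & 0x7FFFFFFF}

def make_sample(version, key33, depth=3, child=0x80000000):
    # Constructed sample: filler fingerprint and chain code, not a real wallet.
    raw = struct.pack(LAYOUT, version, depth, b"\xaa" * 4, child, b"\x11" * 32, key33)
    return b58check_encode(raw)

ZPUB = make_sample(0x04B24746, b"\x02" + b"\x22" * 32)  # account level, m/84'/0'/0'
XPRV = make_sample(0x0488ADE4, b"\x00" + b"\x33" * 32)  # private: must be rejected
```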

Single Address Import

Not all watch-only setups require an xpub. Users can import individual Bitcoin addresses to monitor specific UTXOs or track payments to a known address. However, single-address import cannot derive new addresses, making it suitable only for static monitoring rather than ongoing wallet management.

Spending via PSBTs

Although watch-only wallets cannot sign transactions, they play a critical role in the spending process through PSBTs (Partially Signed Bitcoin Transactions), defined in BIP 174:

  1. The watch-only wallet constructs the unsigned transaction: selecting inputs, setting outputs, and calculating the fee
  2. It encodes the transaction as a PSBT and transfers it to the signing device via MicroSD card, QR code, USB, or NFC
  3. The signing device verifies the transaction details on its own screen, then signs with the private keys (which never leave the device)
  4. The signed PSBT returns to the watch-only wallet, which finalizes and broadcasts it to the Bitcoin network
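
# Example: creating a PSBT with Bitcoin Core in watch-only mode
# createpsbt only builds the unsigned skeleton; the wallet adds the input
# (UTXO) data the signer needs, e.g. via walletprocesspsbt, before export
bitcoin-cli createpsbt '[{"txid":"abc...","vout":0}]' '[{"bc1q...":0.01}]'

# Transfer the PSBT to the hardware wallet for signing
# After signing, finalize (returns the raw transaction hex) and broadcast
bitcoin-cli finalizepsbt "signed_psbt_base64"
bitcoin-cli sendrawtransaction "finalized_hex"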

This workflow ensures private keys remain isolated on the hardware device while the watch-only wallet handles all network communication. The user should always verify the destination address, amount, and fee on the hardware wallet's own display, as a compromised computer could manipulate what the watch-only software shows.

Implementations

Several dedicated applications support watch-only functionality, each with different tradeoffs:

| Software | Platform | Key Features |
|---|---|---|
| Sparrow Wallet | Desktop (macOS, Windows, Linux) | Full PSBT support, coin control, hardware wallet integration, descriptor-based |
| Electrum | Desktop | Xpub import, unsigned transaction creation, multisig support |
| BlueWallet | iOS, Android | Supports xpub, ypub, and zpub import; mobile-first portfolio tracking |
| Sentinel | Android | Tor routing support, Dojo node connection for enhanced privacy |
| Nunchuk | Mobile, Desktop | Multisig coordinator with watch-only support, Bitcoin descriptor import/export |

Use Cases

Cold Storage Coordination

The primary use case for watch-only wallets is pairing with cold storage devices. Hardware wallets like Coldcard, Trezor, and Ledger export their xpubs so users can manage their funds day-to-day from a phone or computer. The hardware wallet only comes out of storage when a transaction needs signing.

Portfolio Tracking

Users with funds spread across multiple wallets can import each xpub into a single watch-only application to get an aggregated view of their total holdings. This avoids the security risk of consolidating keys while providing a unified dashboard.

Generating Receive Addresses

Because the xpub can derive new addresses, a watch-only wallet generates fresh receiving addresses on demand without touching the signing device. This is critical for merchants and businesses that need to provide unique addresses for each customer payment while keeping keys offline.

Business Treasury Monitoring

Companies holding Bitcoin in cold storage can deploy watch-only wallets on their finance team's devices. Staff can verify incoming payments, track balances, and prepare transactions for approval without any risk of unauthorized spending. For organizations building on Bitcoin, solutions like the Spark wallet SDK simplify integrating these monitoring capabilities into custom treasury applications.

Privacy Implications

Sharing or exposing an xpub has serious privacy consequences. Anyone who obtains your xpub can derive every address your wallet has ever used or will use in the future. They can see your complete transaction history, total balance, and all incoming and outgoing payments.

An xpub is not as sensitive as a seed phrase: it cannot authorize spending. But it fully compromises financial privacy. Treat your xpub with the same care you would treat a detailed bank statement.

To minimize privacy exposure when using a watch-only wallet:

  • Connect through Tor or a VPN to prevent your IP address from being linked to your addresses
  • Run your own Bitcoin node or Electrum server rather than relying on third-party infrastructure that can log your queries
  • Never share xpubs publicly, store them in cloud services, or transmit them over unencrypted channels
  • Be aware that importing an xpub into any third-party application gives that provider visibility into your full financial activity

For users who want stronger privacy in their Bitcoin transactions, techniques like CoinJoin and silent payments can complement a watch-only setup by reducing the on-chain linkability of transactions. For a deeper exploration of these approaches, see the Bitcoin privacy landscape research.

Risks and Considerations

Address Verification

If the device running the watch-only wallet is compromised, malware could display a tampered receiving address, redirecting incoming funds to an attacker. Always verify addresses on the hardware wallet's own screen before sharing them with senders, especially for large amounts.

Xpub Exposure

As noted above, xpub leaks are a privacy risk, not a fund-loss risk. However, a leaked xpub combined with other data (your identity, your IP address, your transaction patterns) can enable targeted chain analysis or even physical attacks if an adversary learns the size of your holdings.

Sync and Gap Limits

Watch-only wallets scan the blockchain for activity across derived addresses, but they stop scanning after a certain number of consecutive unused addresses (the address gap limit, typically 20 by default per BIP 44). If the signing wallet generated addresses beyond this gap, the watch-only wallet may show an incomplete balance. Adjusting the gap limit in the watch-only software resolves this.
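The gap-limit failure described above, as an added simulation that is not part of the original entry: `scan_chain` stops after `gap_limit` consecutive unused indexes, and `required_gap_limit` reports the smallest setting that reaches every used address. The `received` mapping is a hypothetical stand-in for node or Electrum server lookups, and the amounts are constructed.

```python
def scan_chain(received, gap_limit=20):
    """Walk address indexes 0, 1, 2, ... and stop after gap_limit unused in a row.

    `received` maps address index -> satoshis received; it stands in for the
    queries a wallet sends to a node or Electrum server (hypothetical source).
    """
    balance, used, unused_run, index = 0, [], 0, 0
    while unused_run < gap_limit:
        if index in received:
            balance += received[index]
            used.append(index)
            unused_run = 0          # any activity resets the gap counter
        else:
            unused_run += 1
        index += 1
    return {"balance": balance, "used": used, "scanned": index}

def required_gap_limit(used_indexes):
    """Smallest gap limit that lets a scan reach every used index."""
    longest, previous = 0, -1
    for i in sorted(used_indexes):
        longest = max(longest, i - previous - 1)  # unused run before index i
        previous = i
    return longest + 1

# Constructed case: the signing wallet handed out addresses 0-2, then 27.
RECEIVED = {0: 50_000, 1: 120_000, 2: 30_000, 27: 1_000_000}

def report():
    default = scan_chain(RECEIVED)                       # gap limit 20
    needed = required_gap_limit(RECEIVED)
    fixed = scan_chain(RECEIVED, gap_limit=needed)
    return default["balance"], needed, fixed["balance"]

if __name__ == "__main__":
    shown, needed, actual = report()
    print(f"default scan shows {shown} sat; gap limit {needed} shows {actual} sat")
```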

No Offline Guarantee

A watch-only wallet must connect to the Bitcoin network to fetch transaction data. If it connects through a third-party server, the server operator can see which addresses you query. For self-custody users who prioritize privacy, running a personal Bitcoin node or Electrum server is strongly recommended.
