Watch-Only Bitcoin Wallets Explained: How to Check Without Risking

One of the strangest tensions in self-custody is this: you take the hard-earned step of moving your Bitcoin off an exchange and into a hardware wallet, and now you can’t casually check on it. Plugging in the device every Sunday morning to look at a balance starts to feel like overkill — and it slightly increases your security risk every time you do it. The fix is so simple it sometimes feels like cheating: a watch-only wallet.

The one-paragraph version

A watch-only wallet is a normal Bitcoin wallet, on your phone or computer, that you have set up using only the public portion of your hardware wallet’s key information. It can see every transaction that hits your addresses, show your full balance in real time, and even build (but not sign) outgoing transactions. What it cannot do is move funds. Your private keys never touch the watch-only device. So losing your phone, getting your laptop stolen, or even getting fully malware-infected does not put your Bitcoin at risk.

Why watch-only wallets exist

Bitcoin has, by design, a clever split inside every wallet. There are two pieces: a private key (which can spend) and a public key (which can receive). The public key can be shared widely — it is, by definition, public information — without compromising security. The private key has to be kept secret, ideally on an air-gapped or hardware device that never touches the internet.

What most beginners don’t realize is that your extended public key (called an xpub, or in newer formats zpub or vpub) is enough to derive every Bitcoin address your wallet will ever generate. With it, software can:

• Show you your full balance, summed across all your wallet’s addresses
• Show you every incoming transaction, in real time, as it confirms
• Generate the next receiving address so you can give it out to a buyer or to a Coinbase withdrawal
• Construct (but not sign) an outgoing transaction, which you can later finish on your hardware wallet

It cannot, however, move a single satoshi without that signed approval from the device holding the private keys. That asymmetry is what makes watch-only wallets the single highest-leverage habit a self-custodying Bitcoin holder can adopt.

What you actually use a watch-only wallet for

1. Casual balance checks

This is the obvious one. You want to know what your stack is worth at 9 PM on a Tuesday. Without a watch-only wallet, you either trust an exchange’s estimate (if your coins were originally bought there), squint at a block explorer with a list of addresses, or plug in your hardware wallet. With a watch-only wallet, you open the app on your phone. Done in three seconds.

2. Confirming an incoming transaction has arrived

Whenever you withdraw from an exchange, sell some Bitcoin to a friend, or move funds between your own wallets, you want to see the transaction land. With a watch-only wallet, you watch it appear as “unconfirmed,’’ turn into 1 confirmation, then 6, then settle. Closure for the transaction without exposing anything sensitive.

3. Generating a fresh receiving address without plugging in the hardware wallet

Best practice in Bitcoin self-custody is to use a fresh address for each incoming transaction (we cover the privacy reasons in our privacy explainer). The watch-only wallet derives a new address from your xpub on demand. You can copy it, paste it into Coinbase’s withdrawal form, and never touch your hardware device.

4. Coordinating multisig setups

If you run a 2-of-3 or 3-of-5 multisig wallet (see our multisig explainer), the watch-only layer is essential. The wallet software needs the public keys from every co-signer to track the joint balance and to build proposed transactions that each co-signer then signs separately on their own device.

5. Estate planning

Giving your spouse or executor a watch-only setup — while keeping the actual private keys with you — lets them see what is there without giving them the ability to move it during your lifetime. We cover this exact scenario in our Bitcoin inheritance plan article.

The 10-minute setup, end to end

Here is the simplest, free path. We are assuming you already have a hardware wallet (Coldcard, Ledger, Trezor, or similar) set up and holding Bitcoin.

Step 1 — Export your xpub from the hardware wallet

Every modern hardware wallet has a function to export your extended public key in a way that watch-only software can import. On a Coldcard, this is “Export Wallet”; on a Trezor, it’s the same option in Trezor Suite; on a Ledger, you go through Ledger Live or use a third-party tool. The export usually produces a small text file or a QR code.

What you are looking for is a string starting with xpub, ypub, zpub, or vpub (different prefixes correspond to different address types — see Bitcoin address types explained). Or, more conveniently in 2026, an output descriptor — a longer, more complete piece of metadata that fully describes the wallet structure.

Step 2 — Choose a watch-only app

For most beginners we recommend Sparrow Wallet (desktop) or BlueWallet (mobile). Both are free, both are open-source, and both have well-tested watch-only functionality. Sparrow is the more powerful option; BlueWallet is the more comfortable phone experience.

Step 3 — Import the xpub or descriptor

In Sparrow: File > New Wallet > (give it a name) > Connect Existing > paste the xpub or scan the QR code from your hardware wallet’s export. Sparrow will set the wallet to read-only mode automatically.

In BlueWallet: Add Wallet > Import > paste the xpub. BlueWallet will detect that no private keys were supplied and create the wallet in watch-only mode.

Step 4 — Verify the first address matches

Critical step. Have your hardware wallet display its receiving address #0 (or any specific index). Confirm that your watch-only wallet shows the same address at the same index. If they match, the import worked correctly. If not, you exported the wrong key type or imported the wrong descriptor — back up and redo step 1.

Step 5 — Lock down the watch-only device

Even though the watch-only wallet has no spending power, it still has your full transaction history and your future addresses. That’s privacy-sensitive. Set a screen-lock on the phone, use FileVault or BitLocker on the laptop, and don’t install random apps on the same device. Reasonable hygiene, not paranoia.

What about privacy?

This is the most-asked question once people understand watch-only wallets. The answer is honest: a watch-only wallet by default queries either a public Bitcoin server (Electrum, mempool.space) or the wallet developer’s own infrastructure to look up your addresses. That means a third party can correlate the addresses you are watching, even though they can’t spend from them.

If you care about that level of privacy, the answer is to point your watch-only wallet at your own Bitcoin node. Sparrow makes this trivial — one settings change — and the result is that your address lookups happen against your own copy of the blockchain rather than someone else’s server. We have a beginner-friendly walkthrough in running a Bitcoin node.

For most beginners holding moderate amounts, default Sparrow or BlueWallet privacy is fine for the watch-only use case. The option to upgrade is there when you want it.

What watch-only wallets do not protect against

To stay honest: a watch-only wallet protects you against device theft and most malware on the watching device. It does not protect you against:

• Loss of your hardware wallet without a backup of your seed phrase. If your hardware wallet drowns and you didn’t write down the 12 or 24 word phrase, the watch-only wallet still shows the balance — but you have no way to spend it.
• An attacker who gets both your watch-only device and your hardware wallet. Unrealistic, but worth knowing.
• Privacy leaks from default servers, as discussed above. Watch-only is great for security; somewhat lossy for privacy unless you self-host.

The progression most self-custodying holders actually follow

If you’re wondering where this fits in your overall security maturation, here is the rough path most thoughtful holders walk over their first two years of self-custody:

1. Buy on an exchange. Hold there for a month while you learn.
2. Move to a software wallet on your phone (BlueWallet). Learn what addresses are.
3. Buy a hardware wallet. Move funds. Verify. Sleep better.
4. Set up a watch-only wallet on your phone or laptop pointing at the hardware wallet’s xpub. Stop plugging in the hardware wallet to check balances.
5. Once balance crosses a threshold (often around $50,000), consider a multisig setup or a more sophisticated cold-storage strategy.

The watch-only step is the one most beginners skip, and it’s the one that changes day-to-day life with self-custody from “a chore I avoid’’ to “a system that runs in the background.’’

Three small mistakes to avoid

1. Don’t share your xpub publicly

Your xpub does not give anyone the ability to spend, but it does let anyone trace every transaction your wallet has ever made or will make. Treat it like a bank statement: not catastrophic if leaked, but not something you post on Twitter.

2. Don’t confuse “watch-only’’ with “hot wallet’’

A hot wallet is one that holds private keys on a connected device — risky for large amounts. A watch-only wallet, by definition, has no private keys. The naming is unfortunate but the security model is fundamentally different.

3. Don’t use a watch-only wallet as your only backup

If you lose your hardware wallet and you only have a watch-only setup, you can see your Bitcoin but you cannot move it. The seed phrase backup of the original device is what saves you from that. The watch-only wallet is a supplement to your backup strategy, never a replacement.

The shortest possible summary

1. A watch-only wallet uses just your public key information — the private keys stay on your hardware wallet.
2. You can check balance, see incoming transactions, and generate fresh addresses without exposing keys to a connected device.
3. Setup is 10 minutes: export xpub from the hardware wallet, import into Sparrow or BlueWallet, verify the first address matches.
4. For better privacy, point the watch-only app at your own Bitcoin node.
5. Don’t treat the watch-only wallet as a backup — the seed phrase is still your real backup.

If self-custody has felt like a chore you avoid, the watch-only wallet is probably the missing piece. The whole point of holding Bitcoin yourself is the calm of knowing it’s safe; a watch-only wallet is what lets that calm survive a Tuesday morning balance check.