Last updated: October 2024 / 866608 o'block
The most secure way to keep your bitcoin is a cold storage wallet. As it can spend your bitcoin, it is important to keep it safe and private - but that often makes it less convenient to use. You can't take it everywhere with you, and it can be a pain having to plug in a hardware wallet each time you want to receive a bit of bitcoin.
One solution to this is a watch-only wallet. A watch-only wallet holds only your public keys (not your private keys) and can't spend your bitcoin. It can be used on a device that isn't very secure for easy viewing and receiving of bitcoin without compromising your cold storage security. It's only when you need to spend bitcoin that you need your cold storage wallet. A watch-only wallet can live on your mobile device and go anywhere with you, and even if it is lost or stolen, your bitcoin is not at risk.
Your bitcoin is controlled by the private keys kept safe by your wallet - for example, your cold storage wallet. From your private key, the cold storage wallet can also create a public key - specifically, an Extended Public Key (xpub, zpub, or ypub; more on this below). The Extended Public Key is just a string of characters and can be saved to a text file or transferred using a QR code.
On another device - for example, the mobile phone where you want to set up your watch-only wallet - install a wallet app of your choice that supports importing a public key (for instance, Electrum or BlueWallet), import your Extended Public Key into it, and have it create the watch-only wallet for you. It will scan your addresses and show your transactions and balance - even though it doesn't know the seed or the associated private keys. That's it! That is your watch-only wallet.
Receiving bitcoin works the same as with any other wallet, but make sure the address type you are receiving to matches the type used by your cold storage wallet.
An Extended Public Key has a few different forms depending on the address type and derivation path you want to use: xpub, zpub, ypub. If this seems too complex (and it is, honestly; Bitcoin is still young and actively developing), it may be easiest to simply use the same wallet software (Electrum, for instance) for both your cold storage and your watch-only wallet; because it's the same app, it defaults to the same derivation path and address type.
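As an added example (not part of the original post), here is a small Python check a careful user or wallet app could run on a pasted extended key before importing it: it verifies the base58check checksum, maps the xpub/ypub/zpub prefix to its address type and the account path conventionally paired with it, and refuses anything that is actually a private key (xprv/yprv/zprv). The version bytes are the BIP32/SLIP-132 constants; the keys built by make_sample() are constructed placeholders, not real keys.

```python
import hashlib
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSIONS = {  # prefix: (name, address type, usual account path, holds a private key?)
    0x0488B21E: ("xpub", "legacy P2PKH (1...)", "m/44'/0'/0'", False),
    0x049D7CB2: ("ypub", "P2SH-wrapped segwit (3...)", "m/49'/0'/0'", False),
    0x04B24746: ("zpub", "native segwit P2WPKH (bc1q...)", "m/84'/0'/0'", False),
    0x0488ADE4: ("xprv", None, None, True),
    0x049D7878: ("yprv", None, None, True),
    0x04B2430C: ("zprv", None, None, True),
}

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    n, out = int.from_bytes(payload + _checksum(payload), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out  # extended keys begin with 0x04, so no leading-'1' padding is needed

def b58check_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on any non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 82 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("not a well-formed extended key (bad length or checksum)")
    return raw[:-4]  # the 78-byte BIP32 serialization, checksum stripped

def parse_extended_pubkey(s: str) -> dict:
    payload = b58check_decode(s)
    version = int.from_bytes(payload[:4], "big")
    if version not in VERSIONS:
        raise ValueError("unrecognised version prefix 0x%08x" % version)
    name, addr_type, path, is_private = VERSIONS[version]
    if is_private:  # an xprv/yprv/zprv would hand spending power to this device
        raise ValueError(name + " is a private key, not an extended public key")
    if payload[45] not in (2, 3):  # compressed secp256k1 point starts with 0x02/0x03
        raise ValueError("key field is not a compressed public key")
    return {"prefix": name, "address_type": addr_type, "derivation_path": path,
            "depth": payload[4], "child_index": int.from_bytes(payload[9:13], "big"),
            "chain_code": payload[13:45].hex(), "pubkey": payload[45:].hex()}

def make_sample(version: int) -> str:
    # Constructed, NOT a real key: depth 3, hardened child 0', dummy chain code and key field
    lead = b"\x00" if VERSIONS[version][3] else b"\x02"
    payload = (version.to_bytes(4, "big") + b"\x03" + bytes(4) + (1 << 31).to_bytes(4, "big")
               + bytes(range(32)) + lead + bytes(32))
    return b58check_encode(payload)
```

Comparing the parsed prefix of the key you export from cold storage with what your watch-only app expects is the quickest way to catch an address-type mismatch before the first receive.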
Once you've created your watch-only setup, you can also test it: check that the watch-only wallet shows the same transactions as your cold storage wallet. To test that you can receive bitcoin to an address generated by the watch-only wallet, send a small amount of bitcoin to it and then check that your cold storage wallet can see it (and therefore spend it).
To avoid malware attacks, always use a trusted wallet (open-source is better). You can also compare the receiving address your watch-only wallet gives you with the one created by the cold storage wallet.
A watch-only wallet cannot directly spend the bitcoin sent to it. To spend bitcoin, use your original wallet, created from the seed, which has your private keys and can sign a transaction. There are two ways you can do this:
If a watch-only wallet is lost or someone gets into it without you knowing, it's unlikely to be a big problem, because a watch-only wallet cannot spend bitcoin. However, keep in mind that anyone who has your wallet's extended public key can see all of its addresses and the activity on them, past and future. If you want full privacy when using Bitcoin, only share your extended public key with trusted parties.
Criminals sometimes use watch-only wallets to con bitcoin out of inexperienced investors. This is another reason to learn about watch-only wallets - the knowledge protects you from falling victim to a scam.
How the scam works: the criminal gives the victim, an inexperienced Bitcoin user, the public key - but not the seed/private keys. The victim is instructed to create a wallet from the public key, unaware that it is only a watch-only wallet. They are able to buy bitcoin on an exchange and withdraw it to the watch-only wallet; they see the balance and think they have bitcoin safely in their custody. Eventually, though, they discover they are unable to spend or move any of it, because they don't have the private keys to the addresses they are watching - only the scammer does.
Graphical abstract: for when you just need a quick overview or reminder - same stuff as above, just all in one image.