How does a full-node index watch-only addresses?

I can import watch-only addresses into my full-node’s wallet. I can start querying their utxos from that point onward.

  1. Where are watch-only addresses stored and how does my node keep index of their balances / utxos?
  2. If I want to backup and boot a new instance of my node will it retain the indexes associated with my watched addresses?
  3. Is there a limit to how many addresses I can watch, will many make querying inefficient?

bitcoin core – Isn’t an encrypted wallet.dat automatically a “watch-only” wallet?

I have encrypted my wallet.dat outside of this computer. Now I store my wallet.dat on this computer.

If I open it in Bitcoin Core, I can view the balance but not spend it (without entering the decryption passphrase).

Doesn’t this make an encrypted wallet.dat a “watch-only” wallet? Can’t I simply safely keep this on my PC and use the RPC API to check on the balance to make sure that it still contains my coins?

Basically: What is the difference between an encrypted wallet and a “watch-only” wallet? Why would I make a “watch-only” wallet when the encrypted wallet apparently has the same functionality, and is as secure?

How to create descriptor watch-only wallet with bitcoin-cli in Bitcoin Core 0.21?

Using only command line (no GUI), how can I create watch only wallet based on descriptor and get first unused address?

This is the descriptor:


this is the bitcoin-cli command to list addresses based on this descriptor:

./bitcoin-cli deriveaddresses
“wpkh((00000000/84h/0h/0h)xpub6DP….xyz/0/*)#checksum” “(0,2)”

How to create actuall watch only wallet so that I can get automatically first unused address?

Is there anything wrong using a cold wallet from BitKey in watch-only mode on my normal desktop Electrum?

I followed the instruction for cold-offline in BitKey and created my cold wallet on a USB key with BitKey burned and booted from a CD-ROM. I noted the encryption password and the seed phrase on a paper which I will store in a secure location.

The workflow described on the BitKey website would use cold-online mode for watching the wallet (and preparing transactions).

Now, is there anything wrong in adding the watch-only mode (I think BitKey stores the proper information unencrypted on the USB key) to my normal work PC running Electrum on Win 10?

In my opinion, it shouldn’t because no single secret will be exposed. However, I am wondering why the documentation is so keen on emphasizing the workflow with cold-offline and cold-online.

Lastly, I intend to store my Bitcoins for long term. In 10 years I may have forgotten details about the sofware, BitKey may not exist any more, I may not have a CD drive any more, Electrum may be at a completely different version and who knows, it may be hard to import the data.
For that reason I really love the simplistic idea of paperwallets. But individual paperwallets are hard to deal with. Hence I would like to store an export of the public/private key list of my wallet as well. I feel this format will be most barebone and most likely to be importable also in ten years or more (I know that the seed could re-generate them but I hope you get my point).

For backup purposes, I also want to store the AES encrypted contents of the USB key on my NAS. I am thinking of packing the public/private key export into this file as well. Using a very long passphrase and storing it in a KeePass database.

Accidentally Sent BTC to bitcoin core watch-only wallet with private keys disabled

I think I already know the answer to this, but I just want to make sure as it will result in a loss of funds. I have Specter desktop connected to my bitcoin-core. But because I also sometimes use the core wallet as a hot wallet as well, I accidentally generated the address in the core wallet that is linked to my specter wallet, but the core wallet is a watch-only wallet with the priv keys disabled and then I sent funds to this address and not the address generated by specter or my default core hot wallet. But because this is watch-only my core wallet does not have the priv keys. I am doubtful but is their anyway for the wallet to know it generated this key by enabling priv key.

Create unsigned tx (PSBT) in a watch-only wallet using bitcoin core, sign it in electrum and broadcast using bitcoin core

create wallet


Run the below commands in electrum console:

>> getaddresshistory('tb1qu2l4n8st9w3hhsxstd8muaxgnu63fql9rkylmd')
        "height": 1807710,
        "tx_hash": "727707cced87f9bc2a1ca3ed28df39588e9881fd50c272e78bc76a5bb1ffde9c"
>> deserialize(gettransaction('727707cced87f9bc2a1ca3ed28df39588e9881fd50c272e78bc76a5bb1ffde9c'))
    "inputs": (
            "coinbase": false,
            "nsequence": 4294967295,
            "prevout_hash": "99ebe2d047c545a50cf86f0ff5f4c0648437cb8724137f1a33c2f06eb06ef35a",
            "prevout_n": 1,
            "scriptSig": "",
            "witness": "0247304402206379d344d75fbee07f54213378f95e44dc757872d59a35efbc14ec7e1ca7dfd102207a47f9c1be39cafa8f9ac8a879e2b968e2359bead23a1f6598478ed7d141c73d012103ee169045615c663c0204472f86e3c2b2ae43e574146d30607c42fe6d670ac7be"
    "locktime": 0,
    "outputs": (
            "address": "tb1qu2l4n8st9w3hhsxstd8muaxgnu63fql9rkylmd",
            "scriptpubkey": "0014e2bf599e0b2ba37bc0d05b4fbe74c89f351483e5",
            "value_sats": 3000000
            "address": "tb1q7sx47sra5w7kw8we5xeusl4089ryverhjcft6q",
            "scriptpubkey": "0014f40d5f407da3bd671dd9a1b3c87eaf3946466477",
            "value_sats": 61797954
    "version": 2

You get the scriptPubKey in above output which can be used in importmulti command in bitcoin core:

"address": "tb1qu2l4n8st9w3hhsxstd8muaxgnu63fql9rkylmd",
"scriptpubkey": "0014e2bf599e0b2ba37bc0d05b4fbe74c89f351483e5"

Get the public key of the address from details:


If you are using bitcoin core wallet instead of electrum in this example, you can run the getaddressinfo command in console to get scriptPubKey and pubkey of the address.

Run the below command in bitcoin core console to import the address with the details copied from electrum:

importmulti '({"scriptPubKey" : "0014e2bf599e0b2ba37bc0d05b4fbe74c89f351483e5","pubkeys" : ("0304c5184085eea27a072628de03fbb953f5fdd99fb526f097fdd4c6968d165f1a"),"timestamp" : "now","label" : "watch-address-test", "watchonly": true}

You can ignore the steps mentioned above for scriptPubKey and only use the “Public Key” of an address by using descriptor:

We need checksum in importmulti which is returned in descriptorinfo for the public key mentioned


Next, we can run importmulti command (I have used public key for a different address in this command):

importmulti '({"desc" : "wpkh(026641b79d7ffa40ddf994f0277c2649f3ddcbd871194ba6ef87687daea22ca503)#zl4yt8hu","timestamp" : "now","label" : "watch-address-test", "watchonly": true})'


rescanblockchain 1800000 1835099

I can see available inputs in GUI:


We still get an error if trying to create an unsigned tx which involves sending some amount to change address because we aren’t trying to spend the whole balance.


Add a change address for creating unsigned tx:


Option to copy PSBT:


Load transaction using the copied text in electrum:



Copy the hex of signed tx and run the below command in bitcoin core:

sendrawtransaction 020000000001019cdeffb15b6ac78be772c250fd81988e5839df28eda31c2abcf987edcc0777720000000000fdffffff02b3410f0000000000160014112c8ecb9e0876a645e7b8e89eed83bd61096e2c80841e00000000001600145f24e8fbfe65840c27dad3b053855de4cee843820247304402200d7cc29a8588c180e6a460e0eb88ea830db76dbb040a875d45fe8c64c9509a80022060879365af1c6d19e7c47bdbfa402a053ed42809c52db6816cd249dff46529b001210304c5184085eea27a072628de03fbb953f5fdd99fb526f097fdd4c6968d165f1a5f001c00

It returns the transaction id: 4890c14e7635a3e72320046645686052339e443eba56e5a62849a48b3f67f419

You can check the details in a block explorer:

Related questions:

How to create unsigned tx in a watch-only wallet?

How to move/sweep your Bitcoin Core bitcoins safely and air-gapped to your new fancy cold storage?

Related issues:

bip174 psbt – How to create unsigned tx in a watch-only wallet?

Below are the steps that I followed and couldn’t create an unsigned tx. I am not even sure what are the inputs that can be used for it in this case and how to add inputs.

create a watch-only wallet


add one address in ‘sending addresses’


dont see anything in ‘receiving addresses’ and no option to add


open console and run the below commands to add one address

importaddress tb1qu2l4n8st9w3hhsxstd8muaxgnu63fql9rkylmd "receivetesting" false

rescan blockchain to update

rescanblockchain 1800000 1834770

can see the address in ‘receiving addresses’ and balance


How do I create an unsigned tx because I get the below error and dont see anything in available balance or inputs?

Consider the scenario in which I have added an address from my cold storage to watch the balance and now want to create an unsigned transaction that spends from it which I will sign later on a different machine (offline)

Also receiving and sending addresses in a watch-only wallet is confusing. Not sure at this moment how can we make it easier to understand atleast in the GUI.


I found this on reddit related to same issue however didn’t understand how was it resolved:

wallet – You can't spend Watch-Only coins, have I been scammed?

A watch only address means an address of which your wallet tracks the balance, and no more. To have an address, that is to say being able to spend it, you need to know your Private key. All addresses generated by wallet software have their private keys stored by and known to the wallet.

A common scam using surveillance addresses only is:

  1. User is asked to "invest today, win 100 times soon"
  2. The victim pays the malicious actor.
  3. Later the malicious actor says "We have your profits, now you have to import them into your wallet"
  4. The victim is asked to import the address as "only shows" to their portfolio and not the private key necessary to spend the coins.
  5. It takes time for the victim to realize that she cannot spend her balance. However, the malicious actor has already disappeared.

Remember that Bitcoin is a cryptocurrency, which means it is possible to make transactions!!! If the malicious actor was honest, he would ask for the user's address so he can trade and send in his winnings, but importing into a wallet should always be considered shady.