Walley is a non-custodial wallet, which means you — and only you — control your funds. There is no support team that can reset your access, no company that holds a copy of your keys, and no safety net if your credentials are lost. The security practices below are not optional extras; they are the foundation of safe self-custody.
Walley cannot recover your wallet on your behalf. If you lose access to both your passkey and your recovery phrase, your funds are permanently inaccessible.

Protect Your Recovery Phrase

Your 24-word recovery phrase is the ultimate backup for your wallet. Anyone who obtains it gains complete, irreversible access to your funds.
1. Write it down on paper immediately

As soon as your recovery phrase is generated, write all 24 words on paper — in order. Do this before closing or navigating away from the generation screen.
2. Store it offline, never digitally

Never save your recovery phrase in a notes app, password manager, cloud document, email draft, photo, or any digital format. Digital storage creates exposure to breaches, sync leaks, and device compromise.
3. Make a durable copy

Store your written phrase in a secure, fireproof location such as a safe or safety deposit box. Consider making a second physical copy kept in a separate secure location.
4. Record your Party Hint alongside the phrase

When restoring your wallet, you will need both your 24-word recovery phrase and your Party Hint — a short identifier tied to your on-ledger party. Store your Party Hint in the same secure, offline location as your phrase so both are available when you need them.
5. Never share it with anyone

No Walley team member, support agent, or legitimate service will ever ask for your recovery phrase. Treat any request for it — from any source — as a scam.
Never enter your recovery phrase into any website, browser extension, or application other than the official Walley interface. Phishing sites are designed to look identical to legitimate ones.

Secure Your Passkey Device

Your passkey is bound to a specific device and protected by your biometric or device PIN. Keeping your device secure is keeping your wallet secure.
  • Use a strong device PIN or biometric lock. Your passkey is only as strong as the device lock protecting it. Enable Face ID, fingerprint, or a long alphanumeric PIN.
  • Keep your device OS and browser up to date. Security patches close vulnerabilities that attackers exploit. Enable automatic updates where possible.
  • Do not share your device. Avoid letting others use the device where your passkey is registered, even briefly.
  • Register passkeys on devices you own and control. Never create a passkey on a borrowed, public, or workplace-managed device unless you intend to use only that device for wallet access.
  • Plan for device loss. If you lose a passkey device, your recovery phrase is the only way to restore access. Make sure your phrase is stored safely before the device is lost.
If you upgrade or replace your device, create your new passkey and confirm wallet access before decommissioning the old device.

Manage Your Session Safely

A Walley session gives anyone with access to your browser the ability to act on your behalf. Treat an open session with the same care you would treat an unlocked vault.
  • Log out when you finish. Always end your session explicitly, especially on shared, borrowed, or public computers.
  • Do not leave a session unattended. Lock your screen or close the browser if you step away, even briefly.
  • You are responsible for actions taken during your active session. If someone accesses your open session, any transactions they authorize are your responsibility. Walley has no mechanism to reverse on-ledger actions taken through a valid session.
  • Avoid wallet access on public Wi-Fi. Use a trusted network or a VPN when accessing your wallet from shared or unfamiliar networks.
If you suspect your session has been compromised, close the browser immediately, change your device credentials, and review your recent transaction history.

Verify Every Transaction Before Signing

Every transaction you approve is final once submitted to the ledger. There is no undo, no dispute resolution, and no chargeback mechanism.
  • Check the recipient address carefully. Malware can silently swap clipboard addresses. Always verify the full address — not just the first and last few characters.
  • Confirm the asset type and amount. Verify that you are sending the correct asset in the correct quantity before approving.
  • Read smart contract interactions. If a dApp is requesting an action, understand what you are authorizing before you sign. When in doubt, reject the transaction and research first.
  • Be suspicious of urgency. Legitimate services do not pressure you to sign transactions immediately. Time pressure is a social engineering tactic.
On-ledger transactions can be irreversible. Always verify the counterparty, amount, and asset type before submitting any transaction.
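
The check below is an added example, not Walley code: it shows why comparing only the first and last few characters misses a swapped address, and compares a pasted address with a saved one over its full length. The address strings, the `ADDRESS_BOOK` name and the helper functions are constructed for illustration and do not reflect Walley's address format.

```python
# Constructed sample values: not real addresses and not Walley's address format.
SAVED = "9f3a7c" + "1e5b8d02c4a6f7910b3d5e8c2a4f6071" + "b2d4e6"
LOOKALIKE = "9f3a7c" + "7744aa02c4a6f7910b3d5e8c2a4f6071" + "b2d4e6"

# Hypothetical address book the user filled in from a verified source.
ADDRESS_BOOK = {"alice": SAVED}


def abbreviated(addr, n=6):
    """Return the first and last n characters, as a truncated display would."""
    return f"{addr[:n]}...{addr[-n:]}"


def first_difference(a, b):
    """Return the index of the first differing character, or None if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_recipient(label, pasted):
    """Compare a pasted address with the saved one over its full length."""
    expected = ADDRESS_BOOK.get(label)
    if expected is None:
        return False, "no saved address for this recipient"
    pasted = pasted.strip()  # ignore whitespace picked up by copy and paste
    if pasted == expected:
        return True, "full address matches"
    pos = first_difference(expected, pasted)
    if abbreviated(pasted) == abbreviated(expected):
        return False, f"ends match, but the address differs at position {pos}"
    return False, f"address differs at position {pos}"


if __name__ == "__main__":
    for candidate in (SAVED, LOOKALIKE):
        print(abbreviated(candidate), verify_recipient("alice", candidate))
```

Both sample strings abbreviate to the same value, so only the full comparison separates them.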

Exercise Caution with dApp Connections

Walley allows you to connect external decentralized applications to your wallet. These connections extend trust to third-party software that Walley does not control.
  • Only connect dApps you trust. Research any dApp before connecting it. Check its reputation, audit history, and official channels.
  • Review permissions before approving. Understand what a dApp is requesting access to before you grant it.
  • Disconnect dApps you no longer use. Remove inactive connections to reduce your attack surface.
  • Walley is not responsible for third-party dApp behavior. The security, content, and terms of connected dApps are entirely the responsibility of those applications and their operators.
Bookmark the official URLs of dApps you use regularly. Avoid navigating to dApps through links in emails, social media, or messaging apps.

Review Automation Settings Regularly

Walley’s automation features — such as transfer pre-approval and merge delegation — can permit future transactions to execute without per-transaction confirmation. Review these settings regularly.
  • Understand what you have enabled. Check your automation and delegation settings periodically to ensure they reflect your current intentions.
  • Revoke settings you no longer need. Disable pre-approvals or delegations when they are no longer required.
  • Monitor your transaction history. Regularly review completed transactions to catch any unexpected activity early.

Secure Your API and SDK Access

If you use Walley via its API or SDK, your session tokens and environment configuration carry the same authority as an interactive session. Treat them with equivalent care.
  • Store tokens securely. Never hard-code API tokens in source files, commit them to version control, or expose them in client-side code. Use environment variables or a secrets manager.
  • Scope tokens to the minimum required permissions. Request only the access your integration actually needs. Revoke tokens that are no longer in use.
  • Protect your session environment. Ensure the server or environment where Walley SDK calls are made is access-controlled. An unauthorized process that can invoke the SDK on your behalf can transfer your assets.
  • Rotate tokens regularly. Treat a potentially exposed token as compromised immediately — revoke it and issue a new one.
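
The following added example (not part of the Walley SDK) puts a hard-coded token next to an environment lookup, flags the former with a small source check, and loads the token at runtime in a way that fails closed when it is missing. The variable name `WALLEY_API_TOKEN`, the sample sources and the token value are assumptions constructed for illustration. The page does not give Walley's token format, so the check matches on variable names rather than on values.

```python
import re

# Assumption: secrets are assigned to names containing token/secret/api_key.
NAME = r"[A-Za-z_]*(?:token|secret|api_key)[A-Za-z_]*"
# A quoted literal of 8+ characters assigned to such a name (code, YAML or JSON).
HARDCODED = re.compile(
    rf"\b({NAME})['\"]?\s*[:=]\s*(['\"])([^'\"]{{8,}})\2", re.IGNORECASE
)

# Constructed sample sources: the weak form and the corrected form.
BAD_SOURCE = 'import os\nWALLEY_API_TOKEN = "constructed-example-value-0001"\n'
GOOD_SOURCE = 'import os\nWALLEY_API_TOKEN = os.environ["WALLEY_API_TOKEN"]\n'


def find_hardcoded_tokens(source):
    """Return (line number, variable name) for each hard-coded secret.

    The literal value is left out of the result on purpose, so that a
    report or CI log does not become a second copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED.search(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


def load_token(env, name="WALLEY_API_TOKEN"):
    """Read the token from an environment mapping; refuse to run without it."""
    token = env.get(name, "").strip()
    if not token:
        raise RuntimeError(f"{name} is not set; refusing to start")
    return token


if __name__ == "__main__":
    print("hard-coded:", find_hardcoded_tokens(BAD_SOURCE))
    print("env lookup:", find_hardcoded_tokens(GOOD_SOURCE))
```

Run as a pre-commit or CI step, a non-empty result from `find_hardcoded_tokens` should fail the check; at runtime, pass `os.environ` to `load_token`.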