Coldcard Spending Policy: Turn Your Coldcard Into a Programmable Vault
Coldcard's Single Signer Spending Policy (SSSP) is one of the most powerful and underutilized security features on any hardware wallet. It turns a single Coldcard into a highly restrictive, cryptographically enforced vault - limiting how much can move, how often, and where it can go.
Watch on YouTube · Compare hardware wallets on my comparison page
This post walks through the full setup from my video tutorial. You'll learn what spending policy is for, how to configure it on a Coldcard Q, how the locked-down menu works, how to test that rules are enforced, and how to exit back to normal unlimited spending mode.
Why this matters
Spending rules are enforced at the signing layer itself - not in companion software. That makes them especially useful against a $5 wrench attack, device theft while traveling, or any scenario where someone has physical access and your PIN. You can cap how much Bitcoin moves, how often transactions can be sent, and whitelist where funds are allowed to go.
What Spending Policy Does
When active, Coldcard's spending policy can restrict signing unless all configured conditions are met:
- Max magnitude: Cap the maximum BTC amount per transaction.
- Velocity: Require a minimum number of blocks between spends (e.g. only one transaction every 8 hours).
- Address whitelisting: Only allow sends to pre-approved addresses - even if someone has your PIN.
- Optional 2FA: Require confirmation from a mobile authenticator app (needs NFC enabled).
Activating policy also locks down the device: seed backups, firmware menus, passphrase settings, and most sensitive options are hidden until you unlock with a special bypass PIN. Think of it as a travel mode or coercion-resistant mode baked into the hardware.
SSSP works on a single-signer Coldcard today, and can also be part of a multisig setup for more advanced custody models.
Step 1: Open Spending Policy Settings
- Power on your Coldcard and unlock with your normal PIN (and passphrase wallet if you use one).
- Go to Advanced/Tools.
- Scroll to Spending Policy near the bottom.
- Select Single Signer (multisig is also supported, but this guide covers single-sig).
Coldcard will explain that spending policies block signing unless your conditions are met, and that the device enters a restricted mode limiting seed access, backups, settings, and other features.
Step 2: Create the Bypass PIN
First, define a new PIN used only to bypass or disable the spending policy. This is separate from your main wallet PIN.
Write it down with the prefix and anti-phishing words Coldcard shows you. If you lose this bypass PIN, you cannot exit spending policy mode without wiping the device and restoring from your seed backup. Choose something memorable but not trivial - the demo in the video uses a simple PIN for clarity; use a strong one in production.
Step 3: Edit Your Policy Rules
From the policy editor, configure each rule you want enforced:
Max magnitude
Set the maximum BTC allowed per transaction. Default is 1 BTC. In current firmware you can only increase this value in whole-Bitcoin steps (no fractional amounts like 0.5 BTC yet). For the demo I set 2 BTC. A future firmware improvement would be sub-BTC limits - e.g. capping at 1 million sats so a worst-case loss stays around $1,000 instead of a full coin.
Velocity (blocks between transactions)
Limit how frequently you can sign. Examples from the menu:
- Unlimited (default) - no cooldown between spends.
- 6 blocks - roughly one hour between transactions.
- 48 blocks - roughly eight hours (what I used in the demo).
Address whitelisting
Add one or more destination addresses by scanning a QR code or importing from file. This is powerful for travel or inheritance workflows: even if someone has full PIN access, they can only send to addresses you pre-approved.
A practical use case: whitelist your own exchange deposit address or another cold wallet you control. A thief could not drain funds to their own address - only to destinations you defined in advance.
In the video I whitelisted a Sparrow wallet receive address, scanned the QR with the Coldcard Q camera, confirmed the address on my computer, and saved it to the policy.
Optional mobile 2FA
You can require a mobile authenticator for any spend. Coldcard generates a shared secret and loads it on your phone via QR code. This feature requires NFC to be enabled on the device. I skipped 2FA in the demo, but it is straightforward to add if you want another layer on top of magnitude, velocity, and whitelisting.
Step 4: Activate the Policy
Review your settings (max amount, velocity, whitelist, optional 2FA), then choose Activate.
Coldcard warns that returning to unlimited spending requires entering the special bypass PIN first, then your main PIN. Keep both recorded securely.
What Changes After Activation
Your Coldcard menu shrinks dramatically. You typically see:
- Ready to Sign
- Scan Any QR Code
- Address Explorer
- Advanced/Tools (limited subset)
Under Advanced/Tools you lose access to seed viewing, passphrase management, and most firmware/backup menus. You can still export the wallet to companion software and use the device for signing within your policy rules - but you cannot casually view or exfiltrate sensitive material.
Important: Entering your normal main PIN alone does not exit policy mode. You land back in the restricted menu every time. Only the bypass PIN sequence unlocks full access.
Testing the Rules in Sparrow
I verified the policy live using Sparrow Wallet connected to the same Coldcard Q wallet:
Test 1: Non-whitelisted address (should fail)
- Select UTXOs and create a send to an address not on the whitelist.
- Finalize for signing and show the QR code.
- Scan with the Coldcard Q.
Result: Spending policy violation. The device does not tell you which rule failed - that is intentional. An attacker cannot probe the policy by learning whether magnitude, velocity, or whitelist blocked them.
Test 2: Whitelisted address (should succeed)
- Create a send to your whitelisted address.
- Scan the signing QR on the Coldcard.
Result: Coldcard shows transaction details (e.g. "OK to send, consolidating within wallet") and allows signing. I saved the signed transaction to microSD and broadcast it from Sparrow. The spend confirmed on chain.
Test 3: Velocity limit (should fail)
- Immediately try a second spend to the whitelisted address before the block cooldown expires.
- Scan for signing again.
Result: Spending policy violation again - this time because the 48-block (8-hour) velocity rule had not elapsed since the prior transaction. Whitelist alone is not enough if you are spending too soon.
How to Exit Spending Policy Mode
To return the Coldcard to normal unlimited operation:
- Power on the device.
- Enter your bypass PIN (not your main PIN first).
- Confirm anti-phishing words when prompted.
- When you see "Spending policy unlock," enter your main PIN.
- Go to Advanced/Tools → Spending Policy.
- Choose Remove Policy (or edit if you want to keep it with changes).
- Confirm removal. Bypass PIN and all policy settings are forgotten.
You are now back in the full Coldcard menu with unrestricted signing and full settings access.
Inheritance and Long-Term Custody Notes
Spending policy can fit into a broader inheritance or travel protocol - for example, a heir or attorney might hold a device configured to only send to a known estate wallet or exchange account in their name. But remember: a Coldcard is still an electronic device. Paper backups, clear written instructions, and redundant key material remain essential. Policy mode reduces coercion and theft risk; it does not replace backup discipline.
Current Limitations
- Max magnitude currently steps in whole BTC only - sub-coin limits would make travel mode far more practical for most holders.
- Policy violations give no detail on which rule failed (good for security, harder for debugging).
- Losing the bypass PIN means wipe-and-restore - treat it like seed-level critical material.
Overall, Coldcard has thought this through well. SSSP is one of the strongest reasons to choose a Coldcard Q if you want programmable, hardware-enforced spending guardrails.
Watch the full walkthrough: Coldcard Spending Policy Tutorial (YouTube).
Want help configuring spending policy for your setup?
Book a one-on-one session and we'll design magnitude, velocity, and whitelist rules for your threat model - travel, inheritance, multisig, or full self-custody hardening.
Book a Session