Wirex One gives you true ownership of your assets — your money lives in a wallet only you control — with the simplicity of a normal banking app. There are no seed phrases to write down and no passwords to remember. You sign in with your email and a passkey, and your wallet is ready.
This is made possible through Wirex's partnership with Privy, the wallet infrastructure that secures the keys behind your account. Privy secures millions of wallets for consumer apps, fintechs, and banks.
Two different things, often confused. This FAQ is about how you own and access your wallet (your keys, your logins). The separate Privacy & Confidentiality FAQ covers how your transactions stay private on-chain (Circle Arc). Wallet security and transaction privacy are two distinct layers.
Part 1 — The basics
Do I need a seed phrase or to manage private keys?
No. Wirex One creates and secures your wallet for you behind the scenes. There is no seed phrase to write down, store, or lose, and nothing to copy between devices. You get the security of a real crypto wallet with the experience of a normal app.
How do I sign in and approve actions?
With your email and a passkey. You verify your email once, and your passkey — secured by your device — is what you use to sign in and authorise sensitive actions like sending funds. No passwords to create, reuse, or have stolen.
What is a passkey, and why is it safer than a password?
A passkey is a modern sign-in credential built into your phone, tablet, or computer, unlocked by your normal device security (Face ID, fingerprint, or device PIN). Unlike a password, a passkey is unique to each app, never typed, and cannot be guessed, reused, or phished. There is no shared secret for an attacker to steal from a database or trick out of you on a fake website.
Do I actually own my wallet, or does Wirex hold it for me?
You own it. Wirex One is non-custodial: your wallet is controlled by keys that only you can authorise the use of. Neither Wirex nor Privy holds your assets on your behalf or can move your funds. Your assets, your control.
Who is Privy, and why does Wirex use them?
Privy is specialist wallet infrastructure that creates and protects the keys behind your Wirex One wallet. Rather than building this sensitive layer from scratch, Wirex partners with a provider whose security has been independently audited and is trusted to secure millions of wallets across major consumer and financial apps. Importantly, the design means Privy itself cannot access your keys.
What happens if I lose my phone?
You don't lose your wallet. Passkeys are typically backed up through your device's secure cloud keychain (such as Apple iCloud Keychain or Google Password Manager), so signing in on a new device can restore your access. Combined with re-verifying your email, you can re-establish access to the same wallet on a new device. (The exact recovery options available in Wirex One may evolve — always check the in-app guidance.)
What if I forget my password?
There is no password to forget. Access is based on your email plus your passkey, which lives securely on your devices.
Can I move my wallet somewhere else, or am I locked in?
You are not locked in. Wirex One lets you export your wallet's private key, so you can use the same wallet address in another wallet app such as MetaMask or Phantom. This is what true ownership means in practice: your wallet is yours to take with you.
Is my wallet safe even if Wirex or Privy went away?
Yes. Because the model is non-custodial and your key is exportable, your assets are not dependent on any single company continuing to operate. You can always move your wallet elsewhere.
Part 2 — How it works
How can my wallet be secure without a seed phrase?
Instead of one secret phrase that you have to guard, your wallet's private key is mathematically split into encrypted pieces ("shares") stored in separate places. No single piece reveals anything about your key, and the full key is only ever briefly reassembled inside secure hardware at the moment you authorise an action — then immediately destroyed. This removes the single point of failure that seed phrases represent.
What is a "secure enclave" (TEE)?
A trusted execution environment, or TEE, is a hardware-isolated area of a computer — Privy uses AWS Nitro Enclaves — with no persistent storage, no general network access, and no operator access. Even Privy's own engineers cannot read what happens inside it. Your key is only ever assembled and used inside this protected environment.
Where are my keys, and who can see them?
Your full private key is never stored anywhere as a whole. It exists only as separate encrypted shares: one tied to your login (your authenticated session), and one protected inside the secure enclave. They are only brought together momentarily inside the enclave to sign an action you requested, and the assembled key is wiped right after. Neither Wirex nor Privy can extract your key.
What actually happens when I send money?
You authenticate with your passkey, which authorises the action. Your encrypted key shares are brought into the secure enclave, your key is reconstructed in isolated memory just long enough to sign the transaction, the signed transaction is sent to the network, and the key is destroyed. Every signature requires your fresh authorisation.
Why are passkeys phishing-resistant?
A passkey is cryptographically bound to the genuine Wirex One app and your device. It produces a unique signature that only works for the real app, so it can't be entered into a lookalike phishing site, and there is no reusable secret to capture. This is a meaningful step up from passwords and even from SMS codes.
Part 3 — For the technically minded
What exactly is the key architecture?
Privy uses distributed key sharding with Shamir's Secret Sharing (SSS) combined with TEEs. Your private key is split into encrypted shares held across separate security boundaries — typically an auth share (encrypted and released only against a valid authenticated session) and an enclave/TEE share (decryptable only inside the enclave), with a recovery share used to provision new devices. No share in isolation yields any information about the key, and reconstruction only ever happens inside the TEE. Privy's shamir-secret-sharing library is open-source and independently audited.
How is my wallet generated?
At creation, the enclave generates 128 bits of entropy from a cryptographically secure RNG, converts it to a BIP-39 mnemonic, and derives a hierarchical-deterministic (HD) wallet. The key is immediately sharded and the shares encrypted and distributed; the complete key never persists outside the enclave.
How does signing work end to end?
A signing request is authenticated, then forwarded to the TEE along with the auth share. The enclave verifies authorisation against the wallet's policies, decrypts the enclave share, combines it with the auth share to reconstruct the private key in-memory, signs, and returns only the signature. The reconstructed key never persists beyond the operation. Attestation lets the system cryptographically verify exactly what code is running inside the enclave.
How does login translate into wallet authority?
After you sign in through a verified session (email or passkey), Privy issues time-bound authorisation keys. These are required to sign and they expire quickly, so control of the wallet stays with the currently authenticated user rather than any long-lived credential.
How does recovery and new-device provisioning work?
The recovery share is always encrypted such that only you can decrypt it. To set up a new device, you log in, decrypt the recovery share on-device, combine it with the auth share to reconstruct the key, then re-split it into a fresh device share. Privy never sees your key during this process. For backup, Privy supports cloud-based recovery (the encrypted recovery secret backed up to a cloud provider) and password-based recovery; passkeys themselves are also typically synced via the platform keychain. With password-based recovery there are no resets — losing both device and password means losing access, which is the inherent trade-off of self-sovereign control.
How does key export work?
Export is supported and, by Privy's design, enabled by default for wallet owners. When you export, your private key is assembled on an isolated origin separate from the app and transmitted using Hybrid Public Key Encryption (HPKE) — so neither Wirex nor Privy can ever see it; you are the only party that can access your full private key. Exported Ethereum keys are standard hex and load directly into wallets like MetaMask. (Applications can optionally require a 2-of-2 authorisation quorum to gate export; Wirex One's policy is communicated in-app.)
What protects the enclave software itself?
Code deployed to the TEE goes through strict multi-party review, hardware-security-key approvals, automated security testing, staged deployments, and signed build artifacts — regularly audited to prevent unauthorised modification.
Part 4 — Honest notes & responsibilities
We want you to understand the trade-offs of truly owning your wallet.
- Self-sovereign access cuts both ways. Because no one else holds your keys, no one — including Wirex — can move your funds without your authorisation. The flip side is that you are responsible for maintaining your access factors (your email and passkeys) and any recovery method you set up. Keep passkey cloud backup enabled and your email secure.
- Exporting shifts responsibility to you. If you export your private key and use it elsewhere, that copy is outside Wirex One's protections and is entirely your responsibility to safeguard.
- Privy is a trusted infrastructure partner. Like any enclave-based system, the design relies on the security guarantees of the TEE hardware and Privy's audited implementation, chosen specifically to remove single points of failure and to keep keys inaccessible to any single party — including Privy.
- Device security matters. Your passkeys are protected by your device security (biometrics/PIN). Keeping your devices locked and up to date is part of keeping your wallet safe.