Foundation’s mobile Bitcoin wallet and companion app for iOS and Android. Envoy pairs with Passport Prime and Passport Core to manage your Bitcoin wallet, deliver firmware updates, and provide features like Magic Backups and a built-in hot wallet . Envoy can also be used as a standalone mobile Bitcoin wallet without a Passport device.

Explore Envoy documentation →

The open-source operating system that powers Passport Prime. KeyOS is a Rust-based microkernel OS that manages all of the device’s apps, including the Bitcoin App , 2FA App , Keys App , Files App , and Vault . Its microkernel architecture isolates each app in its own secure sandbox, so a problem in one app cannot affect others.

Learn more about Passport Prime →

Foundation’s original airgapped Bitcoin hardware wallet (discontinued). Passport Core featured a camera for QR code scanning, a microSD card slot, and communicated exclusively through QR codes and microSD with no wireless connectivity. While Passport Core is no longer in production, Foundation continues to provide firmware updates and documentation support.

Explore Passport Core documentation →

Foundation’s flagship Personal Security Platform. Passport Prime secures your Bitcoin, 2FA codes, security keys, and important files in a single device. It features a 3.5-inch touchscreen with Gorilla Glass 5, QuantumLink Bluetooth connectivity, 50GB of encrypted storage , NFC for KeyCard backups, and runs KeyOS .

Explore Passport Prime documentation →

Passport Prime includes 50GB of hardware-encrypted storage using AES-XTS encryption. Your files are encrypted automatically at the hardware level, so even if someone removed the storage chip from the device, the data would be unreadable. Storage is organized into three areas: Internal (private, encrypted), Airlock (secure buffer for transferring files), and External (for plugged-in storage).

Learn more about the Files App →

The scratch-resistant glass that covers Passport Prime’s 3.5-inch touchscreen. Gorilla Glass 5 is designed to survive drops and resist scratches from everyday use, protecting the capacitive touchscreen underneath.

A short-range wireless technology used in Passport Prime for tapping KeyCards to create and restore Magic Backups . NFC requires the card to be held within a few centimeters of the device. NFC can be toggled on or off from the Passport Prime control panel by swiping down from the top of the screen.

Learn about NFC features →

A dedicated tamper-resistant security chip (ATECC608C) inside Passport devices that stores your private keys. The Secure Element is designed so that private keys can never be extracted, even if an attacker has physical access to the device. It also provides hardware random number generation and handles cryptographic operations like PIN stretching .

Passport Prime includes active tamper detection that monitors whether the device has been physically opened or modified. If tampering is detected, the device erases all sensitive data including your Master Key to protect your Bitcoin. This happens automatically and cannot be overridden.

The port on Passport Prime used for both charging and data transfer. USB-C data transfer enables features like the Files App (encrypted storage access) and FIDO security keys. You can disable USB data transfer from the control panel while still allowing charging, if you prefer to limit connectivity. Passport Core used USB-C for charging only.

Learn about device features →

A secure buffer zone within Passport Prime’s encrypted storage . Airlock acts as a privacy gateway between your device and any computer you connect to via USB-C. When you plug Passport Prime into a computer, only the Airlock area is visible, not your private Internal storage. You move files in and out of Airlock on the device itself, giving you full control over what is exposed.

Learn more about the Files App →

A security feature that prevents anyone from installing an older version of Passport firmware on your device. Each firmware update includes a timestamp stored in the Secure Element . If someone attempts to install firmware older than what is currently recorded, the device will reject it. This protects against attacks that exploit vulnerabilities in previous firmware versions.

An open authentication standard that allows Passport Prime to act as a hardware security key for logging into websites and services. Instead of relying on passwords alone, FIDO lets you authenticate by tapping your Passport Prime via NFC or connecting via USB-C . You can register multiple services and manage them in the Keys App .

Learn about the Keys App →

NFC-enabled backup cards that store a part of your wallet’s seed phrase as part of the Magic Backups system. Passport Prime ships with three KeyCards: two are used during setup (one for the backup part, one spare) and one remains as a backup. You tap a KeyCard against Passport Prime or your phone to read or write backup data. KeyCards ship inside Faraday sleeves for protection.

Learn more about KeyCards →

An automatic backup system that splits your wallet’s seed phrase using Shamir Secret Sharing into a 2-of-3 scheme. One part is stored on a KeyCard , one is stored in Envoy , and one is stored on Foundation’s server. Any two of the three parts can reconstruct your full seed phrase, so no single point of failure can lock you out.

Learn more about Magic Backups →

The root secret stored on Passport Prime from which all of your accounts and seed phrase are derived. If you enter the wrong PIN 10 times, the Master Key is erased to protect your funds. You can always recover using your seed phrase backup or Magic Backups .

A 6-to-12 digit code that locks your Passport Prime. You set your PIN during initial setup, and it is required every time you unlock the device. After 10 incorrect attempts, the device erases your Master Key as a security measure. PINs can be numeric or alphanumeric on Passport Prime.

A security technique used by Passport Prime to make PIN guessing attacks extremely slow. When you enter your PIN, the device runs it through multiple rounds of cryptographic hashing combined with the Secure Element , which adds a significant time delay to each attempt. This means that even if an attacker had physical access, brute-forcing your PIN would take an impractical amount of time.

Passport Prime’s encrypted Bluetooth connection. QuantumLink uses a hybrid encryption scheme that combines traditional cryptography with post-quantum algorithms (designed to resist future quantum computers). The initial pairing is verified via QR code to prevent man-in-the-middle attacks. QuantumLink is used for communication between Passport Prime and Envoy , including firmware updates and wallet sync. You can disable QuantumLink from the control panel at any time.

Learn more about QuantumLink →

The process Passport Prime uses to verify that its software has not been tampered with each time it powers on. Starting from a hardware root of trust, each stage of the boot process verifies the next before handing off control. If any stage fails verification, the device will not boot, protecting you from running compromised software.

An optional anti-tamper feature on Passport Prime. When enabled, the device displays a unique pair of words during startup that are derived from your device’s identity and Master Key . If the words ever change unexpectedly, it could indicate the device has been tampered with. This gives you a quick visual check each time you power on.

A time-based one-time password (TOTP) manager built into Passport Prime. The 2FA App stores your two-factor authentication codes offline on the device, so they are never exposed to your phone or computer. You can scan QR codes to add services, organize entries with color coding, and view codes on Passport Prime’s screen when logging in.

Learn more about the 2FA App →

The primary wallet application on Passport Prime for managing your Bitcoin. The Bitcoin App handles receiving, sending (via PSBT signing), and managing multiple Bitcoin accounts. It supports multiple address types and works with a range of compatible wallet software .

Learn more about the Bitcoin App →

Passport Prime’s encrypted file storage application. The Files App gives you access to the device’s 50GB of encrypted storage , organized into three areas: Internal (private storage only accessible on the device), Airlock (secure buffer visible when connected via USB), and External (for plugged-in storage devices).

Learn more about the Files App →

The security key manager on Passport Prime. The Keys App lets you use Passport Prime as a FIDO hardware security key for websites and services that support it. You can register multiple services and authenticate via NFC tap or USB-C connection.

Learn more about the Keys App →

The multi-purpose secrets manager on Passport Prime. The Vault manages multiple seed phrases via BIP-85 child seed derivation (generating independent seed phrases from your Master Key), NIP-06 Nostr key generation, and password management. Each derived seed is mathematically independent but recoverable from your Master Key backup.

Learn more about the Vault →

A string of characters that represents a destination for a Bitcoin payment, similar to a bank account number. Each address is derived from a public key and corresponds to a specific location on the Bitcoin network. Passport Prime and Envoy generate new addresses automatically for each transaction to improve privacy. You should never reuse addresses.

See also: Address types

A security measure where a device is physically isolated from the internet and other networks. An air-gapped device has no Wi-Fi, no cellular connection, and no wired network access. Passport Core was fully air-gapped, communicating only via QR codes and microSD. Passport Prime can also operate in an air-gapped manner using QR code signing when QuantumLink and USB-C data are disabled.

Bitcoin supports several address formats, each with different features and fee characteristics:

• Legacy (P2PKH): The original Bitcoin address format, starting with “1”. Highest transaction fees.
• Nested SegWit (P2SH-P2WPKH): A transitional format starting with “3”. Lower fees than Legacy.
• Native SegWit (P2WPKH): The current standard, starting with “bc1q”. Lower fees and better efficiency. This is the default on Passport Prime.
• Taproot (P2TR): The newest format, starting with “bc1p”. Offers privacy improvements and is used for advanced features. Can be enabled in Passport Prime settings.

Most users should use Native SegWit (the default) unless they have a specific reason to choose another format.

A Bitcoin standard for deriving independent child seed phrases from a single master seed. Passport Prime uses BIP-85 in the Vault to generate separate seed phrases for different purposes (such as a mobile wallet or a Nostr identity) that are all recoverable from your one Master Key backup.

A decentralized digital currency that operates without a central authority. Bitcoin transactions are recorded on a public ledger called the blockchain. Foundation’s products are designed to help you securely store and manage your own Bitcoin through self-custody .

A batch of Bitcoin transactions that have been verified and permanently recorded on the blockchain. A new block is added roughly every 10 minutes by miners. Each block references the previous one, forming a continuous chain. When you send Bitcoin, your transaction is included in a block once it receives a confirmation .

A website or tool that lets you look up Bitcoin transactions , addresses , and blocks on the blockchain. The most popular explorer is mempool.space. You can use a block explorer to verify that a transaction has been sent, check how many confirmations it has, or inspect the details of any address . Block explorers show all public blockchain data but cannot reveal who owns an address.

A method of storing Bitcoin where the private keys are kept on a device that is not connected to the internet. Both Passport Prime and Passport Core are cold storage devices. Cold storage protects your Bitcoin from online attacks, malware, and remote hacking because the keys never touch an internet-connected device.

A feature in Envoy that lets you manually select which specific Bitcoin outputs (UTXOs ) to use when sending a transaction. Coin control is useful for privacy, allowing you to avoid combining Bitcoin from different sources in a single transaction, and for fee management, letting you spend specific outputs strategically.

A count of how many blocks have been added to the blockchain since your transaction was included. One confirmation means your transaction is in the most recent block. Six confirmations is widely considered irreversible for large amounts. Envoy shows the confirmation count for each transaction in your activity feed. Most everyday transactions are considered safe after one or two confirmations.

A formula that tells a wallet how to generate addresses from your seed phrase . Different derivation paths produce different sets of addresses, which is why choosing the correct path matters when connecting Passport to third-party wallet software like Sparrow . Common paths include m/84’/0’/0’ for Native SegWit and m/86’/0’/0’ for Taproot . If your wallet software shows a zero balance after importing, the derivation path is usually the first thing to check.

A Bitcoin wallet that is connected to the internet, making it convenient for everyday transactions but more exposed to online threats than cold storage . Envoy functions as a hot wallet when used standalone (without a Passport device). For larger amounts, Foundation recommends using Passport Prime as your primary cold storage and Envoy as your spending wallet.

A Bitcoin security setup that requires more than one private key to authorize a transaction. For example, a 2-of-3 multisig requires any two out of three keys to sign. Multisig can be used with Passport devices alongside compatible wallet software like Sparrow , Nunchuk , or Specter . It adds an extra layer of security because no single compromised device can move your funds.

A computer running Bitcoin software that validates transactions and blocks independently. Running your own node gives you the highest level of privacy and trustlessness because you verify everything yourself rather than relying on a third party. You can connect Envoy or Sparrow to your own node for fully sovereign Bitcoin use alongside your Passport device.

Software whose source code is publicly available for anyone to inspect, modify, and distribute. Foundation’s hardware designs and firmware are open source, meaning security researchers and the community can verify that the code does what it claims. Open source is a core principle for Foundation because Bitcoin security should not depend on trusting a company’s private code.

An optional additional word added to your seed phrase that creates an entirely separate Bitcoin wallet. Think of it as a password on top of your seed phrase. On Passport Prime, the passphrase is never saved to the device and is cleared when the device powers off. This means you must enter it each time you want to access the passphrase-protected wallet. It provides plausible deniability: your main seed phrase opens one wallet, and the seed phrase plus passphrase opens a different, hidden wallet.

A standard format for passing unsigned or partially signed Bitcoin transactions between devices. PSBTs are what make airgapped signing possible: you create a transaction in your wallet software (like Envoy or Sparrow ), transfer it to Passport via QR code, USB-C , or microSD, sign it on Passport, and then send the signed transaction back to your wallet software for broadcasting to the Bitcoin network.

Replace-by-Fee (RBF) is a Bitcoin feature that lets you increase the fee on an unconfirmed transaction to speed up its confirmation. In Envoy , this feature is called “Boost.” If your transaction is stuck in the mempool because the fee was too low, you can boost it by broadcasting a replacement transaction with a higher fee.

A set of 12 or 24 words that represents your Bitcoin wallet’s master private key. Your seed phrase can recover your entire wallet on any compatible device if your Passport is lost or damaged. Foundation recommends storing your seed phrase securely offline and never sharing it with anyone.

Note: Foundation uses the term “seed phrase.” You may see other sources refer to this as a “recovery phrase” or “mnemonic.” They all mean the same thing.

Learn about backup options →

Holding your own Bitcoin private keys rather than trusting a third party like an exchange. When you use a Passport device, you are practicing self-custody because your keys are stored on your device and never shared with Foundation or anyone else. The common expression is: “not your keys, not your coins.”

The smallest unit of Bitcoin. One Bitcoin equals 100 million satoshis (sats). Satoshis are named after Bitcoin’s pseudonymous creator, Satoshi Nakamoto. Most wallets, including Envoy , let you display balances in sats instead of BTC, which many users find easier to read for smaller amounts. For example, 0.00050000 BTC is the same as 50,000 sats.

A Bitcoin upgrade (activated in 2021) that improves transaction privacy and efficiency. Taproot transactions use Schnorr signatures and start with “bc1p”. On Passport Prime, Taproot address support can be enabled in the Bitcoin App settings. Taproot is optional and not enabled by default.

A transfer of Bitcoin from one address to another, recorded permanently on the blockchain. Every transaction specifies which UTXOs to spend, where to send the Bitcoin, and a fee paid to miners for processing. When you send Bitcoin from Passport Prime, you sign the transaction on the device and then broadcast it via Envoy or your chosen wallet software.

A small amount of Bitcoin paid to miners to include your transaction in a block . Fees are based on the size of your transaction in bytes, not the amount of Bitcoin being sent. When the mempool is busy, fees rise because more people are competing for block space. Envoy suggests an appropriate fee based on current network conditions, and you can adjust it manually. If a transaction gets stuck, you can increase the fee using RBF / Boost .

An individual piece of Bitcoin that you can spend. When you receive Bitcoin, it arrives as a UTXO. When you send Bitcoin, you spend one or more UTXOs and typically receive change back as a new UTXO. Think of UTXOs like individual bills in a physical wallet. Coin control in Envoy lets you choose which specific UTXOs to spend.

A wallet that can track balances and generate addresses but cannot sign or send transactions because it does not hold the private keys. Envoy acts as a watch-only wallet when paired with Passport Prime. It shows your balance and creates transactions, but the actual signing happens on Passport Prime where your keys are stored in cold storage . This separation is what keeps your Bitcoin secure.

The waiting area where Bitcoin transactions sit before they are confirmed by miners and added to the blockchain. When you send a Bitcoin transaction, it enters the mempool first. Transactions with higher fees are typically confirmed faster. If your transaction is stuck, you can use RBF / Boost to increase the fee.

A backup of your wallet data that is protected by encryption, making it unreadable without the correct decryption key. Passport devices support encrypted backups to microSD cards. Magic Backups also protect each part stored on the KeyCard and in Envoy .

Learn about backup options →

RFID-blocking protective sleeves that ship with your KeyCards . Faraday sleeves prevent the KeyCards from being read wirelessly by NFC unless you intentionally remove them from the sleeve. Store your KeyCards in their Faraday sleeves when not in use to prevent unauthorized scanning.

A part stored on a KeyCard via NFC as part of the Magic Backups system. During Passport Prime setup, you tap a KeyCard to write one of the three Shamir Secret Sharing parts to the card. This part, combined with any one of the other two parts, can recover your full seed phrase .

Learn about Magic Backups →

A method of encoding your seed phrase as a QR code for quick import and export between devices. SeedQR is supported on Passport Core for importing seed phrases by scanning a QR code with the built-in camera, and on Passport Prime for both import and export. It provides a faster alternative to manually typing 12 or 24 words.

A cryptographic scheme that splits a secret (like a seed phrase ) into multiple parts (called “shards” in the Shamir standard), where only a specified number of parts are needed to reconstruct the original secret. Foundation uses a 2-of-3 Shamir Secret Sharing scheme in Magic Backups , meaning any two of the three parts can recover your wallet. No single part reveals anything about your seed phrase on its own.

One piece of a seed phrase that has been split using Shamir Secret Sharing . In the Magic Backups system, three parts are created. Each part is useless on its own but combining any two of the three reconstructs your full seed phrase. Parts are stored on a KeyCard , in Envoy , and on Foundation’s server. You may see the technical term “shard” used in other documentation to mean the same thing.

Separate Bitcoin wallets within Envoy that let you organize your funds for different purposes. For example, you might have one account for savings (connected to your Passport Prime) and another as a spending hot wallet . Each account has its own set of addresses and transaction history.

A Bitcoin voucher service integrated into Envoy . Azteco vouchers let you purchase Bitcoin with cash at participating retailers and redeem the voucher directly in Envoy. This provides a way to acquire Bitcoin without linking a bank account or credit card.

A map of Bitcoin ATMs and merchants integrated into Envoy . Coinmap helps you find nearby locations where you can buy Bitcoin with cash or spend Bitcoin at physical stores.

See the full definition under Hardware & Design .

The wireless technology underlying QuantumLink . BLE is a low-power version of Bluetooth designed for short-range communication. On Passport Prime, BLE is handled by a dedicated microcontroller that is physically separate from the main security processor, so Bluetooth cannot directly access your private keys. BLE can be completely disabled via a hardware-level kill switch in the control panel.

A method of signing Bitcoin transactions by scanning QR codes between your wallet software and your Passport device. QR code signing is fully airgapped because no electronic connection is needed. Passport uses animated QR codes based on the UR (Uniform Resources) standard to handle larger transactions that do not fit in a single QR code.

See the full definition under Security Features .

A standard for encoding data in QR codes, used by Passport for airgapped Bitcoin transaction signing. Because Bitcoin transactions can be too large for a single QR code, the UR standard splits them into animated sequences of QR codes that your wallet software and Passport scan back and forth. This is sometimes called “fountain coding” because the data flows in a continuous stream that can recover from missed frames.

An open-source Bitcoin wallet for iOS and Android. BlueWallet supports connecting to Passport via QR code for airgapped transaction signing. It offers a clean, beginner-friendly interface alongside advanced features.

The reference implementation of Bitcoin’s full node software. Running Bitcoin Core gives you the highest level of privacy and verification because you validate all transactions yourself. Passport can be used with Bitcoin Core for transaction signing via PSBT files.

A self-hosted, open-source Bitcoin payment processor. BTCPay Server can be integrated with Passport for signing incoming payment transactions. It is commonly used by merchants who want to accept Bitcoin without relying on a third-party payment processor.

A multisig Bitcoin custody service. Casa provides a user-friendly interface for managing multi-key vaults, where Passport can serve as one of the signing keys. Casa is designed for users who want multisig security without the complexity of managing it entirely on their own.

A long-established desktop Bitcoin wallet known for its speed, reliability, and advanced features. Electrum supports Passport via PSBT files for airgapped transaction signing and offers detailed coin control and transaction management.

A Bitcoin wallet focused on multisig and inheritance planning. Keeper supports Passport as a signing device and offers features like vault management and collaborative custody arrangements.

A multisig Bitcoin wallet available on desktop and mobile. Nunchuk makes it easy to set up multi-key vaults using Passport and other hardware wallets. It supports both individual and collaborative multisig setups.

Learn about Nunchuk + Passport →

A popular desktop Bitcoin wallet designed for privacy-conscious users. Sparrow offers comprehensive coin control , transaction visualization, and supports Passport via QR code, USB, and PSBT file. It is one of the most commonly used companion wallets for Passport devices.

Learn about Sparrow + Passport →

A desktop Bitcoin wallet focused on multisig setups with hardware wallets. Specter makes it straightforward to create and manage multi-key configurations with Passport alongside other signing devices.

A mobile Bitcoin wallet with Lightning Network support. Zeus can connect to your own Lightning node and supports on-chain Bitcoin management. Passport can be used with Zeus for on-chain transaction signing.

Foundation’s public discussion forum at community.foundation.xyz, powered by Discourse. The forum is a place to ask questions, share tips, discuss features, and connect with other Passport and Envoy users. Foundation team members also participate in discussions and share updates.

Foundation’s premium one-on-one onboarding service. Concierge provides a 60-minute video call where a Foundation team member walks you through setting up your Passport Prime, configuring your wallet, and answering any questions. Concierge is ideal for customers who want hands-on guidance or who are new to Bitcoin self-custody .

Learn more about Concierge →