How to Connect Your XRPL Wallet to dApps and Submit Transactions - Securely

A guide to connecting your XRPL wallet to apps like Squid - securely
Getting onchain is where crypto gets fun - swapping assets, exploring dApps, earning rewards. But the moment you connect your wallet or sign a transaction is also when you’re most vulnerable to scams, as phishing sites often mimic real apps to trick you. Knowing what to expect helps you spot red flags and stay safe when using your wallet onchain.
This guide assumes you already have an XRPL wallet. Don’t have one yet? See “What Are the Best Wallets for XRP in 2025? (And How to Keep Your XRP Safe)”.
Connect Wallet: Crypto’s login button
When you connect your wallet to an onchain app, you're proving that you own that address. This gives the app permission to read public info, like your wallet address and token holdings. Think of it like logging into a site with Google - you’re verifying your identity, not handing over control.
Importantly, connecting your wallet does not give the app control over your funds. Only when you sign or submit a transaction are you actually authorising the app to move funds or make changes.
What this guide covers
In this guide, we’ll walk through how to connect your wallet and sign transactions on Squid’s app using the Xaman mobile wallet. While screenshots and prompts here come from Xaman, the underlying steps apply across other XRPL wallets - so if you’re using Crossmark or another provider, you’ll recognise the same core principles even if the UI looks a little different.
What to expect when connecting
1. Click the “Connect Wallet” button on the app - this is often found in the top right corner.

2. Choose your wallet from a list of supported options.

3. Approve the connection in your wallet. Depending on your wallet this might involve scanning a QR code on your mobile device or confirming a browser pop-up in an extension. It won’t cost anything; no blockchain transaction is submitted.

Make sure the connection prompt comes from your actual wallet app or extension - not from a pop-up in the browser or from an unknown site.

4. You’re connected! The app can now display your balances, generate transaction quotes, and show you a personalized UI.

Signing transactions
Connecting your wallet is just the first step. Signing or submitting a transaction is what actually moves funds or triggers onchain activity.
When you sign, you’re giving permission for something to happen onchain - like sending tokens, swapping assets, or creating a trustline. Trustlines are a safety feature on XRPL: they let you decide which non-XRP assets your wallet can receive. If you haven’t explicitly allowed an asset via a trustline, no one can send it to you.
Because these actions happen onchain, they require a network fee (commonly called ‘gas’ on EVM chains). On XRPL, fees are much lower and fixed, but they still exist. For more, see “What are crypto ‘gas fees’?”.

How to Stay Safe
Most hacks exploit the wallet connection or signing process. Here’s how to stay safe:
- Always check the site URL before connecting
- Never sign a transaction you didn’t expect
- Be cautious if a “Connect Wallet” flow asks for gas - connecting submits no blockchain transaction and costs nothing
- Double check what you're signing
- Avoid unknown tokens in your wallet - don’t click, trade, or interact with them
- Use dApps with a proven reputation
- Never interact with pop-ups unless you triggered them yourself
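One way to apply the signing checks above, as an added example (not code from Squid, Xaman, or the original guide): a function that compares the XRPL transaction JSON a dApp asks you to approve against what you intended to do. The helper names, the 1000-drop fee threshold, and the sample addresses are assumptions, and the connect request is assumed to use Xaman's `SignIn` pseudo-transaction type.

```javascript
// Added example: review XRPL transaction JSON before approving it in a wallet.
// Transaction types that hand over or destroy control of the account.
const ACCOUNT_CONTROL_TYPES = new Set(['SetRegularKey', 'SignerListSet', 'AccountDelete']);

// An XRPL Amount is a string of drops (1 XRP = 1,000,000 drops) or a token object.
function describeAmount(amount) {
  if (typeof amount === 'string') return `${Number(amount) / 1e6} XRP`;
  return `${amount.value} ${amount.currency} (issuer ${amount.issuer})`;
}

// expected describes what you meant to do: { type, destination?, maxFeeDrops? }.
// maxFeeDrops defaults to 1000, an assumed threshold for this example.
function reviewTransaction(tx, expected) {
  const warnings = [];
  if (tx.TransactionType !== expected.type) {
    warnings.push(`unexpected type ${tx.TransactionType}, expected ${expected.type}`);
  }
  if (ACCOUNT_CONTROL_TYPES.has(tx.TransactionType)) {
    warnings.push(`${tx.TransactionType} changes who controls the account`);
  }
  // Connecting is free and moves nothing, so payment fields here are a red flag.
  if (expected.type === 'SignIn' && (tx.Amount || tx.Destination || tx.Fee)) {
    warnings.push('connect request carries payment fields or a fee');
  }
  if (tx.Destination && expected.destination && tx.Destination !== expected.destination) {
    warnings.push(`destination ${tx.Destination} is not the one you intended`);
  }
  if (tx.Fee && Number(tx.Fee) > (expected.maxFeeDrops ?? 1000)) {
    warnings.push(`fee of ${tx.Fee} drops is unusually high`);
  }
  const summary = [tx.TransactionType];
  if (tx.Amount) summary.push(`sends ${describeAmount(tx.Amount)}`);
  if (tx.LimitAmount) summary.push(`sets a trustline for ${describeAmount(tx.LimitAmount)}`);
  if (tx.Destination) summary.push(`to ${tx.Destination}`);
  return { ok: warnings.length === 0, summary: summary.join(' '), warnings };
}

// Constructed sample: a "connect" prompt that is really a 25 XRP payment.
// Addresses are placeholders, not real XRPL accounts.
const disguised = {
  TransactionType: 'Payment',
  Account: 'rCONSTRUCTEDuser',
  Destination: 'rCONSTRUCTEDother',
  Amount: '25000000',
  Fee: '12',
};
console.log(reviewTransaction(disguised, { type: 'SignIn' }));
```

The `summary` string is the plain-language reading to compare against the prompt your wallet shows; any entry in `warnings` is a reason to reject the request.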
Disconnecting Your Wallet
When you’re done using a dApp, it’s good practice to disconnect. This breaks the live connection between the app and your wallet until you choose to connect again.
You can usually disconnect in two ways:
- Via the app - Look for a disconnect or logout option in the app interface
- In your wallet - Check the connected apps section and remove access there
Note: On XRPL, disconnecting ends the session completely. On EVM chains, you may still need to revoke token permissions separately if you've approved actions like spending or bridging.

How This Differs on EVM Chains (like Ethereum)
EVM-compatible chains like XRPL EVM use smart contracts to handle app interactions. That means:
- When you sign a transaction, you're often interacting directly with a smart contract - not just sending funds.
- Apps can request ongoing permissions to spend tokens or execute actions, without needing your approval every time.
- On XRPL, trustlines let you choose which tokens you’re willing to receive. On EVM, there’s no such filter - anyone can send tokens to your wallet, which can include spam or malicious assets.
And here’s the key difference: disconnecting your wallet doesn’t remove those permissions.
If you no longer trust an app, you’ll need to manually revoke its access using a tool like revoke.cash, which shows all active token allowances on your wallet and lets you remove them safely.