diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84f4f56b1..e695ac510 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Bcoin Release Notes & Changelog
 
+## v1.0.x
+
+### Wallet API changes
+
+Creating a watch-only wallet now requires an `account-key` (or `accountKey`)
+argument. This is to prevent bcoin from generating keys and addresses the user
+can not spend from.
+
 ## v1.0.0
 
 ### Migration
diff --git a/lib/wallet/wallet.js b/lib/wallet/wallet.js
index e6ed64dc8..daf8f5af8 100644
--- a/lib/wallet/wallet.js
+++ b/lib/wallet/wallet.js
@@ -575,7 +575,7 @@ class Wallet extends EventEmitter {
 await this.unlock(passphrase);
 
 let key;
- if (this.watchOnly && options.accountKey) {
+ if (this.watchOnly) {
 key = options.accountKey;
 
 if (typeof key === 'string')
diff --git a/test/wallet-test.js b/test/wallet-test.js
index 035ecf5a4..98d3ee0d8 100644
--- a/test/wallet-test.js
+++ b/test/wallet-test.js
@@ -25,6 +25,10 @@ const KEY1 = 'xprv9s21ZrQH143K3Aj6xQBymM31Zb4BVc7wxqfUhMZrzewdDVCt'
 const KEY2 = 'xprv9s21ZrQH143K3mqiSThzPtWAabQ22Pjp3uSNnZ53A5bQ4udp'
 + 'faKekc2m4AChLYH1XDzANhrSdxHYWUeTWjYJwFwWFyHkTMnMeAcW4JyRCZa';
 
+// abandon abandon... about key at m'/44'/0'/0'
+const PUBKEY = 'xpub6BosfCnifzxcFwrSzQiqu2DBVTshkCXacvNsWGYJVVhhaw'
+ + 'A7d4R5WSWGFNbi8Aw6ZRc1brxMyWMzG3DSSSSoekkudhUd9yLb6qx39T9nMdj';
+
 const enabled = true;
 const workers = new WorkerPool({ enabled });
 const wdb = new WalletDB({ workers });
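Review bot: With `options.accountKey` dropped from the condition in lib/wallet/wallet.js, `key` can be `undefined` when the watch-only branch is entered, and nothing visible in this hunk rejects it. The error the new test expects ('Must add HD public keys to watch only wallet.') has to come from a check further down; the enclosing method starts and ends outside the hunk, so that check cannot be confirmed from here. I would add a comment above the branch recording why there is no fallback any more: `// Watch-only wallets must be given an account key; deriving one here would yield addresses the user cannot spend from.`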
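Review bot: The comment above `PUBKEY` in test/wallet-test.js is too terse to tell a reader, or someone triaging a secret-scanner hit on this file, where the key comes from. Presumably it is the account-level xpub derived from the widely published "abandon ... about" test mnemonic; if so, spell that out, e.g. `// Account xpub at m'/44'/0'/0' for the public "abandon ... about" test mnemonic; a test fixture, not a secret.`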
@@ -1301,12 +1305,31 @@ describe('Wallet', function() {
 importedKey = key;
 });
 
+ it('should require account key to create watch only wallet', async () => {
+ let err = null;
+
+ try {
+ await wdb.create({
+ watchOnly: true
+ });
+ } catch (e) {
+ err = e;
+ }
+
+ assert(err);
+ assert.strictEqual(
+ err.message,
+ 'Must add HD public keys to watch only wallet.'
+ );
+ });
+
 it('should import pubkey', async () => {
 const key = KeyRing.generate();
 const pub = new KeyRing(key.publicKey);
 
 const wallet = await wdb.create({
- watchOnly: true
+ watchOnly: true,
+ accountKey: PUBKEY
 });
 
 await wallet.importKey('default', pub);
@@ -1322,7 +1345,8 @@ describe('Wallet', function() {
 const key = KeyRing.generate();
 
 const wallet = await wdb.create({
- watchOnly: true
+ watchOnly: true,
+ accountKey: PUBKEY
 });
 
 await wallet.importAddress('default', key.getAddress());
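Review bot: The new test in the first hunk covers only a missing `accountKey`; nothing checks that a watch-only wallet refuses an extended private key, which is the other way unwanted key material could reach it. A second case passing `accountKey: KEY1` (the xprv fixture declared near the top of this file) and asserting that `wdb.create` rejects would pin that. I have not quoted an expected message because the validation lives outside this diff. As a style point, the `let err = null` / try / catch block could become a single `await assert.rejects(...)` call, if the assert module used in this file provides it.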