What you are setting up, and the one habit that protects it
Setting up MetaMask takes about ten minutes: install the official app, create a wallet, write down a 12-word backup phrase, add the networks you need, connect to a site, and send a test transaction. The setup is the easy part. The habit you build around that 12-word phrase is what keeps your money yours.
MetaMask is a self-custody wallet, a free browser extension and mobile app that holds, sends, and receives Ethereum and any token on an Ethereum-compatible network. Self-custody means you hold the keys, not a company. It also means no password reset, no support line that can claw back a bad transaction, and no safety net if your recovery phrase leaks. I have watched people lose real money in the first ten minutes because they treated the backup phrase like a throwaway login. Do the steps in order and that does not happen.
- Download MetaMask only from metamask.io, never from a search result, ad, or emailed link.
- Write the 12-word secret recovery phrase on paper, by hand, and store it offline. Never photograph it or type it into a notes app or cloud service.
- The password unlocks the extension on one device only. The recovery phrase is the master key, and whoever holds it holds the funds.
- Add networks through Chainlist so you never type connection details by hand.
- Send a small test amount before you move anything real. Crypto sends are irreversible.
- Nobody legitimate, no site, email, or support agent, ever needs your recovery phrase.
You will need a desktop browser (Chrome, Firefox, Brave, Opera, or Edge) or a smartphone. Both are free. You can run the same wallet on both, but pick one device to set up first.
Step 1: Install the official extension or app
Type metamask.io into your browser yourself and download from there. The site detects your browser and sends you to the right extension store, or on a phone, to the App Store or Google Play. Do not search "MetaMask" in your add-on store and click the top result, and do not follow a download link from an email, ad, or chat message. Fake wallet extensions are common, and they exist to empty your wallet the second you connect it.
Before you install, run two checks:
- Read the address bar. It should be
metamask.ioormetamask.io/download, character by character, because lookalike domains are the whole game here. - Confirm the extension-store publisher shows as MetaMask with a download count in the millions. On a phone, check the developer name reads MetaMask. A near-empty review count on a "MetaMask" listing is a red flag.
When you add the extension, your browser warns that it can read and change data on websites. That is normal for a wallet, which talks to the pages you visit. Approve it. The MetaMask fox then appears in your toolbar; if you do not see it, open the extensions menu and pin it.
The choice between the two ways to run MetaMask comes down to where you want it to live:
| Browser extension | Mobile app | |
|---|---|---|
| Where it runs | Chrome, Firefox, Brave, Opera, or Edge | iPhone or Android |
| Install from | metamask.io, which sends you to the right extension store | metamask.io, which sends you to the App Store or Google Play |
| Check before installing | Publisher shows as MetaMask, download count in the millions | Developer name reads MetaMask |
| Adding networks | Networks you add here do not sync to the mobile app | Networks you add here do not carry to the extension |
On mobile the install is a normal app download, but open the store from metamask.io rather than searching, and check the developer name first.
Step 2: Create a new wallet, or import one
Open MetaMask. You get two choices: Create a new wallet or Import an existing wallet. They are not interchangeable.
Choose Create a new wallet if this is your first wallet or you want a fresh one. MetaMask generates a brand-new recovery phrase you have never used anywhere.
Choose Import an existing wallet only if you already hold a 12-word secret recovery phrase from MetaMask or another compatible wallet and want to restore it here. Importing types that phrase into the app to rebuild the same accounts.
Never import a phrase someone sent you or one you found posted anywhere. A "pre-loaded" wallet handed to you is a known trap, set so the scammer can sweep whatever you add.
The rest of this guide follows the create path.
MetaMask asks whether to share usage data. That is optional and does not affect your funds. Pick what you prefer and continue.
You also see two ways to secure a new wallet. The Secret Recovery Phrase route is the standard self-custody method: MetaMask generates a 12-word phrase that is the master backup, and you store it yourself. A newer social login option (Google or Apple) ties the wallet to that account, though MetaMask still creates an underlying recovery phrase and tells you to back it up anyway. For a first wallet, take the Secret Recovery Phrase route. It keeps you fully in control, with no third-party login in the chain.
Step 3: Set a strong password
Next, MetaMask asks you to set a password. Get one thing clear: this password only unlocks the extension on this one device. It is not your recovery phrase and cannot restore your wallet anywhere else. Reinstall MetaMask or move to a new computer and the password does nothing; only the recovery phrase brings the wallet back.
Use a long, unique password and let a password manager generate and store it. Do not reuse one from another account, then continue.
Step 4: Back up your secret recovery phrase
This is the step where almost all the losses happen, so slow down here.
MetaMask now shows a 12-word phrase in a set order. Those words, in that order, are the only way to recover the wallet if your computer dies, you forget the password, or you switch devices. They are also complete control of the wallet for anyone who reads them. Whoever holds the phrase holds the funds, with no second factor behind it.
Handle it like this:
- Write all 12 words on paper, in order, by hand, right now.
- Store that paper somewhere physically safe: a fireproof safe, a locked drawer, or two copies in separate places.
- Do not photograph it. Do not type it into a notes app, a document, a password manager note, or any cloud service, and do not email it to yourself. A backup on an internet-connected device is a backup an attacker can reach.
- Never type it into any website or app except MetaMask itself, and only during first setup or a genuine recovery.
Write the phrase on paper, by hand, the moment MetaMask shows it. A backup on an internet-connected device is a backup an attacker can reach.
MetaMask then asks you to confirm the phrase by tapping the words back in order. That check proves you actually wrote it down. Finish it and confirm.
Your wallet now exists. The address starting with 0x is your public address: share it freely, like an account number for receiving a payment. The recovery phrase is the private master key. Those two are not the same thing. Give out the address all day. Guard the phrase like cash.
Step 5: Find your way around the wallet
Take a minute before you move money. The main screen shows your account name, your 0x address (tap to copy), and your balance. The account menu lets you rename, add, or switch accounts, all covered by that one backup phrase. The network selector at the top tells you which chain you are on, which matters the moment you send or receive. Below the balance sit your tokens, the buy, send, swap, and receive buttons, and an Activity tab listing every transaction. Knowing where these live saves a fumble later.
Step 6: Add the networks you need
MetaMask opens connected to Ethereum Mainnet. To use other compatible networks (Polygon, BNB Smart Chain, Arbitrum, Base, and others) you add them yourself.
The clean way is Chainlist. Go to chainlist.org with MetaMask installed, connect your wallet when asked, and search the network name, say "Polygon" or "Base." Click "Add to MetaMask" next to the correct one and approve the prompt. Chainlist pulls the verified connection details for you, so there is nothing to type by hand.
To add a network manually instead, open the MetaMask menu, choose Networks, then "Add a custom network," and fill in the Network Name, RPC URL, Chain ID, Currency Symbol, and Block Explorer URL. Take those values only from the network's own official documentation, never from a forum comment. Wrong values can fail your transactions or push funds onto a network you did not intend. On mobile, tap the network name at the top, switch to the Custom tab, and add it there.
Networks you add on the extension do not sync to the mobile app. Add them on each device separately.
Step 7: Receive crypto into your wallet
To receive, you give the sender your public address. Open MetaMask, tap Receive (or copy the address under your account name), and you get the 0x string and a QR code. Send that to whoever is paying you, or paste it into an exchange's withdrawal screen.
Match the network on both ends. A token sent on Polygon arrives on Polygon, and your MetaMask must have that network added to display it. Funds sent on the wrong network do not bounce back on their own; recovering them is technical at best, impossible at worst. Before you share the address, confirm which network the sender will use and that you have it selected.
Step 8: Send a small test amount
Before you move anything meaningful, send a small test transaction. This is the single habit that has saved me the most grief. Crypto sends are irreversible: once a transaction confirms on-chain, there is no recall, no chargeback, no support ticket that reverses it.
Open MetaMask and click "Send." Paste the recipient address, then check the first four and last four characters against the original source, because clipboard-hijacking malware swaps copied addresses for the attacker's. Pick the token, enter a small amount, and review the network fee (the gas fee, which pays to process the transaction and moves with network load). Then confirm. On mobile the steps match: tap Send, paste or scan the address, set token and amount, check the fee, and send.
The transaction shows under the Activity tab. Tap it to track its status on a block explorer such as Etherscan. Most networks confirm in seconds to a few minutes. Once you confirm the test landed at the right address, send the full amount.
Step 9: Connect to a dapp
A dapp is a decentralized app, a website you use straight from your wallet, such as a token swap, a marketplace, or a lending app. To use one, you connect MetaMask to it.
On the dapp, click "Connect Wallet" and pick MetaMask. A window opens asking which account to share and listing what the connection grants. Read it. Connecting lets the site see your address and propose transactions; it does not move funds on its own, and it never needs your recovery phrase. Approve only if you typed the site's address yourself or reached it from a source you trust.
Here is the part that costs people money. Once connected, a dapp can ask you to sign two kinds of request. A plain transaction does one thing, like a single swap. A token approval grants the site ongoing permission to move a token from your wallet, and a careless or malicious one can be set to unlimited. Read the amount and the spender before you approve. If a site you barely know asks for unlimited approval, stop. You can review and cancel old approvals later from MetaMask's permissions page or a revoke tool, worth doing now and then.
Step 10: Pair a hardware wallet (optional, recommended as you grow)
A hardware wallet such as the Ledger Nano X keeps your private keys on a device that never touches the internet, so even a compromised computer cannot sign a transaction without you pressing the physical buttons. You still use MetaMask's screen; the keys live on the hardware. Worth adding once your balance is more than you would shrug off losing.
To pair one, set up the hardware wallet on its own first, including its own separate recovery phrase, and install its Ethereum app. Connect it, open MetaMask, go to the account menu, and choose to add a hardware wallet. Pick your device, let MetaMask read its accounts, and select one. That account then shows in MetaMask, but every send must be confirmed on the physical device. Back up the hardware wallet's recovery phrase on paper and offline like the software one, and never type it into a computer.
The safety rules that actually matter
MetaMask's reach makes it a target, and the attacks below are the ones that keep working. Read them once and they stop working on you. Our crypto safety hub goes deeper.
Fake extensions. Security researchers found more than 40 fake wallet add-ons in the Firefox store in 2025, several impersonating MetaMask. A clone looks identical and steals your recovery phrase the moment you enter it. That is why Step 1 starts from metamask.io. If an update prompt ever looks off, go to metamask.io and verify before you touch it.
Phishing emails and fake security checks. A campaign running into early 2026 sent emails dressed up to look like MetaMask, telling people to complete a "security check" or set up two-factor authentication, then linking to fake pages that asked for the recovery phrase to "verify ownership." Wallets drained in seconds. MetaMask does not email you to confirm a security check, and it has no 2FA feature that needs your recovery phrase. Any such message is a scam.
Fake support accounts. On social media, Discord, and Telegram, scammers pose as MetaMask support and ask for your phrase to "fix" a problem. No real MetaMask agent will ever ask for it, not in a direct message, not on a call. The request itself is the scam.
Approval scams. Some sites skip the recovery phrase and go for a signature instead, getting you to approve a token spend that hands over the right to move your assets, often disguised as a free mint or airdrop claim. Read every approval before you sign, watch for unlimited amounts, and treat a too-good claim that needs a signature as a drain attempt.
"Deceptive site ahead" warnings. When MetaMask flags a site with this warning before you connect, take it at face value. It comes from a blocklist of known phishing domains. Do not click through and connect anyway.
Your 12-word secret recovery phrase is total control of your wallet for whoever holds it, and no legitimate service, support person, or website ever needs it. The only place you type it is MetaMask itself, during setup or a real recovery. Anything else asking for it, an email, a "support" agent, a website, is an attack.
Troubleshooting the common snags
A token you received is not showing. MetaMask does not list every token by default. Add it by its contract address, taken from the token's official site or its Etherscan page, and confirm you are on the right network.
A transaction is stuck as pending. The gas fee was likely too low for current network load. MetaMask lets you speed up or cancel a pending transaction from the Activity tab, which resubmits it with a higher fee.
You forgot your password. It is local, so there is no reset. Reinstall MetaMask and restore the wallet with your recovery phrase, then set a new one. This is the moment that backup earns its keep.
Frequently asked questions
Is MetaMask free? Yes. The extension and app cost nothing to install or use. You pay network gas fees when you transact, and MetaMask charges a small fee on its in-app swaps, but holding the wallet is free.
Is MetaMask safe? The software is sound and widely used; the risk is almost always the user. Phishing, fake extensions, and approval scams cause the losses, not a flaw in MetaMask. It is a wallet, not a brokerage: no insured deposits, no FDIC protection, no way to claw funds back. Protect the recovery phrase, install from metamask.io, and read what you approve.
Can I use the same wallet on my phone and computer? Yes. Install MetaMask on the second device, choose to import, and enter the same recovery phrase. Both then control the same accounts. Networks added on one device do not carry to the other.
What happens if I lose my recovery phrase? If the wallet is still open and unlocked, reveal and re-back-up the phrase from settings. If you have lost both the phrase and access to every device, the funds are gone for good, and no one can recover them, including MetaMask.
The setup runs about ten minutes. Where you keep the recovery phrase, how you check an address before you send, and whether you read what a site asks you to approve: that is what decides if the money stays safe.