Secure Agent Migration
LaunchThatBot uses a one-time token handshake, RSA-2048 encrypted peer-to-peer transfer, and stores your secrets in your own Convex environment variables. Our API relays encrypted payloads it physically cannot read.
This page explains exactly how the import works, what data flows where, and which cryptographic properties protect you at every step. No hand-waving.
The trust argument to skeptical users is built on three verifiable pillars. Each one is independently checkable -- you do not need to take our word for it.
The encrypted payload passes through our API as an opaque blob. The RSA private key exists only inside the container on your VPS. We physically cannot decrypt your secrets because we never hold the decryption key.
After import, open dashboard.convex.dev, navigate to your deployment, and see your environment variables. You own that Convex project -- we do not. This is independently verifiable.
It expires in 15 minutes and is consumed on first use. Tokens are stored as SHA-256 hashes -- even our own database never contains the raw token. Interception after consumption is useless.
The full import process from start to finish. Each step includes the technical detail behind it so you know exactly what happens at every stage.
On your agent detail page, click the import button. LaunchThatBot generates a single-use import token and an RSA-2048 keypair. The token is displayed once -- copy it. It expires in 15 minutes.
Technical detail
Behind the scenes: a crypto-random 32-byte token is generated, the RSA private key is encrypted with AES-256-GCM using a process-level key, and only the SHA-256 hash of the token is stored. The raw token is shown once and never persisted.
Add the launchthatbot-import MCP skill to your existing OpenClaw agent. This lightweight skill knows how to collect your agent's configuration, memory, skills, and environment.
Technical detail
The skill reads soul.md, memory banks from /home/node/.openclaw/memory/, installed skills, and the .env file. It separates secrets from non-sensitive config automatically.
Tell your old agent to export to LaunchThatBot using the token you copied. The skill collects everything, encrypts your secrets with the RSA public key, and pushes the payload over TLS.
Technical detail
Non-secret config (soul.md, memory files, skill files) is sent as plaintext. Every secret value is individually RSA-2048 encrypted using the public key from step 1. The payload is sent via POST to /api/import/push with the token as a Bearer header.
Our API validates the token, marks it consumed, and relays the encrypted payload to your new container via Portainer exec. We never hold the private key. We physically cannot decrypt your secrets.
Technical detail
Token validation: the API hashes the incoming token, looks up the hash in our database, verifies it is active and not expired, then marks it consumed. The encrypted payload is relayed as-is to the target container. The RSA private key is encrypted at rest and only decrypted inside the container's process memory.
Inside your VPS container, a script decrypts each secret with the RSA private key, writes config files to the agent's filesystem, and stores API keys in your own Convex environment variables.
Technical detail
The container-side script: (1) decrypts each secret using the RSA private key, (2) writes soul.md to the agent config directory, (3) writes memory files to the memory directory, (4) writes skill files to the skills directory, (5) sets environment variables in both the container .env and your Convex deployment via npx convex env set.
Open dashboard.convex.dev, navigate to your deployment, and confirm your environment variables are present. You own that Convex project. We do not. Your old instance can be shut down immediately.
Technical detail
This is the final trust verification step. You can independently confirm that your API keys were stored in your own Convex instance by checking the Convex dashboard directly. LaunchThatBot has no access to your Convex environment variables.
A clear breakdown of what data passes through the platform and what stays encrypted at every stage.
Plaintext through platform
LowThese are configuration files, not credentials. They define behavior, not access.
Encrypted through platform
NoneRSA-2048 encrypted on your machine. LaunchThatBot relays the ciphertext but holds no decryption key.
Final destination: your Convex
You controlSecrets are written to your own Convex deployment. Verify them yourself at dashboard.convex.dev. We have no access.
Common concerns and the specific cryptographic and architectural mitigations that address them.
A complete list of what the import skill collects from your existing OpenClaw instance.
Agent personality
Your soul.md file -- the system prompt and personality definition that makes your agent unique. Transferred as plaintext (not a secret).
Memory banks
All files from your agent's memory directory. Conversation history, learned context, and accumulated knowledge. Transferred as plaintext.
Installed skills
Skill definitions, templates, and configuration files. Your agent keeps every capability it had before the move.
Secrets & credentials
API keys, tokens, and service credentials from your .env file. Each one is individually RSA-encrypted before leaving your machine.
Ready to migrate
Your secrets stay encrypted in transit, land in your own Convex instance, and are independently verifiable. LaunchThatBot never holds the keys to your kingdom.
