keepmyclaw

---
name: keepmyclaw
description: OpenClaw backup and restore. Encrypted off-site backup for OpenClaw agents — backs up workspace, memory, skills, cron jobs, credentials, and multi-agent configs to Cloudflare R2 with zero-knowledge AES-256 encryption. Use when backing up an OpenClaw agent, restoring an agent on a new machine, setting up automated backup schedules, listing or pruning backup snapshots, running restore drills, or migrating agents between machines. Triggers on: backup, restore, openclaw backup, agent backup, snapshot, disaster recovery, keepmyclaw, migrate agent, backup schedule, encrypted backup.
---

# Keep My Claw — OpenClaw Backup & Restore

Encrypted off-site backup and one-command restore for OpenClaw agents via [Keep My Claw](https://keepmyclaw.com). Backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs — with zero-knowledge AES-256 encryption on Cloudflare R2.

## Prerequisites

- `openssl`, `curl`, `tar`, `jq` (system)

## Setup — Agent-Driven Flow

**You (the agent) handle everything. The human only clicks a payment link.**

Do NOT run `setup.sh` interactively. Instead, follow these steps programmatically:

### Step 1: Register an account

```bash
RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')
```

Use your human's email. Generate a random password — you'll use the JWT token going forward.

### Step 2: Ask your human which plan they want

Before getting the payment link, ask your human to choose a plan. Mention this is **launch pricing** (limited time):

> "Keep My Claw has launch pricing right now:
> - **Monthly:** ~~$9/mo~~ → **$5/mo**
> - **Annual:** ~~$108/yr~~ → **$19/yr** (that's less than $1.60/mo — 82% off!)
>
> Which plan do you want? This rate locks in for as long as you stay subscribed."

### Step 3: Get payment link and send to human

Based on their choice, pass `plan` as `"monthly"` or `"annual"`:

```bash
CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"plan":"monthly"}')   # or "annual"
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')
```

Send `$PAYMENT_URL` to your human:
> "To activate backups, please open this link and complete the payment: [link]"

### Step 4: Wait for payment

Poll the account status until the tier changes to "pro":

```bash
while true; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier')
  [ "$TIER" = "pro" ] && break
  sleep 10
done
```

### Step 5: Create an API key

```bash
KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')
```

### Step 6: Configure locally

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate and store encryption passphrase
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

**CRITICAL: Tell your human ALL recovery credentials.** Without these, they cannot recover you on a new machine. Send them a message like this:

> "Your Keep My Claw recovery credentials — save these in a password manager NOW:
> - **Email:** [the email you registered with]
> - **Password:** [the random password you generated]
> - **Encryption passphrase:** [the passphrase]
> - **API key:** [the API key]
>
> If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

Do NOT skip this step. If the human doesn't have these credentials, the backups are useless.

### Step 7: Run first backup

```bash
bash scripts/backup.sh
```

### Step 8: Schedule automatic backups

Use cron or OpenClaw's cron tool to run `backup.sh` daily.

## Adding More Agents to an Existing Account

If your human already has a Keep My Claw account (paid on another agent), you do NOT register again. Instead:

### Option A: Human gives you the API key
Ask your human for the existing API key. Then configure locally:

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="THE_EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate YOUR OWN passphrase (each agent should have its own)
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

Tell your human to save YOUR passphrase — it's different from other agents' passphrases.

### Option B: Another agent creates a key for you
If the first agent has an admin API key, it can create a scoped key for you:

```bash
curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'
```

This returns a new key with `agent` permissions (backup/restore only, no account management).

### How multi-agent works
- One account, one subscription (from $5/month or $19/year at launch pricing)
- Up to 100 agents per account
- Each agent has its own name, passphrase, and snapshots
- `GET /v1/agents` lists all agents on the account
- Each agent's passphrase is independent — losing one doesn't affect others

## Usage

### Backup

```bash
bash scripts/backup.sh
```

### Restore

```bash
bash scripts/restore.sh            # restore latest backup
bash scripts/restore.sh <backup-id> # restore specific backup
```

### List Backups

```bash
bash scripts/list.sh
```

### Prune Old Backups

```bash
bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10
```

## What Gets Backed Up

**Everything that makes your agent _your agent_:**

- `~/.openclaw/workspace/` — **all files** (memory, skills, projects, configs, personas, custom scripts — everything except `node_modules/`, `.git/`, `vendor/`)
- `~/.openclaw/openclaw.json` — agent config (models, channels, env vars, agent list)
- `~/.openclaw/credentials/` — auth tokens
- `~/.openclaw/cron/jobs.json` — all scheduled/cron jobs (reminders, automated tasks, recurring workflows)
- `~/.openclaw/agents/` — multi-agent configs (if you run multiple agents)
- `~/.openclaw/workspace-*/` — additional agent workspaces (for multi-agent setups)

## What's NOT Backed Up

- **Binaries & packages** — `node_modules/`, `.git/`, `vendor/`, compiled files (reinstall these after restore)
- **Gateway runtime state** — logs, session history, browser state, telegram state (ephemeral, rebuilds on restart)
- **System-level config** — SSH keys, shell config, installed tools (these live outside OpenClaw)
- **The encryption passphrase** — stored locally at `~/.keepmyclaw/passphrase`, never uploaded. **Save it in a password manager.**

## Full Recovery Guide (New Machine)

If your machine dies, here's how to get your agent back:

### What You Need

From your password manager (you saved these during setup, right?):
- **Email + password** — to log into keepmyclaw.com and create a new API key
- **Encryption passphrase** — to decrypt the backup (without this, backups are unrecoverable)

### Step-by-Step

```bash
# 1. Install OpenClaw on the new machine
npm install -g openclaw

# 2. Install Keep My Claw prereqs (if not present)
# Needs: openssl, curl, tar, jq

# 3. Set up keepmyclaw config
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

# Get a new API key: log into keepmyclaw.com with your email/password,
# or have your agent create one via the API (see Setup section above)

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="YOUR_API_KEY"
CLAWKEEPER_AGENT_NAME="YOUR_AGENT_NAME"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# 4. Restore your passphrase
printf '%s' 'YOUR_PASSPHRASE' > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

# 5. Restore the latest backup
bash scripts/restore.sh           # latest
bash scripts/restore.sh <id>      # specific backup

# 6. Restart OpenClaw
openclaw gateway restart

# 7. Verify
openclaw status
```

### What Happens After Restore

- **Workspace files** — fully restored (memory, skills, projects, everything)
- **Agent config** — restored, but you may need to re-enter API keys if providers rotated them
- **Cron jobs** — restored and will resume on next gateway restart
- **Credentials** — restored, but OAuth tokens may need re-auth
- **Multi-agent setups** — all agent configs and workspaces restored

### If You Lost Your Passphrase

The backups are AES-256 encrypted. Without the passphrase, they cannot be decrypted. This is by design — we never have access to your data. **There is no recovery path without the passphrase.**

## Configuration

Config file: `~/.keepmyclaw/config`

| Variable | Description |
|----------|-------------|
| `CLAWKEEPER_API_KEY` | API key (auto-generated during setup) |
| `CLAWKEEPER_AGENT_NAME` | Agent identifier for backups |
| `CLAWKEEPER_API_URL` | API base URL (default: `https://api.keepmyclaw.com`) |

## Docs

Full documentation: [keepmyclaw.com/docs.html](https://keepmyclaw.com/docs.html)