diff --git a/platforms/emover-api/src/controllers/MigrationController.ts b/platforms/emover-api/src/controllers/MigrationController.ts
index c0d1149f..58a09d06 100644
--- a/platforms/emover-api/src/controllers/MigrationController.ts
+++ b/platforms/emover-api/src/controllers/MigrationController.ts
@@ -171,7 +171,10 @@ export class MigrationController {
                 });
             }
 
-            await this.processMigration(migrationId);
+            // Fire and forget - don't block eID wallet UI
+            this.processMigration(migrationId).catch((error) => {
+                console.error(`Migration ${migrationId} failed:`, error);
+            });
 
             return res.status(200).json({
                 success: true,
diff --git a/platforms/emover-api/src/services/MigrationService.ts b/platforms/emover-api/src/services/MigrationService.ts
index 9a194b51..516dc750 100644
--- a/platforms/emover-api/src/services/MigrationService.ts
+++ b/platforms/emover-api/src/services/MigrationService.ts
@@ -414,7 +414,7 @@ export class MigrationService extends EventEmitter {
         migration: Migration,
     ): Promise<number> {
         const graphqlUrl = new URL("/graphql", newEvaultUri).toString();
-        const batchSize = 50; // Process in batches to avoid timeout
+        const batchSize = 10; // Process in batches to avoid 413 payload too large
         let totalCreated = 0;
 
         const mutation = `
diff --git a/platforms/emover-api/src/services/SigningService.ts b/platforms/emover-api/src/services/SigningService.ts
index a7c84bf4..28df239d 100644
--- a/platforms/emover-api/src/services/SigningService.ts
+++ b/platforms/emover-api/src/services/SigningService.ts
@@ -76,6 +76,15 @@ export class SigningService extends EventEmitter {
             return { success: false, error: "Session expired" };
         }
 
+        // Verify signer's w3id matches the migration owner's eName
+        const expectedEName = session.data.eName as string;
+        if (w3id !== expectedEName) {
+            return {
+                success: false,
+                error: `Signer w3id (${w3id}) does not match migration owner (${expectedEName})`,
+            };
+        }
+
         // Verify signature (simplified - in production, use proper signature verification)
         // For now, we'll just check that signature exists
         if (!signature) {