Skip to content

Build the New Internet with Flowsta.

Identity that lives with your users, not on anyone's server. SDKs, REST endpoints, webhook payloads, and HMAC verification — the technical reference for sovereign login, Sign It, and real-time webhooks.

Flowsta Network Architecture

The model in one paragraph

A Flowsta account lives on the user's device. Their 24-word recovery phrase deterministically derives their keys; the Flowsta Vault app holds those keys and a personal Holochain node. There is no password, and no credential sits on any server. When someone signs in to your app — on the web or on desktop — their Vault signs a challenge and they approve it. Your app asks; the user answers. No one in the middle.

Integration Examples

Four ready-to-copy starting points — login, agent linking, Vault identity, and file signing. Real-time webhooks and more are covered in their own sections.

Web Apps - OAuth SSO

Add "Sign in with Flowsta" with the @flowsta/auth SDK:

typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/auth/callback'
});

auth.login(); // Redirects to login.flowsta.com — the user approves with their Vault

const user = await auth.handleCallback();
console.log('Welcome,', user.displayName);

Desktop Holochain Apps - Agent Linking

Link your app's agent key with the user's Flowsta Vault identity:

typescript
import { linkFlowstaIdentity } from '@flowsta/holochain';

const result = await linkFlowstaIdentity({
  appName: 'YourApp',
  clientId: 'your_client_id',
  localAgentPubKey: myAgentKey,
});

// Commit attestation to your DHT
await appWebsocket.callZome({
  role_name: 'my-role',
  zome_name: 'agent_linking',
  fn_name: 'create_external_link',
  payload: {
    external_agent: decodeHashFromBase64(result.payload.vaultAgentPubKey),
    external_signature: base64ToSignature(result.payload.vaultSignature),
  },
});

Desktop Apps - Vault Identity

Read the user's Flowsta Vault identity from any desktop app, over local IPC:

typescript
import { getVaultStatus } from '@flowsta/holochain';

const status = await getVaultStatus();
if (status.unlocked) {
  console.log('DID:', status.did);
  console.log('Agent key:', status.agentPubKey);
}

Document Signing - Sign It

Sign files with the @flowsta/auth SDK. When the user's Vault is running, the signature happens there — they approve it, and their keys never leave their device:

typescript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/callback',
  scopes: ['openid', 'display_name', 'sign'],
});

// Hash client-side — the file itself is never uploaded
const hash = await hashFile(file);
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'Authorship',
});

Why Flowsta?

Traditional auth services store user credentials and data in centralized databases — single points of failure vulnerable to breaches, censorship, and vendor lock-in. And signing the work your users create usually means managing your own keys, your own infra, and your own liability.

Flowsta puts the user in charge and gets out of the way:

  • No one in the middle — sign-ins and signatures are approved by the user, with keys only they hold
  • Zero-Knowledge Privacy — no passwords exist; Flowsta stores no credential and cannot read private data
  • Sovereign Login — OAuth 2.0 + PKCE, no client secrets, nothing to leak
  • Cryptographic File Signing — users sign with their own identity, verifiable by anyone on Flowsta's tamper-proof network, built on Holochain
  • Real-Time Webhooks — HMAC-signed events for signatures, OAuth flows, and profile changes
  • W3C DIDs — every user gets a standards-compliant Decentralized Identifier that never changes
  • Always Available — a distributed network with community-run nodes means no single point of failure

Documentation licensed under CC BY-SA 4.0.