How to build the apps the web deserves.

SDKs, REST endpoints, webhook payloads, and HMAC verification — the technical reference for sovereign login, Sign It, and real-time webhooks.

Flowsta Auth Network Architecture

Integration Examples

Four ready-to-copy starting points — login, agent linking, Vault identity, and file signing. Real-time webhooks and more are covered in their own sections.

Web Apps - OAuth SSO

Add "Sign in with Flowsta" with the @flowsta/auth SDK:

```typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/auth/callback'
});

// On your login page: start the flow.
auth.login(); // Redirects to login.flowsta.com

// On the redirectUri page, after the user is sent back: complete the flow.
const user = await auth.handleCallback();
console.log('Welcome,', user.displayName);
```
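This page describes the login as OAuth 2.0 + PKCE with no client secrets. The following is an added example, not code from the @flowsta/auth SDK, of the RFC 7636 S256 mechanism that makes this possible: the client keeps a random verifier, sends only its hash with the redirect, and the authorization server checks the verifier when the code is exchanged. The function names are hypothetical.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Base64url without padding, as RFC 7636 requires.
const b64url = (buf: Buffer): string => buf.toString('base64url');

// S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))).
function s256Challenge(verifier: string): string {
  return b64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// Client side, before the redirect: keep the verifier locally and
// send only the challenge in the authorization request.
function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32)); // 43 chars, within the 43-128 limit
  return { verifier, challenge: s256Challenge(verifier) };
}

// Authorization-server side, at the token endpoint: the code is only
// redeemable by whoever holds the verifier behind the stored challenge.
function verifierMatches(verifier: string, storedChallenge: string): boolean {
  // Reject anything outside the RFC 7636 verifier alphabet and length.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) return false;
  const computed = Buffer.from(s256Challenge(verifier), 'ascii');
  const stored = Buffer.from(storedChallenge, 'ascii');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return computed.length === stored.length && timingSafeEqual(computed, stored);
}
```

An authorization code intercepted on the redirect cannot be exchanged without the verifier, which never leaves the client that started the login.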

Desktop Holochain Apps - Agent Linking

Link your app's agent key with the user's Flowsta Vault identity:

```typescript
import { decodeHashFromBase64 } from '@holochain/client';
import { linkFlowstaIdentity } from '@flowsta/holochain';

// myAgentKey, appWebsocket and base64ToSignature are assumed to be in scope
// in your app; their setup and imports are not shown on this page.
const result = await linkFlowstaIdentity({
  appName: 'YourApp',
  clientId: 'your_client_id',
  localAgentPubKey: myAgentKey,
});

// Commit attestation to your DHT
await appWebsocket.callZome({
  role_name: 'my-role',
  zome_name: 'agent_linking',
  fn_name: 'create_direct_link',
  payload: {
    other_agent: decodeHashFromBase64(result.payload.vaultAgentPubKey),
    other_signature: base64ToSignature(result.payload.vaultSignature),
  },
});
```

Desktop Tauri Apps - Vault Identity

Manage Flowsta Vault identity in Tauri desktop apps:

```typescript
import { FlowstaVaultAuth } from '@flowsta/auth-tauri';

const vault = new FlowstaVaultAuth();

const status = await vault.getStatus();
if (status.unlocked) {
  const identity = await vault.getIdentity();
  console.log('DID:', identity.did);
  console.log('Agent key:', identity.agentPubKey);
}
```

Document Signing - Sign It

Sign files and verify signatures with the @flowsta/auth SDK:

```typescript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/callback',
  scopes: ['profile', 'sign'],
});

// Hash client-side, sign via API.
// `file` is the file to sign, supplied by your app; only its hash is passed to signFile.
const hash = await hashFile(file);
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});
```

Why Flowsta?

Traditional auth services store user data in centralized databases — single points of failure vulnerable to breaches, censorship, and vendor lock-in. And signing the work your users create usually means managing your own keys, your own infra, and your own liability.

Flowsta bundles all three on one sovereign identity:

  • Zero-Knowledge Privacy — Flowsta staff physically cannot access user private data
  • Sovereign Login — OAuth 2.0 + PKCE, no client secrets, no password liability
  • Cryptographic File Signing — users sign with their own identity, verifiable on the public Holochain DHT
  • Real-Time Webhooks — HMAC-signed events for signatures, OAuth flows, and subscription changes
  • W3C DIDs — every user gets a standards-compliant Decentralized Identifier
  • User-Owned Data — users control their own encryption keys, not us
  • Always Available — distributed Holochain network means no single point of failure

Documentation licensed under CC BY-SA 4.0.