Flowsta Vault
Where identity lives. Users hold their own keys on their own device and approve every sign-in and signature themselves — no one in the middle, not even Flowsta.
Vault Guide
Identity that lives with your users, not on anyone's server. SDKs, REST endpoints, webhook payloads, and HMAC verification — the technical reference for sovereign login, Sign It, and real-time webhooks.
A Flowsta account lives on the user's device. Their 24-word recovery phrase deterministically derives their keys; the Flowsta Vault app holds those keys and a personal Holochain node. There is no password, and no credential sits on any server. When someone signs in to your app — on the web or on desktop — their Vault signs a challenge and they approve it. Your app asks; the user answers. No one in the middle.
Four ready-to-copy starting points — login, agent linking, Vault identity, and file signing. Real-time webhooks and more are covered in their own sections.
Add "Sign in with Flowsta" with the @flowsta/auth SDK:
import { FlowstaAuth } from '@flowsta/auth';
const auth = new FlowstaAuth({
clientId: 'your_client_id',
redirectUri: 'https://yourapp.com/auth/callback'
});
auth.login(); // Redirects to login.flowsta.com — the user approves with their Vault
const user = await auth.handleCallback();
console.log('Welcome,', user.displayName);Link your app's agent key with the user's Flowsta Vault identity:
import { linkFlowstaIdentity } from '@flowsta/holochain';
const result = await linkFlowstaIdentity({
appName: 'YourApp',
clientId: 'your_client_id',
localAgentPubKey: myAgentKey,
});
// Commit attestation to your DHT
await appWebsocket.callZome({
role_name: 'my-role',
zome_name: 'agent_linking',
fn_name: 'create_external_link',
payload: {
external_agent: decodeHashFromBase64(result.payload.vaultAgentPubKey),
external_signature: base64ToSignature(result.payload.vaultSignature),
},
});Read the user's Flowsta Vault identity from any desktop app, over local IPC:
import { getVaultStatus } from '@flowsta/holochain';
const status = await getVaultStatus();
if (status.unlocked) {
console.log('DID:', status.did);
console.log('Agent key:', status.agentPubKey);
}Sign files with the @flowsta/auth SDK. When the user's Vault is running, the signature happens there — they approve it, and their keys never leave their device:
import { FlowstaAuth, hashFile } from '@flowsta/auth';
const flowsta = new FlowstaAuth({
clientId: 'your_client_id',
redirectUri: 'https://yourapp.com/callback',
scopes: ['openid', 'display_name', 'sign'],
});
// Hash client-side — the file itself is never uploaded
const hash = await hashFile(file);
const result = await flowsta.signFile({
fileHash: hash,
intent: 'Authorship',
});Traditional auth services store user credentials and data in centralized databases — single points of failure vulnerable to breaches, censorship, and vendor lock-in. And signing the work your users create usually means managing your own keys, your own infra, and your own liability.
Flowsta puts the user in charge and gets out of the way: