Changelog
v4.1
Post-launch polish and integrator-facing additions for Sign It.
New: Badge & Widget reference
A dedicated Badge & Widget page covering the embeddable widget.js and the underlying badge API. Includes attribute reference (data-flowsta-hash, data-flowsta-style, data-flowsta-theme), style variants (card / badge / minimal), SVG and JSON rendering endpoints, and examples for HTML, React, static sites, and CSP-locked environments.
New: Content Rights API endpoint
The Content Rights page now documents the machine-readable endpoint for AI training pipelines, search engines, and content platforms:
- GET /api/v1/sign-it/content-rights?hash=<sha256> — returns signer-declared license, AI-training policy, commercial-licensing stance, and contact preference as JSON
- Aggregation rules — most restrictive policy wins when multiple signers declare different rights; revoked signatures are excluded
- 5-minute edge caching — safe for CDN/pipeline use at scale
- Python example — drop-in check for AI training pipelines
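The aggregation rule above, worked through as an added example (this is not Flowsta's code and not the Python sample the Content Rights page ships). The page names only the four field names, not their allowed values, so the value lists below are hypothetical placeholders ordered from least to most restrictive; the sample declarations and the `did:example:` signer ids are constructed.

```javascript
// Added example (not Flowsta's own code): models the aggregation rule documented
// for GET /api/v1/sign-it/content-rights ("most restrictive policy wins; revoked
// signatures are excluded") and the pipeline-side gate that consumes the result.
//
// ASSUMPTION: the page names only the field names (license, ai_training,
// commercial_licensing, contact_preference), not their allowed values. The value
// lists below are hypothetical placeholders ordered from least to most
// restrictive; swap in the real enums before use.
const RESTRICTIVENESS = {
  license: ['cc0', 'cc-by', 'cc-by-nc', 'all-rights-reserved'],   // assumed values
  ai_training: ['allowed', 'attribution-required', 'denied'],     // assumed values
  commercial_licensing: ['open', 'negotiable', 'prohibited'],     // assumed values
  contact_preference: ['email', 'relay-only', 'none'],            // assumed values
};

// Position of a value in its field's ordering; unknown values are rejected
// rather than silently treated as permissive.
function rank(field, value) {
  const i = RESTRICTIVENESS[field].indexOf(value);
  if (i === -1) throw new Error(`unknown ${field} value: ${value}`);
  return i;
}

// Aggregate the declarations attached to one file hash.
// Revoked signatures are dropped first; then, per field, the most restrictive
// value among the remaining signers wins. Returns null when no live signer exists.
function aggregateContentRights(declarations) {
  const live = declarations.filter((d) => !d.revoked);
  if (live.length === 0) return null;
  const result = { signer_count: live.length };
  for (const field of Object.keys(RESTRICTIVENESS)) {
    let winner = null;
    for (const d of live) {
      const v = d.rights[field];
      if (v === undefined) continue;             // signer did not declare this field
      if (winner === null || rank(field, v) > rank(field, winner)) winner = v;
    }
    if (winner !== null) result[field] = winner;
  }
  return result;
}

// Pipeline-side gate: admit a file to a training set only on an explicit
// "allowed". Missing or unknown rights fail closed.
function allowedForTraining(aggregated) {
  return aggregated !== null && aggregated.ai_training === 'allowed';
}

// Constructed sample: three signers of the same hash, one of them revoked.
const SAMPLE_DECLARATIONS = [
  { signer: 'did:example:alice', revoked: false,
    rights: { license: 'cc-by', ai_training: 'allowed', commercial_licensing: 'open', contact_preference: 'relay-only' } },
  { signer: 'did:example:bob', revoked: false,
    rights: { license: 'cc-by', ai_training: 'attribution-required', commercial_licensing: 'negotiable' } },
  { signer: 'did:example:mallory', revoked: true,   // revoked: must not influence the result
    rights: { license: 'all-rights-reserved', ai_training: 'denied', commercial_licensing: 'prohibited', contact_preference: 'none' } },
];

const aggregated = aggregateContentRights(SAMPLE_DECLARATIONS);
console.log(JSON.stringify(aggregated, null, 2));
console.log('allowed for training:', allowedForTraining(aggregated));
```

Two points the rule implies and the code makes explicit: the revoked signer's "denied" does not pull the result down, and a signer who declares nothing for a field does not weaken it either, because only declared values compete. A consumer that caches the JSON for the documented 5 minutes should treat a null result (no live signer) the same way it treats "denied".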
Adopting the Standard
The Content Rights field set is open — no proprietary schema, no license fees, no API key. We'd like the same enum values (license, ai_training, commercial_licensing, contact_preference) to become a de-facto standard so a single query surfaces rights regardless of which service signed the file. Details →
SDK cross-links
/sdk/auth and /sdk/holochain now surface the Sign It methods directly, each linking to the full Sign It SDK Reference. SigningDnaNotInstalledError added to the desktop error-handling example in the Developer Guide.
Packages published
The Sign It methods covered across the v4.0 documentation are live on npm:
v4.0
Flowsta is now three building blocks, not one. This release adds cryptographic file signing and real-time webhooks as first-class products, alongside the existing sovereign login.
New: Sign It — Cryptographic File Signing
A new product pillar. Users sign files with their Flowsta identity; anyone can verify on a public Holochain DHT. No keys to manage, no servers to run.
- Intent types — Authorship, Approval, Witness, Receipt, Agreement
- Content rights — declare license and AI training policy at sign time
- AI disclosure — None, Assisted, or Generated per signed file
- Multi-signer — multiple agents can co-sign the same file hash
- Revocation — the signer can revoke with an optional reason; the revocation is itself a signed action
- Perceptual matching — fuzzy lookup for images, audio, and video (finds resized, cropped, or recompressed copies)
- Thumbnails — signers can attach a data:image/... thumbnail (≤ 15 KB) to their signature
- Blind contact relay — anyone can message a signer without learning their email
New section: Sign It — overview, quickstart, content rights, developer guide, SDK reference, and verification API.
New: Real-Time Webhooks
Subscribe your server to events from your OAuth app's users. Every payload is HMAC-SHA256 signed with a per-webhook secret.
Events currently firing:
- sign.created
- sign.revoked
- oauth.authorized
- oauth.token.revoked
- user.profile.updated
Reserved for future work: user.2fa.enabled, user.2fa.disabled, subscription.upgraded, subscription.downgraded, subscription.cancelled.
Delivery is fire-and-forget with a 10-second timeout; webhooks are auto-disabled after 10 consecutive failures and can be re-enabled with PUT { active: true }.
New section: Webhooks — overview, event types and payloads, HMAC verification with Node and Python examples, delivery and failure policy.
New: API Endpoints
Sign It
- POST /api/v1/sign-it/sign — sign a file hash
- POST /api/v1/sign-it/sign-batch — sign up to 100 hashes per request
- POST /api/v1/sign-it/revoke — revoke a signature you created
- GET /api/v1/sign-it/verify — hash lookup
- POST /api/v1/sign-it/verify-file — upload a file for server-side perceptual fingerprinting (50 MB max)
- POST /api/v1/sign-it/verify-fuzzy — fuzzy lookup from pre-computed perceptual hash bands
- POST /api/v1/sign-it/fingerprint — compute a perceptual hash with the same algorithm Vault uses (50 MB max)
- POST /api/v1/sign-it/set-thumbnail — attach a thumbnail to an existing signature
- GET /api/v1/sign-it/my-signatures — list signatures by the authenticated user
- GET /api/v1/sign-it/creator/:id — public profile and signatures for a signer
- GET /api/v1/sign-it/badge — verification badge (SVG / JSON)
- GET /api/v1/sign-it/content-rights — query content rights for a file hash
- POST /api/v1/sign-it/contact — blind email relay to a signer
Webhooks
- GET /api/v1/webhooks/events — list available event types (public)
- POST /api/v1/webhooks — register a webhook
- GET /api/v1/webhooks — list webhooks on an app
- PUT /api/v1/webhooks/:id — update url, events, filters, or active
- DELETE /api/v1/webhooks/:id — delete
New: Signing DNA
A third public Holochain DNA dedicated to Sign It signatures. Integrity and coordinator zomes cover signature entries, content rights manifests, perceptual hash bands, multi-signer links, revocations, and public creator profiles.
New: Tier Gating & Quotas
- Sign It quotas — monthly signature quotas per developer tier (Free 250, Spark 2,500, Pro 25,000, Enterprise custom). Overage metered per 100 signatures and billed via Stripe on Spark ($1/100) and Pro ($0.50/100). Verification is always free and unlimited.
- Webhook limits — webhook endpoints counted per organisation: Free 0, Spark 10, Pro 100, Enterprise unlimited. Paid tiers only.
SDK Updates
@flowsta/auth — new Sign It methods: hashFile(), signFile(), signBatch(), verifyFile(), getContentRights(), signDocument(), getSigningStatus(). Full reference at Sign It SDK Reference.
Docs Reorganisation
- New three-pillar framing across the homepage, Getting Started, and nav — sovereign login + Sign It + webhooks.
- New /webhooks/ section (overview, events, verification, delivery). /sign-it/ section expanded with developer guide, verification API reference, and SDK reference.
- Getting Started now covers four integration patterns — OAuth, Holochain agent linking, Sign It, and webhooks.
v3.1
Encrypted Public Entries
Apps can now store private data on the public DHT. Entries are encrypted client-side with lair's xsalsa20poly1305 crypto_box before being committed. Peers replicate the ciphertext for backup, but only the author can decrypt. See Encrypted Entries on Public DHT.
Improved Backups
- @flowsta/holochain v2.1.0 — Backups work while the Vault is locked (after first unlock)
- Auto-versioned snapshots — Each backup creates a new timestamped snapshot (up to 10 per app, oldest auto-rotated). No more overwriting "latest"
- Private data in exports — Encrypted entries are decrypted and included in backup exports for human readability
- Export format v4 — New private_data section with _readme fields and human-readable field names
Reference Implementation
ProofPoll v1.3 demonstrates the encrypted entry pattern with vote rationales (private notes on votes) and draft polls (encrypted until published), plus the complete DNA migration system across 4 versions.
v3.0
Flowsta Auth now supports web and desktop applications.
Previously, Flowsta Auth was an OAuth-only service for web apps. v3.0 introduces Flowsta Vault, identity linking for Holochain apps, and new SDK packages — making Flowsta Auth a complete authentication platform for both web and desktop.
New: Flowsta Vault
- Desktop identity manager — Tauri v2 app that runs a local Holochain conductor and lair keystore
- Agent linking — Third-party apps can request cryptographic identity attestations via IPC
- Connected apps management — Users see and control which apps are linked to their identity
- Auto-backups — CAL-compliant source chain backup support
- Data export — Users can export their Holochain data and keys at any time
New: Holochain App Integration
- Identity linking for Holochain apps — Apps add agent-linking zomes and use @flowsta/holochain to link their agent key with a user's Flowsta identity
- IsSamePersonEntry attestations — Cryptographic proof committed to your app's DHT, verifiable by any agent on the network
- IPC server — Vault exposes endpoints on localhost:27777 for app communication
- CAL compliance — Built-in support for Cryptographic Autonomy License requirements (data access, key access, data portability)
New: SDK Packages
- @flowsta/holochain — Agent linking and backup functions for Holochain apps
- @flowsta/auth-tauri (v0.1.0) — OAuth-style authentication for Tauri desktop apps through Vault
- @flowsta/login-button — Pre-built "Sign in with Flowsta" components for React, Vue, Qwik, and vanilla JS
New: Documentation
- Vault guide — Overview, Holochain app integration, agent linking, backups, Tauri apps, IPC reference
- Holochain section — Architecture, identity and DIDs, developer guide
- Security section — Zero-knowledge architecture, data portability
- SDK reference pages — Dedicated pages for each SDK package
Improved
- Getting started — Now covers both web OAuth and desktop Holochain integration paths
- Architecture docs — Two-DNA model, infrastructure diagram, cloud nodes
- Static SVG diagrams — All diagrams are now static SVGs for better SEO and accessibility
No Breaking Changes
Existing OAuth integrations using @flowsta/auth continue to work without changes. All v3.0 additions are new functionality.
v2.0
Initial public release of Flowsta Auth.
- OAuth 2.0 + PKCE — Authorization code flow without client secrets
- @flowsta/auth SDK (v2.0) — TypeScript SDK with React bindings
- Zero-knowledge privacy — Client-side encryption with Holochain storage
- W3C DIDs — Decentralized identifiers for every user
- Cross-partner SSO — One account across all partner sites
- Developer dashboard — App registration, analytics, and management at dev.flowsta.com
Breaking Changes from v1.x
- Removed direct email/password authentication from the SDK
- All authentication now goes through Flowsta's hosted login page (OAuth redirect)
// v1.x (removed)
await auth.login(email, password);
// v2.0+
auth.login(); // Redirects to login.flowsta.com
const user = await auth.handleCallback();