Changelog

v3.0

Flowsta Auth now supports web and desktop applications.

Previously, Flowsta Auth was an OAuth-only service for web apps. v3.0 introduces Flowsta Vault, identity linking for Holochain apps, and new SDK packages — making Flowsta Auth a complete authentication platform for both web and desktop.

New: Flowsta Vault

  • Desktop identity manager — Tauri v2 app that runs a local Holochain conductor and lair keystore
  • Agent linking — Third-party apps can request cryptographic identity attestations via IPC
  • Connected apps management — Users see and control which apps are linked to their identity
  • Auto-backups — CAL-compliant source chain backup support
  • Data export — Users can export their Holochain data and keys at any time

New: Holochain App Integration

  • Identity linking for Holochain apps — Apps add agent-linking zomes and use @flowsta/holochain to link their agent key with a user's Flowsta identity
  • IsSamePersonEntry attestations — Cryptographic proof committed to your app's DHT, verifiable by any agent on the network
  • IPC server — Vault exposes endpoints on localhost:27777 for app communication
  • CAL compliance — Built-in support for Cryptographic Autonomy License requirements (data access, key access, data portability)

New: SDK Packages

  • @flowsta/holochain — Agent linking and backup functions for Holochain apps
  • @flowsta/auth-tauri (v0.1.0) — OAuth-style authentication for Tauri desktop apps through Vault
  • @flowsta/login-button — Pre-built "Sign in with Flowsta" components for React, Vue, Qwik, and vanilla JS

New: Documentation

  • Vault guide — Overview, Holochain app integration, agent linking, backups, Tauri apps, IPC reference
  • Holochain section — Architecture, identity and DIDs, developer guide
  • Security section — Zero-knowledge architecture, data portability
  • SDK reference pages — Dedicated pages for each SDK package

Improved

  • Getting started — Now covers both web OAuth and desktop Holochain integration paths
  • Architecture docs — Two-DNA model, infrastructure diagram, cloud nodes
  • Static SVG diagrams — All diagrams are now static SVGs for better SEO and accessibility

No Breaking Changes

Existing OAuth integrations using @flowsta/auth continue to work without changes. All v3.0 additions are new functionality.


v2.0

Initial public release of Flowsta Auth.

  • OAuth 2.0 + PKCE — Authorization code flow without client secrets
  • @flowsta/auth SDK (v2.0) — TypeScript SDK with React bindings
  • Zero-knowledge privacy — Client-side encryption with Holochain storage
  • W3C DIDs — Decentralized identifiers for every user
  • Cross-partner SSO — One account across all partner sites
  • Developer dashboard — App registration, analytics, and management at dev.flowsta.com

Breaking Changes from v1.x

  • Removed direct email/password authentication from the SDK
  • All authentication now goes through Flowsta's hosted login page (OAuth redirect)
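```typescript
// v1.x (removed): email and password were passed directly to the SDK
await auth.login(email, password);

// v2.0+: authentication goes through the hosted login page
auth.login(); // Redirects to login.flowsta.com
// After the redirect back to your app, complete the flow
const user = await auth.handleCallback();
```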

Documentation licensed under CC BY-SA 4.0.