What is Flowsta Auth?

Flowsta Auth is a decentralized authentication service built on Holochain. It provides OAuth SSO for web apps, cryptographic identity linking for desktop Holochain apps, and zero-knowledge privacy for everyone.

The Problem

Traditional authentication services (Auth0, Firebase Auth, AWS Cognito) rely on centralized databases:

  • Single point of failure - If their servers go down, so does your app
  • Data breaches - Centralized honeypots attract attackers
  • Censorship risk - Central authorities can shut down accounts
  • Vendor lock-in - Your user data is trapped in their system

The Flowsta Solution

Flowsta Auth combines the simplicity of OAuth with decentralized infrastructure:

Feature                  | Traditional Auth           | Flowsta Auth
-------------------------|----------------------------|----------------
Infrastructure           | Centralized database       | Holochain DHT
Data ownership           | Service provider owns it   | Users own it
Identity standard        | Proprietary user IDs       | W3C DIDs
Privacy                  | Provider has access        | Zero-knowledge
Censorship               | Can be shut down           | Resistant
Single point of failure  | Yes                        | No

Two Integration Paths

Flowsta Auth serves two types of applications:

Path 1: Web Apps — OAuth SSO

Add "Sign in with Flowsta" to any website or web app. Standard OAuth 2.0 with PKCE — no client secrets needed.

How it works:

  1. Your app redirects users to Flowsta's login page
  2. Users authenticate with their Flowsta account
  3. Flowsta redirects back with an authorization code
  4. Your app exchanges the code for an access token (PKCE)
  5. You receive user profile data (name, email, DID, etc.)
```typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/auth/callback'
});

// Step 1: send the browser to login.flowsta.com (this call does not return
// to the current page; the user comes back on redirectUri).
auth.login();

// Steps 3-5, on the redirectUri page: exchange the authorization code for an
// access token using the PKCE verifier and receive the user's profile.
const user = await auth.handleCallback();
```
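The five steps above are standard OAuth 2.0 authorization code flow with PKCE (RFC 7636). The example below is added here and is not code from the Flowsta docs or the @flowsta/auth package; it shows what the library does for you under the hood: generating the code verifier and S256 challenge, building the step-1 redirect, and validating the state on the step-3 callback. The authorize endpoint URL and parameter names are assumptions.

```typescript
// Added example (not code from the Flowsta docs or the @flowsta/auth package): the
// PKCE values a public client generates, and the checks it performs on the callback.
// The authorize endpoint URL and the exact parameter names are assumptions.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

const AUTHORIZE_URL = 'https://login.flowsta.com/oauth/authorize'; // assumed endpoint

function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// RFC 7636 4.1: a high-entropy verifier of 43..128 unreserved characters.
// 32 random bytes encode to exactly 43 base64url characters.
function makeCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
// Only the challenge leaves the client at step 1; the verifier is sent at step 4,
// which is why no client secret is needed.
function codeChallengeS256(verifier: string): string {
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

interface PendingLogin {
  verifier: string; // keep client-side (e.g. sessionStorage) until the callback
  state: string;    // random value binding the callback to this login attempt
  url: string;      // where to send the browser at step 1
}

function buildAuthorizationUrl(clientId: string, redirectUri: string): PendingLogin {
  const verifier = makeCodeVerifier();
  const state = base64url(randomBytes(16));
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: 'S256',
    state,
  });
  return { verifier, state, url: `${AUTHORIZE_URL}?${params.toString()}` };
}

// Step 3: the browser lands on redirectUri. Reject the callback unless its state
// matches the one stored for this attempt, then hand code + verifier to step 4.
function parseCallback(callbackUrl: string, pending: PendingLogin): { code: string; verifier: string } {
  const u = new URL(callbackUrl);
  const error = u.searchParams.get('error');
  if (error) throw new Error(`authorization failed: ${error}`);
  const got = Buffer.from(u.searchParams.get('state') ?? '', 'utf8');
  const want = Buffer.from(pending.state, 'utf8');
  const sameState = got.length === want.length && timingSafeEqual(got, want);
  if (!sameState) throw new Error('state mismatch: callback does not belong to this login attempt');
  const code = u.searchParams.get('code');
  if (!code) throw new Error('callback carried no authorization code');
  return { code, verifier: pending.verifier };
}
```

Step 4 is then a POST to the token endpoint carrying `code` and the stored `verifier`; the server recomputes the S256 challenge and only issues a token if it matches the one it saw at step 1, so an intercepted code is useless without the verifier that never left the client.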

Get started with Web Auth →

Path 2: Desktop Holochain Apps — Identity Linking

Let users prove their Flowsta identity on your Holochain app's DHT. Your app's agent key gets linked to the user's Flowsta identity through cryptographic attestations — no shared DNA required.

How it works:

  1. Your app checks if Flowsta Vault is running locally
  2. Your app sends an identity linking request via IPC
  3. The user approves the link in Flowsta Vault
  4. Vault signs a payload with its agent key
  5. Your app commits an IsSamePersonEntry attestation to your DHT
```typescript
import { linkFlowstaIdentity } from '@flowsta/holochain';

// myAgentKey is your app's own Holochain agent public key.
const result = await linkFlowstaIdentity({
  appName: 'YourApp',
  clientId: 'your_client_id',
  localAgentPubKey: myAgentKey,
});
// result.attestation is the Vault-signed payload, committed to your DHT as an
// IsSamePersonEntry linking myAgentKey to the user's Flowsta identity.
```
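Steps 4 and 5 are where the security of the link rests: the attestation is only as good as the checks the app makes before committing it. The example below is added here and is not Flowsta's code; it simulates the Vault side signing a payload with an Ed25519 agent key and shows the app-side verification that the payload is for this app, this agent and this moment. The payload fields, the hex signature encoding and the freshness window are this example's assumptions, not the real Vault payload format, which this page does not document.

```typescript
// Added example (not code from the Flowsta docs or @flowsta/holochain): the checks an
// app should make on a Vault-signed linking payload before committing an attestation.
// Payload fields, hex signature encoding and the freshness window are assumptions.
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

type LinkPayload = {
  appName: string;          // the app the link is for
  clientId: string;
  localAgentPubKey: string; // the app's agent key: binds the attestation to this agent
  flowstaDid: string;       // the Flowsta identity being linked (did:flowsta:...)
  issuedAt: number;         // unix seconds, for a freshness check
  nonce: string;            // makes each signed payload unique
};

type SignedAttestation = { payload: LinkPayload; signature: string };

// Serialize with sorted keys so signer and verifier hash identical bytes.
function canonicalBytes(p: LinkPayload): Buffer {
  const ordered: Record<string, unknown> = {};
  for (const k of Object.keys(p).sort()) ordered[k] = (p as Record<string, unknown>)[k];
  return Buffer.from(JSON.stringify(ordered), 'utf8');
}

// Vault side (simulated): sign with the Ed25519 agent key. Node's sign() takes a
// null digest for Ed25519 because the algorithm hashes internally.
function vaultSign(payload: LinkPayload, vaultPrivateKey: KeyObject): SignedAttestation {
  return { payload, signature: sign(null, canonicalBytes(payload), vaultPrivateKey).toString('hex') };
}

// App side (step 5): verify the signature AND that the payload was issued for this
// app, this agent and recently, before committing an IsSamePersonEntry. Without the
// binding checks a valid signature for some other app or agent would be accepted.
function verifyAttestation(
  att: SignedAttestation,
  expected: Pick<LinkPayload, 'appName' | 'clientId' | 'localAgentPubKey'>,
  vaultPublicKey: KeyObject, // the key for att.payload.flowstaDid, obtained out of band (assumed)
  nowSec: number,
  maxAgeSec = 300,
): boolean {
  const p = att.payload;
  if (p.appName !== expected.appName || p.clientId !== expected.clientId) return false;
  if (p.localAgentPubKey !== expected.localAgentPubKey) return false;
  if (p.issuedAt > nowSec + 60 || nowSec - p.issuedAt > maxAgeSec) return false;
  try {
    return verify(null, canonicalBytes(p), vaultPublicKey, Buffer.from(att.signature, 'hex'));
  } catch {
    return false; // malformed signature bytes
  }
}

// Stand-alone demo with a freshly generated key pair standing in for Vault's agent key.
function demo(): boolean {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const now = Math.floor(Date.now() / 1000);
  const payload: LinkPayload = {
    appName: 'YourApp', clientId: 'your_client_id', localAgentPubKey: 'uhCAk_example_app_agent',
    flowstaDid: 'did:flowsta:uhCAk_example', issuedAt: now, nonce: 'n-1',
  };
  const att = vaultSign(payload, privateKey);
  return verifyAttestation(att, payload, publicKey, now + 5);
}
```

Because the app's `localAgentPubKey` is inside the signed payload, the attestation cannot be replayed to link the same Flowsta identity to a different agent, and the `appName`/`clientId` binding stops a payload approved for one app from being committed by another.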

Get started with Holochain Apps →

Desktop Tauri Apps

Building a Tauri desktop app that doesn't use Holochain? Use @flowsta/auth-tauri for OAuth-style authentication through Flowsta Vault. Learn more →

Key Features

Zero-Knowledge Privacy

Flowsta staff physically cannot access your users' private data.

Private user data (email addresses, recovery phrases, sessions) is stored encrypted on Holochain with keys derived from user passwords. Only the user (with their password) can decrypt their private data. This zero-knowledge architecture is powered by Holochain's distributed storage.

W3C Decentralized Identifiers (DIDs)

Every user gets a globally unique, cryptographically verifiable identity:

  • Format: did:flowsta:uhCAk... (based on Ed25519 public key)
  • Self-sovereign: Users own their DID, not Flowsta
  • Portable: Works across any DID-compatible system

Cross-Platform Identity

One Flowsta account works across web and desktop:

  • Sign in to any partner website with OAuth SSO
  • Link identity to any Holochain app through Vault
  • Same DID and cryptographic identity everywhere

Secure by Default

  • Ed25519 cryptography - Industry-standard public key cryptography
  • BIP39 recovery phrases - 24-word mnemonics like hardware wallets
  • OAuth 2.0 + PKCE - No client secrets needed for web apps
  • PBKDF2 key derivation - Brute-force resistant password hashing

Architecture

Flowsta Auth uses two Holochain DNAs for zero-knowledge data storage:

DNA                     | Purpose        | Data stored
------------------------|----------------|--------------------------------------------------------------
Identity DNA (Public)   | Public profile | Display name, profile picture, agent public key, agent links
Private DNA (Encrypted) | Sensitive data | Email, recovery phrase, sessions, OAuth logs

Zero-Knowledge Guarantee

All Private DNA data is encrypted client-side with keys derived from the user's password. Flowsta servers never see the unencrypted data.
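The guarantee above and the "PBKDF2 key derivation" item under Secure by Default describe the same mechanism: the password never leaves the client, a key is derived from it, and only ciphertext is written to the Private DNA. The example below is added here and is not Flowsta's code; it shows that client-side shape end to end, including the failure mode that matters (wrong password or tampered ciphertext yields nothing, not garbage). The concrete parameters (PBKDF2-SHA256 with 600,000 iterations, AES-256-GCM, a random per-record salt and nonce) are this example's assumptions, not the values Flowsta uses.

```typescript
// Added example (not code from Flowsta): client-side encryption of a private record
// with a key derived from the user's password. Algorithm choices and parameters are
// assumptions for illustration, not Flowsta's actual settings.
import { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';

const ITERATIONS = 600_000; // assumed; tune to the client hardware you target

// Everything the DHT or any server ever stores for this record.
interface Envelope {
  iterations: number;
  salt: string; // base64, per record, so equal passwords never yield equal keys
  iv: string;   // base64, 96-bit GCM nonce, never reused with the same key
  tag: string;  // base64 GCM authentication tag
  ct: string;   // base64 ciphertext
}

function deriveKey(password: string, salt: Buffer, iterations: number): Buffer {
  return pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

function encryptPrivate(password: string, plaintext: string): Envelope {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const key = deriveKey(password, salt, ITERATIONS);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iterations: ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Returns null on a wrong password or a modified envelope: GCM's tag check fails
// in both cases, so the caller never receives silently corrupted plaintext.
function decryptPrivate(password: string, env: Envelope): string | null {
  const key = deriveKey(password, Buffer.from(env.salt, 'base64'), env.iterations);
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  try {
    return Buffer.concat([decipher.update(Buffer.from(env.ct, 'base64')), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```

Only the `Envelope` is ever transmitted or stored; the password and the derived key exist solely in the client's memory, which is what makes "Flowsta servers never see the unencrypted data" a property of the design rather than a policy.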

Learn more about Holochain Architecture →

Documentation licensed under CC BY-SA 4.0.