
What is Flowsta Auth?

Flowsta Auth is a decentralized authentication service built on Holochain that provides OAuth-only authentication with zero-knowledge privacy.

The Problem

Traditional authentication services (Auth0, Firebase Auth, AWS Cognito) rely on centralized databases:

  • 🚨 Single point of failure - If their servers go down, so does your app
  • 🔓 Data breaches - Centralized honeypots attract attackers
  • 🚫 Censorship risk - Central authorities can shut down accounts
  • 💰 Vendor lock-in - Your user data is trapped in their system

The Flowsta Solution

Flowsta Auth combines the simplicity of OAuth with decentralized infrastructure:

| Feature | Traditional Auth | Flowsta Auth |
| --- | --- | --- |
| Integration | SDK + secrets | ✅ OAuth + PKCE (no secrets) |
| Infrastructure | Centralized database | ✅ Holochain DHT |
| Data ownership | Service provider owns it | ✅ Users own it |
| Identity Standard | Proprietary user IDs | W3C DIDs |
| Censorship | Can be shut down | ✅ Resistant |
| Privacy | Provider has access | Zero-knowledge |
| Single Sign-On | Provider-specific | Cross-partner SSO |
| Single point of failure | Yes | ✅ No |

How It Works

```mermaid
sequenceDiagram
    participant App as Your App
    participant Flowsta as Flowsta Auth
    participant HC as Holochain

    App->>Flowsta: Redirect to login.flowsta.com
    Flowsta->>Flowsta: User logs in
    Flowsta->>App: Redirect with auth code
    App->>Flowsta: Exchange code for token
    Flowsta->>HC: Verify user identity
    HC->>Flowsta: User data (encrypted)
    Flowsta->>App: Access token + user info
```

  1. Your app redirects users to Flowsta's login page
  2. Users authenticate with their Flowsta account
  3. Flowsta redirects back with an authorization code
  4. Your app exchanges the code for an access token (PKCE)
  5. Holochain DHT stores user data in a distributed, encrypted manner

Key Features

🔐 Zero-Knowledge Privacy

Flowsta staff have no way to access your users' private data.

Private user data (email addresses, recovery phrases, sessions) is stored encrypted on Holochain with keys derived from user passwords. Even Flowsta employees have zero access to:

  • User email addresses (encrypted)
  • Recovery phrase backups
  • Session information
  • Private profile data

Only the user (with their password) can decrypt their private data.

🌐 Single Sign-On Across Partners

One Flowsta account works across all partner sites.

When users create a Flowsta account, they can use it to log in to:

  • All Flowsta services
  • Any partner site integrated with Flowsta Auth

This provides a seamless experience similar to "Login with Google" but with decentralized, user-owned identities.

🔑 OAuth 2.0 + PKCE (No Secrets)

Simple integration without managing client secrets.

  • Standard OAuth 2.0 Authorization Code Flow
  • PKCE for security (no client secrets needed)
  • Works safely in browsers and mobile apps
  • Client ID is all you need

🔐 Secure by Default

  • Ed25519 cryptography - Industry-standard public key cryptography
  • BIP39 recovery phrases - 24-word mnemonics like hardware wallets
  • Password-encrypted keys - Keys never stored in plaintext
  • PBKDF2 key derivation - Brute-force resistant password hashing

🆔 W3C Decentralized Identifiers (DIDs)

Every user gets a globally unique, cryptographically verifiable identity.

Flowsta Auth automatically generates W3C-compliant DIDs for each user:

  • Format: did:key:z6Mk... (based on Ed25519 public key)
  • Standards-compliant: Follows W3C DID specification
  • Self-sovereign: Users own their DID, not Flowsta
  • Portable: Can be used across any DID-compatible system

🚀 Developer-Friendly

  • Simple SDK - Install with npm, integrate in minutes
  • TypeScript support - Full type safety and IntelliSense
  • No secrets to manage - PKCE handles security
  • Beautiful dashboard - Manage apps and analytics

Architecture

Flowsta Auth consists of three main components:

1. Client SDK (@flowsta/auth)

TypeScript/JavaScript library for your frontend:

```typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/auth/callback'
});

// On your login page: redirect the user to Flowsta login
auth.login();

// On the redirectUri route: exchange the returned authorization code
// for a token (PKCE) and receive the user's profile
const user = await auth.handleCallback();
```

2. OAuth API

OAuth 2.0 + PKCE endpoints:

```
GET  /oauth/authorize     - Start OAuth flow
POST /oauth/token         - Exchange code for token
GET  /oauth/userinfo      - Get user profile
POST /oauth/revoke        - Revoke refresh token
```

3. Holochain Backend

Distributed hash table (DHT) for storing:

  • Encrypted user keypairs
  • DIDs (Decentralized Identifiers)
  • Authentication records
  • Recovery phrase hashes

User Data You Receive

After authentication, you get:

```typescript
interface FlowstaUser {
  id: string;           // Unique user ID
  email?: string;       // Email (if 'email' scope granted)
  username?: string;    // Username (if set by user)
  displayName?: string; // Display name
  profilePicture?: string;
  agentPubKey?: string; // Holochain agent public key
  did?: string;         // W3C Decentralized Identifier
}
```


Documentation licensed under CC BY-SA 4.0.