What is Flowsta?
Flowsta gives developers three building blocks on one sovereign identity:
- Sovereign login — OAuth 2.0 + PKCE for web and mobile, Vault IPC for Holochain desktop apps.
- Sign It — cryptographic file signing and verification on a public DHT.
- Real-time webhooks — HMAC-signed events so your server reacts to user actions the moment they happen.
Integrate one. Integrate all three. It all runs on Holochain with zero-knowledge privacy.
The Problem
Traditional authentication services (Auth0, Firebase Auth, AWS Cognito) rely on centralized databases:
- Single point of failure - If their servers go down, so does your app
- Data breaches - Centralized honeypots attract attackers
- Censorship risk - Central authorities can shut down accounts
- Vendor lock-in - Your user data is trapped in their system
The Flowsta Solution
Flowsta Auth combines the simplicity of OAuth with decentralized infrastructure:
| Feature | Traditional Auth | Flowsta Auth |
|---|---|---|
| Infrastructure | Centralized database | Holochain DHT |
| Data ownership | Service provider owns it | Users own it |
| Identity Standard | Proprietary user IDs | W3C DIDs |
| Privacy | Provider has access | Zero-knowledge |
| Censorship | Can be shut down | Resistant |
| Single point of failure | Yes | No |
Integration Paths
Four ready-to-start integration patterns. Pick your login path first, then layer on what you need:
Path 1: Web Apps — OAuth SSO
Add "Sign in with Flowsta" to any website or web app. Standard OAuth 2.0 with PKCE — no client secrets needed.
How it works:
- Your app redirects users to Flowsta's login page
- Users authenticate with their Flowsta account
- Flowsta redirects back with an authorization code
- Your app exchanges the code for an access token (PKCE)
- You receive user profile data (name, email, DID, etc.)
```javascript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/auth/callback'
});

// On your login button: redirects the user to login.flowsta.com
auth.login();

// On the redirectUri page: exchanges the returned code for a token (PKCE) and returns the profile
const user = await auth.handleCallback();
```

Path 2: Desktop Holochain Apps — Identity Linking
Let users prove their Flowsta identity on your Holochain app's DHT. Your app's agent key gets linked to the user's Flowsta identity through cryptographic attestations — no shared DNA required.
How it works:
- Your app checks if Flowsta Vault is running locally
- Your app sends an identity linking request via IPC
- The user approves the link in Flowsta Vault
- Vault signs a payload with its agent key
- Your app commits an IsSamePersonEntry attestation to your DHT
```javascript
import { linkFlowstaIdentity } from '@flowsta/holochain';

// myAgentKey: your app's own Holochain agent public key (the key being linked)
const result = await linkFlowstaIdentity({
  appName: 'YourApp',
  clientId: 'your_client_id',
  localAgentPubKey: myAgentKey,
});
// result.attestation is the IsSamePersonEntry committed to your DHT
```

Get started with Holochain Apps →
Desktop Tauri Apps
Building a Tauri desktop app that doesn't use Holochain? Use @flowsta/auth-tauri for OAuth-style authentication through Flowsta Vault. Learn more →
Path 3: Document Signing — Sign It
Let users cryptographically sign files through your app. Prove authorship, declare content rights, and verify signatures — all on a public Holochain DHT.
How it works:
- Your app hashes a file client-side (SHA-256)
- User signs via OAuth (web) or Vault IPC (desktop)
- Signature + metadata committed to the signing DNA DHT
- Anyone can verify by checking the file hash
```javascript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/callback',
  scopes: ['profile', 'sign'],
});

// file: the File/Blob the user selected; hashed client-side (SHA-256), signFile receives only the hash
const hash = await hashFile(file);
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});
```

Path 4: Real-Time Webhooks (paid tiers)
Subscribe your server to events from your OAuth app's users — sign.created, sign.revoked, oauth.authorized, oauth.token.revoked, user.profile.updated. Every payload is HMAC-signed.
Webhooks are available on Spark, Pro, and Enterprise tiers. They layer on top of the OAuth path — no new app type to register.
```bash
curl -X POST https://auth-api.flowsta.com/api/v1/webhooks \
  -H "Authorization: Bearer <your-app-jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://yourapp.com/hooks/flowsta",
    "events": ["sign.created", "sign.revoked"]
  }'
```

The response includes the webhook secret used to verify every delivery. Store it — it's only returned on create.
Key Features
Zero-Knowledge Privacy
Flowsta staff physically cannot access your users' private data.
Private user data (email addresses, recovery phrases, sessions) is stored encrypted on Holochain with keys derived from user passwords. Only the user (with their password) can decrypt their private data. This zero-knowledge architecture is powered by Holochain's distributed storage.
W3C Decentralized Identifiers (DIDs)
Every user gets a globally unique, cryptographically verifiable identity:
- Format: did:flowsta:uhCAk... (based on the Ed25519 public key)
- Self-sovereign: Users own their DID, not Flowsta
- Portable: Works across any DID-compatible system
Cross-Platform Identity
One Flowsta account works across web and desktop:
- Sign in to any partner website with OAuth SSO
- Link identity to any Holochain app through Vault
- Same DID and cryptographic identity everywhere
Secure by Default
- Ed25519 cryptography - Industry-standard public key cryptography
- BIP39 recovery phrases - 24-word mnemonics like hardware wallets
- OAuth 2.0 + PKCE - No client secrets needed for web apps
- PBKDF2 key derivation - Brute-force resistant password hashing
Architecture
Flowsta Auth uses three Holochain DNAs:
| DNA | Purpose | Data Stored |
|---|---|---|
| Identity DNA (Public) | Public profile | DID, agent public key, agent links |
| Private DNA (Encrypted) | Sensitive data | Email, recovery phrase, sessions, OAuth logs |
| Signing DNA (Public) | Document signing | File signatures, content rights, perceptual hashes |
Zero-Knowledge Guarantee
All Private DNA data is encrypted client-side with keys derived from the user's password. Flowsta servers never see the unencrypted data.
Learn more about Holochain Architecture →
What's Next?
Questions?
- Discord: Join our community
- Support: Find out about Flowsta support options
- GitHub: github.com/WeAreFlowsta