Skip to content

Holochain Integration

Flowsta is built on Holochain, providing true zero-knowledge architecture and decentralized identity.

Holochain Powers Flowsta

Flowsta uses Holochain as the foundation for its zero-knowledge authentication system. Your private records are sealed on your own device — they never gossip to anyone. Public data, like your Identity profile and Sign It signatures, lives on Flowsta's tamper-proof network, built on Holochain, where anyone can verify it and no one can silently alter it.

What Holochain Enables

FeatureHow Holochain Helps
Zero-Knowledge StoragePrivate records stay sealed on the user's device - Flowsta staff physically cannot access them
Decentralized IdentityEach user has an agent public key that serves as their cryptographic identity
W3C DIDsUser identities are W3C Decentralized Identifiers (DIDs) anchored to Holochain
Censorship ResistanceNo central authority can revoke or modify user identities
Data PortabilityUsers own their data and can export it anytime

Architecture Overview

Holochain architecture overview: the user's device runs Flowsta Vault with device keys, a personal conductor, and sealed private records; Flowsta infrastructure holds only the Auth API, lookup metadata, and DHT nodes; both gossip with the shared network's Identity and Signing DNAs

Three Holochain DNAs

Flowsta uses three separate Holochain DNAs:

Identity DNA (Public)

  • W3C DID, agent public key
  • Agent linking attestations (cross-device identity proofs)
  • Publicly readable by other users

Private DNA (Encrypted)

  • Email (encrypted)
  • Recovery phrase (encrypted)
  • Session data (encrypted)
  • OAuth activity logs
  • Only readable by the user who created it

Signing DNA (Public)

  • File signatures (SHA-256 hash + Ed25519 signature)
  • Content rights manifests (license, AI training policy)
  • Perceptual hashes for fuzzy file matching
  • Publicly verifiable by anyone

Zero-Knowledge Guarantee

Private records are sealed on the user's device with keys derived from their recovery phrase — there is no password, and they never gossip to the network. Flowsta's servers never hold the data or the keys.

For Holochain Developers

If you're building a Holochain application, you have two options for integrating with Flowsta:

Option 1: Use Flowsta for Authentication Only

Use Flowsta's OAuth system for user authentication, but manage your own Holochain agent keys:

typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your-client-id',
  redirectUri: 'https://yourapp.com/callback',
  scopes: ['openid', 'public_key', 'did'] // Get user identity, not signing
});

// User authenticates
const user = await auth.handleCallback();

// Use their Flowsta identity but your own Holochain keys
console.log('User DID:', user.did);
console.log('User agent key (Flowsta):', user.agentPubKey);

// Your app can generate its own agent key for the user
// or use the Flowsta key as an identifier

This approach:

  • ✅ Gives users a consistent identity across apps
  • ✅ You control your own Holochain infrastructure
  • ✅ No dependency on Flowsta for signing

Let users prove their Flowsta identity on your DHT using the flowsta-agent-linking crate and Flowsta Vault:

typescript
import { linkFlowstaIdentity } from '@flowsta/holochain';

const result = await linkFlowstaIdentity({
  appName: 'YourApp',
  clientId: 'your-client-id', // from dev.flowsta.com
  localAgentPubKey: myAgentKey, // uhCAk... format
});

// Commit attestation to your DHT
await appWebsocket.callZome({
  role_name: 'my-role',
  zome_name: 'agent_linking',
  fn_name: 'create_external_link',
  payload: {
    external_agent: decodeHashFromBase64(result.payload.vaultAgentPubKey),
    external_signature: base64ToSignature(result.payload.vaultSignature),
  },
});

This approach:

  • ✅ Users' private keys never leave their device (Flowsta Vault)
  • ✅ No shared DNA or API dependency required
  • ✅ Anyone on your DHT can verify the identity via Ed25519 cryptography
  • ✅ Works across separate Holochain conductors

Decentralized Identity Verification

Agent linking creates an IsSamePersonEntry attestation on your DHT with cryptographic signatures from both agent keys. No central authority is needed to verify the link.

→ Learn more about Agent Linking

For Non-Holochain Developers

You don't need to know anything about Holochain to use Flowsta! The standard OAuth integration works like any other identity provider:

typescript
import { FlowstaAuth } from '@flowsta/auth';

const auth = new FlowstaAuth({
  clientId: 'your-client-id',
  redirectUri: 'https://yourapp.com/callback',
  scopes: ['openid', 'display_name']
});

// Standard OAuth flow
auth.login();

// Get user info
const user = await auth.handleCallback();
console.log('User:', user.displayName, user.email);

Holochain runs behind the scenes to provide zero-knowledge data storage, but you interact with Flowsta through standard OAuth 2.0.

Next Steps

Learn More About Holochain

Documentation licensed under CC BY-SA 4.0.