# Security & Privacy

Flowsta Auth is designed so that even Flowsta staff cannot access user private data.

## Security Architecture
| Layer | Protection |
|---|---|
| Authentication | OAuth 2.0 + PKCE, no client secrets, CSRF protection |
| Data storage | Client-side encryption, Holochain DHT |
| Key management | BIP39 recovery phrase, Ed25519 keypairs, PBKDF2 key derivation |
| Sessions | Short-lived access tokens (1h), sliding refresh tokens (30d) |
| Network | Distributed Holochain DHT, no single point of failure |
## Core Principles

### Zero-Knowledge Privacy
Private user data (emails, recovery phrases, sessions) is encrypted client-side with keys derived from the user's password. Flowsta servers process encrypted data but never see the encryption keys or plaintext.
- Zero-Knowledge Architecture - Detailed explanation

### User-Owned Keys
Every user's identity is anchored to an Ed25519 keypair generated from a BIP39 recovery phrase. Users own their keys - Flowsta cannot revoke, modify, or access them.
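The two derivations behind the previous two sections (a password-derived encryption key for client-side data, and a recovery phrase that anchors the Ed25519 keypair) can be shown with only the Python standard library. This is an added example, not Flowsta's code: the mnemonic-to-seed step follows the BIP39 specification exactly (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`), while the password-key parameters (`PBKDF2-HMAC-SHA256`, 600,000 rounds, 32-byte key) and the SLIP-0010 master-key step used to turn the seed into Ed25519 key material are assumptions chosen for illustration; the page does not state which parameters Flowsta uses. Producing the actual Ed25519 public key from the 32-byte seed needs a crypto library and is not shown.

```python
import hashlib
import hmac
import secrets
import unicodedata

BIP39_ROUNDS = 2048            # fixed by the BIP39 specification
PASSWORD_KDF_ROUNDS = 600_000  # ASSUMED for this example; not stated on the page


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Recovery phrase -> 64-byte seed, exactly as BIP39 specifies.

    Both strings are NFKD-normalised; the salt is "mnemonic" + passphrase.
    Everything here runs on the client, so the server never sees the phrase.
    """
    phrase = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, BIP39_ROUNDS, dklen=64)


def ed25519_master_from_seed(seed: bytes) -> tuple[bytes, bytes]:
    """Seed -> (32-byte Ed25519 private-key seed, 32-byte chain code).

    This is the SLIP-0010 master-key step (HMAC-SHA512 keyed with the
    literal "ed25519 seed"); it is used here as an illustration of how a
    keypair can be anchored to the phrase, not as Flowsta's documented method.
    """
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_data_key(password: str, salt: bytes, rounds: int = PASSWORD_KDF_ROUNDS) -> bytes:
    """Password -> 32-byte client-side encryption key via PBKDF2-HMAC-SHA256.

    The salt is random per user and may be stored server-side in the clear;
    without the password it does not let anyone recompute the key.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    pw = unicodedata.normalize("NFKD", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, rounds, dklen=32)


def new_salt() -> bytes:
    """Generate a fresh 16-byte random salt for derive_data_key."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed sample inputs: the well-known BIP39 test phrase and a dummy password.
    phrase = "abandon " * 11 + "about"
    seed = bip39_seed(phrase, "TREZOR")
    priv_seed, chain_code = ed25519_master_from_seed(seed)
    print("BIP39 seed:", seed.hex())
    print("Ed25519 private seed:", priv_seed.hex())
    salt = new_salt()
    key = derive_data_key("correct horse battery staple", salt)
    print("data key:", key.hex(), "salt:", salt.hex())
```

The point to take from it: every input to these functions (phrase, passphrase, password) exists only on the client, and the outputs are deterministic, so the same user on a new device recovers the same keys, while a server that holds only the salt or the ciphertext has nothing to derive from.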
### No Client Secrets

Flowsta uses PKCE (Proof Key for Code Exchange) instead of client secrets. PKCE binds each authorization code to the client that requested it, so it is equally secure and works safely in browsers and mobile apps, where a client secret could not be kept confidential.
### Data Portability
Users can export their Holochain source chain and access their cryptographic keys at any time through Flowsta Vault.
- Data Portability - How users access their data

## For Developers
- OAuth Security Guide - PKCE implementation, token handling, production checklist
- Sessions - Token lifetimes, refresh flow, revocation
- Backups & CAL Compliance - Meeting CAL license requirements
## Next Steps
- Zero-Knowledge Architecture - How encryption works
- Data Portability - User data export
- Sessions - Token management
- OAuth Security - Developer security guide