# Sign It
Decentralized document signing and verification powered by Flowsta and Holochain.
## What It Does
Sign It lets you cryptographically sign any file to prove:
- You signed it — Ed25519 signature tied to your Flowsta identity
- When you signed it — timestamp recorded on a public DHT
- Your terms — license, commercial availability, AI training policy
- Content integrity — steganography and hidden content checks
Anyone can verify a signed file at flowsta.com/sign-it without an account. The file is hashed in the browser — nothing is uploaded.
## How It Works
### Sign from Vault (Desktop)
- Drop files into Vault — Drag one or multiple files. Vault hashes each file locally, runs integrity checks, and generates perceptual hashes for fuzzy matching.
- Choose metadata — Set content rights, AI disclosure, and contact preferences. Shared metadata applies to all files in a batch.
- Sign — Vault signs each hash with your Ed25519 key and commits to your local Holochain conductor.
- Gossip — Signatures gossip to the server DHT automatically. Verifiable within minutes.
### Sign from Web Dashboard
- Login at flowsta.com — Navigate to the Sign It dashboard page.
- Drop files — Drag one or multiple files. Files are hashed client-side (SHA-256) — nothing is uploaded.
- Choose metadata — Same content rights options as Vault.
- Sign — The server signs the hash using your keypair stored in the conductor's keystore. No password needed. Signatures are immediately verifiable.
### Verify
- Go to flowsta.com/sign-it — Drop the file.
- Exact match — SHA-256 hash lookup on the DHT. File never leaves your browser.
- Fuzzy match — For images and audio, perceptual hashing detects re-encoded, resized, or trimmed versions.
- Results — See all signers, content rights, AI disclosure, integrity check results, and revocation status.
## Key Features
### Batch Signing
Sign multiple files at once — drop a folder or select multiple files. Each file gets its own signature on the DHT (independently verifiable), but shared metadata (license, AI policy, etc.) applies to all files in the batch. Maximum 100 files per batch via API.
### Content Rights Manifest
Attach a machine-readable rights declaration to your signature:
- License — All Rights Reserved, CC0, CC BY, CC BY-SA, CC BY-NC, CC BY-NC-SA, MIT, Apache 2.0, GPL 3.0
- Commercial Licensing — Whether you're open to licensing enquiries
- AI Training Policy — Allowed, allowed with attribution, requires license, not allowed
- Contact Preference — Whether verifiers can contact you (via blind relay — your email is never exposed)
### AI Generation Disclosure
Declare whether the content was:
- None — Human-created, no AI involvement
- Assisted — Partly AI-generated
- Generated — Fully AI-generated
### Perceptual Hashing (Fuzzy Matching)
Signatures include perceptual hashes that survive common transformations:
| Media Type | Algorithm | Survives |
|---|---|---|
| Images (PNG, JPEG, BMP, TIFF, GIF) | Gradient dHash (64 bits) | Resize, recompress, colour change |
| Audio (MP3, WAV, FLAC, OGG) | Chromaprint fingerprint | Re-encode, resample, compression, trim |
| Video (MP4, MKV, AVI, WebM) | Audio track Chromaprint | Re-encode, resize, trim |
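A worked version of the gradient dHash from the table above, added here as an illustration rather than Sign It's own implementation (the project's resampling method and bit order are not documented on this page, so both are assumptions). It shrinks a grayscale image to 9x8, compares each pixel with its right-hand neighbour, and uses Hamming distance to show why a downscaled or brightened copy of a constructed test image hashes identically while an unrelated picture does not.

```javascript
// Added example: a 64-bit gradient dHash with Hamming-distance comparison.
// Not Sign It's code; the resampling method and bit order are assumptions.
// Images are plain objects { width, height, pixels[y][x] } with 0..255 grayscale values.

function makeImage(width, height, fn) {
  const pixels = [];
  for (let y = 0; y < height; y++) {
    const row = [];
    for (let x = 0; x < width; x++) row.push(fn(x, y));
    pixels.push(row);
  }
  return { width, height, pixels };
}

// Nearest-neighbour resample (assumed; a production hasher may use area averaging).
function resize(img, width, height) {
  return makeImage(width, height, (x, y) => {
    const sx = Math.floor((x * img.width) / width);
    const sy = Math.floor((y * img.height) / height);
    return img.pixels[sy][sx];
  });
}

// Shrink to 9x8, then in each of the 8 rows compare the 8 adjacent pixel pairs.
// Bit = 1 when the left pixel is brighter. Only relative brightness matters,
// which is why uniform brightness changes and resizing leave the hash intact.
function dHash(img) {
  const small = resize(img, 9, 8);
  let bits = 0n;
  for (let y = 0; y < 8; y++) {
    for (let x = 0; x < 8; x++) {
      bits = (bits << 1n) | (small.pixels[y][x] > small.pixels[y][x + 1] ? 1n : 0n);
    }
  }
  return bits;
}

// Number of differing bits between two 64-bit hashes.
function hamming(a, b) {
  let x = a ^ b;
  let d = 0;
  while (x > 0n) {
    d += Number(x & 1n);
    x >>= 1n;
  }
  return d;
}

// Typical fuzzy-match rule: hashes within a small Hamming distance count as the same picture.
function isNearMatch(a, b, maxDistance = 10) {
  return hamming(a, b) <= maxDistance;
}

// Constructed 32x32 test image: left-to-right ramp (0..200) with a dark square in it.
const original = makeImage(32, 32, (x, y) =>
  x >= 8 && x < 16 && y >= 8 && y < 16 ? 20 : Math.floor((x * 200) / 31));

// Transformations a verifier meets in practice: a downscaled copy and a brightened copy.
const resized = resize(original, 16, 16);
const brighter = makeImage(32, 32, (x, y) => Math.min(255, original.pixels[y][x] + 40));

// An unrelated picture: the ramp reversed, so every left pixel is brighter than its neighbour.
const reversed = makeImage(32, 32, (x) => Math.floor(((31 - x) * 200) / 31));
```

For the constructed image, `dHash(original)` equals `dHash(resized)` and `dHash(brighter)` bit for bit, while `reversed` differs in 62 of 64 bits; the threshold in `isNearMatch` is the knob that trades false matches against missed re-encodes.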
### File Integrity Analysis
Before signing, Vault checks your file for hidden content:
- Post-EOF data (data appended after file end markers)
- LSB steganography (statistical analysis of pixel values)
- Unicode steganography (zero-width characters, homoglyphs)
- Metadata anomalies (suspicious PNG chunks, JPEG comments, PDF JavaScript)
- Entropy analysis (regions of unusual randomness)
- Appended file detection (embedded files within files)
Results are recorded in the signature so verifiers can see what was checked.
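Two of the checks listed above, worked through as an added example that is not Vault's own analyzer: post-EOF detection for PNG (walk the chunk list to the IEND chunk, then report whatever follows it, with the Shannon entropy of that tail as a hint whether it is text or packed data) and a zero-width character scan for text. The PNG bytes and the text sample are constructed by hand; the chunk CRCs are zero placeholders because this walker does not validate them.

```javascript
// Added example, not Vault's code: PNG post-EOF detection, tail entropy, and a
// zero-width character scan. Sample inputs are constructed inline.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Build one PNG chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC (placeholder).
function pngChunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  return Buffer.concat([len, Buffer.from(type, 'latin1'), data, Buffer.alloc(4)]);
}

// Offset just past the IEND chunk, i.e. where a well-formed PNG ends; null if no IEND is found.
function pngEndOffset(buf) {
  if (!buf.subarray(0, 8).equals(PNG_SIGNATURE)) throw new Error('not a PNG');
  let off = 8;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    off += 12 + len; // length + type + data + crc
    if (type === 'IEND') return off;
  }
  return null;
}

// Shannon entropy in bits per byte: ~4.5 for English text, close to 8 for compressed or encrypted data.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function analyzePng(buf) {
  const end = pngEndOffset(buf);
  if (end === null) return { truncated: true, trailingBytes: 0, trailingEntropy: 0 };
  const tail = buf.subarray(end);
  return { truncated: false, trailingBytes: tail.length, trailingEntropy: shannonEntropy(tail) };
}

// Invisible code points commonly used to hide bits in text.
const ZERO_WIDTH = new Set(['\u200B', '\u200C', '\u200D', '\u2060', '\uFEFF']);

function findZeroWidth(text) {
  const hits = [];
  for (let i = 0; i < text.length; i++) {
    if (ZERO_WIDTH.has(text[i])) hits.push({ index: i, codePoint: text.codePointAt(i).toString(16) });
  }
  return hits;
}

// Constructed samples: a minimal PNG (signature, IHDR, IEND), the same file with a
// text tail, with a 256-distinct-byte tail (entropy exactly 8), and a truncated copy.
const cleanPng = Buffer.concat([
  PNG_SIGNATURE,
  pngChunk('IHDR', Buffer.alloc(13)),
  pngChunk('IEND', Buffer.alloc(0)),
]);
const textTail = Buffer.from('CONSTRUCTED HIDDEN PAYLOAD', 'latin1');
const withTextTail = Buffer.concat([cleanPng, textTail]);
const highEntropyTail = Buffer.from(Array.from({ length: 256 }, (_, i) => i));
const withHighEntropyTail = Buffer.concat([cleanPng, highEntropyTail]);
const truncatedPng = cleanPng.subarray(0, 33);
const hiddenText = 'Agreed\u200Bby\u200Call\u200Dparties';
```

`analyzePng` reports a trailing byte count rather than a verdict: appended data is not always hostile (some tools legitimately append metadata), which is why the page says the result is recorded in the signature for verifiers to judge rather than used to block signing.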
### Cross-Device Signatures
Signatures from all your linked devices (Vault + web) appear in both places. If you sign a photo in Vault and a document on the web dashboard, both show in your signatures list everywhere. This works through Holochain agent linking and DHT gossip — no central server involved.
### Multi-Signer Support
Multiple people can sign the same file hash. Useful for contracts (all parties sign), approvals (multiple approvers), and attestations (witnesses).
### Revocation
Signers can revoke their own signatures. The original record stays on the DHT but is marked as revoked with a timestamp and optional reason.
## For Developers
Third-party apps can sign files on behalf of their users via OAuth:
```javascript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

// OAuth client configuration; the 'sign' scope covers signing on the user's behalf.
const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://your-app.com/callback',
  scopes: ['profile', 'sign'],
});

// Hash the file client-side; only the hash is sent to be signed.
const hash = await hashFile(file);
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});
```

See the Developer Guide for full integration instructions.
## Architecture
Sign It uses a dedicated Holochain signing DNA separate from the identity and private DNAs. This provides:
- Privacy separation from identity profiles
- Independent iteration without identity DNA migrations
- Optimised for file-hash lookups and perceptual hash band queries
The signing DNA runs on all Flowsta conductor nodes and on local Vault conductors. Signatures gossip between all nodes on the same network.
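The "perceptual hash band queries" bullet above is the mechanism that lets a store keyed by exact values (such as a DHT) answer fuzzy lookups. The following is an added illustration, not the signing DNA's actual schema; the band layout (four bands of 16 bits) is an assumption. With four bands, any two hashes within Hamming distance 3 must agree on at least one whole band (pigeonhole), so the candidate set is the union of four exact lookups, filtered by true distance afterwards.

```javascript
// Added example, not the signing DNA's real schema: a band index over 64-bit
// perceptual hashes. Band width is an assumption. Sample hashes are constructed.

const BAND_COUNT = 4;
const BAND_BITS = 16n;
const BAND_MASK = (1n << BAND_BITS) - 1n;

// Largest Hamming distance at which a band lookup is guaranteed to find every match:
// flipping BAND_COUNT - 1 bits can spoil at most BAND_COUNT - 1 bands, leaving one intact.
function guaranteedRecallDistance() {
  return BAND_COUNT - 1;
}

function hamming(a, b) {
  let x = a ^ b;
  let d = 0;
  while (x > 0n) {
    d += Number(x & 1n);
    x >>= 1n;
  }
  return d;
}

// Keys a hash is stored under: one per band, prefixed with the band number so
// band 0 of one hash never collides with band 1 of another.
function bandKeys(hash) {
  const keys = [];
  for (let i = 0; i < BAND_COUNT; i++) {
    const band = (hash >> (BigInt(i) * BAND_BITS)) & BAND_MASK;
    keys.push(`${i}:${band.toString(16).padStart(4, '0')}`);
  }
  return keys;
}

class BandIndex {
  constructor() {
    this.buckets = new Map(); // exact-key store standing in for DHT entries
  }

  add(hash, record) {
    for (const key of bandKeys(hash)) {
      if (!this.buckets.has(key)) this.buckets.set(key, []);
      this.buckets.get(key).push({ hash, record });
    }
  }

  // Union of the exact lookups for each band, then filter by real Hamming distance.
  // Recall is only guaranteed for maxDistance <= guaranteedRecallDistance().
  query(hash, maxDistance) {
    const seen = new Map();
    for (const key of bandKeys(hash)) {
      for (const entry of this.buckets.get(key) || []) {
        const d = hamming(hash, entry.hash);
        if (d <= maxDistance && !seen.has(entry.record)) seen.set(entry.record, d);
      }
    }
    return [...seen]
      .map(([record, distance]) => ({ record, distance }))
      .sort((a, b) => a.distance - b.distance);
  }
}

// Constructed hashes: a signed original, a re-encoded copy differing in 3 bits of
// band 0, and a variant with one bit flipped in every band (distance 4, shares no band).
const ORIGINAL = 0x0123456789abcdefn;
const RECODED = ORIGINAL ^ 0x7n;
const FAR = ORIGINAL ^ 0x0001000100010001n;

const index = new BandIndex();
index.add(ORIGINAL, 'original-upload');
index.add(RECODED, 'recoded-copy');
index.add(FAR, 'four-bit-variant');
```

Querying for `ORIGINAL` returns the original and the re-encoded copy but never `FAR`, even with `maxDistance` raised to 4, because no band key is shared. That is the design trade-off behind band queries: more, narrower bands raise recall at the cost of more lookups per query and larger candidate sets.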
## Next Steps
- Quickstart — Sign your first file
- Content Rights — Detailed rights manifest guide
- Developer Guide — OAuth signing for third-party apps
- Verification API — Programmatic file verification
- SDK Reference — All SDK methods for signing and verification