Skip to content

Sign It

Decentralized document signing and verification. Signing happens in your own Flowsta Vault - your keys never leave your device, you approve every signature, and there's no one in between.

What It Does

Sign It lets you cryptographically sign any file to prove:

  • You signed it - Ed25519 signature made with your key, on your device, tied to your Flowsta identity
  • When you signed it - timestamp recorded on Flowsta's tamper-proof network, built on Holochain
  • Your terms - license, commercial availability, AI training policy, plus an optional Public Note
  • Content integrity - steganography and hidden content checks

Anyone can verify a signed file at flowsta.com/sign-it without an account. The file is hashed in the browser - nothing is uploaded.

How It Works

Sign

Signing lives in Flowsta Vault, the desktop app that holds your keys:

  1. Drop files into Vault - Drag one or multiple files. Vault hashes each file locally, runs integrity checks, and generates perceptual hashes for fuzzy matching.
  2. Choose metadata - Set content rights, AI disclosure, contact preferences, and an optional Public Note. Shared metadata applies to all files in a batch.
  3. Sign - Vault signs each hash with your Ed25519 key and commits it to your local Holochain conductor. The key never leaves your device.
  4. Publish - Signatures gossip to Flowsta's tamper-proof network automatically. Verifiable by anyone within minutes.

When a third-party app requests a signature, the same rule holds: Vault shows you an approval dialog for every signature - the app name, the file, the metadata, and whose quota pays. Nothing is signed without your explicit yes.

Verify

  1. Go to flowsta.com/sign-it - Drop the file.
  2. Exact match - SHA-256 hash lookup on the network. The file never leaves your browser.
  3. Fuzzy match - For images and audio, perceptual hashing detects re-encoded, resized, or trimmed versions.
  4. Results - See all signers, content rights, AI disclosure, Public Notes, integrity check results, and revocation status.

Verification is free and unlimited on every plan.

Key Features

Batch Signing

Sign multiple files at once in Vault - drop a folder or select multiple files. Each file gets its own independently verifiable signature, while shared metadata (license, AI policy, Public Note) applies to the whole batch.

Content Rights Manifest

Attach a machine-readable rights declaration to your signature:

  • License - All Rights Reserved, CC0, CC BY, CC BY-SA, CC BY-NC, CC BY-NC-SA, MIT, Apache 2.0, GPL 3.0
  • Commercial Licensing - Whether you're open to licensing inquiries
  • AI Training Policy - Allowed, allowed with attribution, requires license, not allowed
  • Contact Preference - Whether verifiers can contact you (via blind relay - your email is never exposed)

Public Note

Add a signer comment of up to 280 characters - context, dedication, terms, anything you want verifiers to see alongside your signature.

AI Generation Disclosure

Declare whether the content was:

  • None - Human-created, no AI involvement
  • Assisted - Partly AI-generated
  • Generated - Fully AI-generated

Perceptual Hashing (Fuzzy Matching)

Signatures include perceptual hashes that survive common transformations:

Media TypeAlgorithmSurvives
Images (PNG, JPEG, BMP, TIFF, GIF)Gradient dHash (64 bits)Resize, recompress, color change
Audio (MP3, WAV, FLAC, OGG)Chromaprint fingerprintRe-encode, resample, compression, trim
Video (MP4, MKV, AVI, WebM)Audio track ChromaprintRe-encode, resize, trim

File Integrity Analysis

Before signing, Vault checks your file for hidden content:

  • Post-EOF data (data appended after file end markers)
  • LSB steganography (statistical analysis of pixel values)
  • Unicode steganography (zero-width characters, homoglyphs)
  • Metadata anomalies (suspicious PNG chunks, JPEG comments, PDF JavaScript)
  • Entropy analysis (regions of unusual randomness)
  • Appended file detection (embedded files within files)

Results are recorded in the signature so verifiers can see what was checked.

Multi-Signer Support

Multiple people can sign the same file hash. Useful for contracts (all parties sign), approvals (multiple approvers), and attestations (witnesses).

Revocation

Signers can revoke their own signatures. The original record stays on the network but is marked as revoked with a timestamp and optional reason.

For Developers

Third-party apps request signatures through the user's Vault. Your app never touches keys - the user approves each signature in a Vault dialog:

typescript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://your-app.com/callback',
  scopes: ['profile', 'sign'],
});

const hash = await hashFile(file);

// Signs through the user's Vault - they approve in the Vault dialog
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'Authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});

App-initiated signatures are sponsored: they draw from your organization's monthly signing pool, not the user's personal quota - and the Vault dialog tells the user so. See Signing quotas & sponsored signing.

See the Developer Guide for full integration instructions.

Architecture

Sign It uses a dedicated Holochain signing DNA separate from the identity and private DNAs. This provides:

  • Privacy separation from identity profiles
  • Independent iteration without identity DNA migrations
  • Optimized file-hash lookups and perceptual hash band queries

The signing DNA runs on your local Vault conductor and on Flowsta's network nodes. Your Vault commits the signature locally; it then gossips to the rest of the network - typically verifiable everywhere within minutes. Signatures from all your linked devices appear in one signatures list, stitched together through Holochain agent linking - no central server required.

Next Steps

Documentation licensed under CC BY-SA 4.0.