Skip to content

Quickstart

Sign a file and verify it in under a minute. Signing happens in your Flowsta Vault - your keys never leave your device.

Sign a File

Prerequisites

Sign

  1. Open Flowsta Vault and unlock it
  2. Click Sign It in the sidebar
  3. Drag files onto the drop zone (or click Choose Files to select one or more)
  4. Vault hashes each file and runs integrity checks automatically
  5. Choose your metadata:
    • AI Generation - None, Assisted, or Generated
    • Content Rights - License, commercial availability, AI training policy, contact preference
    • Public Note - Optional signer comment (up to 280 characters) shown to verifiers
  6. Click Sign File (or Sign N Files for a batch)
  7. Vault signs each hash with your key and commits it to your local conductor

Your signatures publish to Flowsta's tamper-proof network, built on Holochain, via peer-to-peer gossip - verifiable by anyone within minutes. Works offline too: signatures made offline publish when you reconnect.

View Your Signatures

  • Recent Signatures shows your latest 5 on the Sign It page
  • Click View all to see everything, including revoked signatures

Verify a File

  1. Go to flowsta.com/sign-it
  2. Drop the file onto the page (or click Choose File)
  3. The file is hashed in your browser - it never leaves your device
  4. Exact match: finds signatures for the identical file
  5. Fuzzy match: for images and audio, finds similar versions (resized, re-encoded, trimmed)
  6. See all signatures: who signed, when, their declared rights, Public Notes, integrity check results

Verification is free and unlimited - no account needed.

Verify via API

bash
curl "https://auth-api.flowsta.com/api/v1/sign-it/verify?hash=a7f3b9c1e2d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0"

Returns all signatures for that SHA-256 hash, including metadata and revocation status. See the Verification API.

Request Signatures from Your App (for developers)

Your app never signs anything itself - it asks the user's Vault, and the user approves each signature in a Vault dialog. App-initiated signatures draw from your organization's sponsored signing pool, not the user's personal quota.

Web Apps (OAuth + Vault)

typescript
import { FlowstaAuth, hashFile } from '@flowsta/auth';

const flowsta = new FlowstaAuth({
  clientId: 'your_client_id',
  redirectUri: 'https://your-app.com/callback',
  scopes: ['profile', 'sign'],
});

// After user logs in...
const hash = await hashFile(file);
const result = await flowsta.signFile({
  fileHash: hash,
  intent: 'Authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});

signFile() detects the user's running Vault and signs through it - the user approves in the Vault dialog and the key stays on their device. If no Vault can sign, it throws VaultRequiredError so you can prompt the user to open or install Vault.

Desktop Holochain Apps (Vault IPC)

typescript
import { signDocument } from '@flowsta/holochain';

const result = await signDocument({
  clientId: 'flowsta_app_abc123...',
  appName: 'ArtStudio',
  fileHash: 'a7f3b9c1e2d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0',
  label: 'Illustration.png',
  intent: 'authorship',
  contentRights: { license: 'cc-by', aiTraining: 'not_allowed' },
});

The user sees an approval dialog in Vault - your app name, the file label, and whose signing quota pays. If approved, the signature is committed locally and returned to your app, then gossips to the network.

Next Steps

Documentation licensed under CC BY-SA 4.0.