Flowsta Vault
Desktop identity manager for Holochain applications.
Flowsta Vault is a desktop app (built with Tauri v2) that runs a local Holochain conductor and lair keystore. It gives users full control over their cryptographic identity while enabling third-party apps to request identity linking.
What Vault Does
| Feature | Description |
|---|---|
| Local Holochain conductor | Runs Identity, Private, and Signing DNAs locally |
| Key management | BIP39 recovery phrase generates deterministic Ed25519 keypair |
| Document signing | Sign files cryptographically — single or batch. Integrity checks and perceptual hashing built in |
| Agent linking | Third-party apps request identity attestations via IPC |
| Connected apps | Users see and manage which apps are linked |
| User profile | Apps that integrate can read the user's display name, profile picture, and unique username via getVaultStatus() (scope-gated) — no signup forms or avatar uploads required |
| Cross-device signatures | Signatures from Vault and web dashboard visible in both places via DHT gossip |
| Auto-backups | Encrypted backups of connected apps' data, triggered by writes (debounced) plus a heartbeat retry. Single overwriting "latest" by default; up to 10 versioned snapshots if the app opts in |
| Reinstall recovery | Users restore their data with one click after a reinstall, device wipe, or move to a new machine — the SDK walks the backup and replays each entry via the app's dispatcher |
| Data export | One-click export of the user's data plus their cryptographic keys, in human-readable JSON — what every CAL-licensed Holochain app must provide under §4.2.1 |
How It Works
Vault communicates with third-party apps via an IPC server on localhost:27777. Apps use the @flowsta/holochain SDK to interact with the IPC server.
User Experience
When a user installs Flowsta Vault:
- Create or restore identity - Generate a new BIP39 recovery phrase or enter an existing one
- Set passphrase - Protects the local lair keystore
- Vault starts - Local conductor connects to the Holochain DHT
- Apps can link - Third-party apps request identity linking via IPC
Users manage their connected apps directly in Vault under Connected Apps. Web applications connected through OAuth are managed separately at flowsta.com/dashboard/connected-sites.
For Developers
Choose the right integration path:
Building a Holochain App?
Use @flowsta/holochain for agent linking. Your app requests identity attestation from Vault, then commits the result to your DHT.
Building Holochain Apps - Full integration guide
Building a Tauri Desktop App?
Use @flowsta/auth-tauri for OAuth-style authentication through Vault's IPC.
Tauri App Authentication - Desktop auth guide
Want Document Signing?
Use @flowsta/holochain for document signing via Vault. Your app sends a file hash, the user approves in Vault, and the signature is committed to the signing DNA DHT.
Sign It Developer Guide — Signing integration guide
Need Backups, Reinstall Recovery, and CAL §4.2.1 Compliance?
Use the SDK's canonical-shape backup pipeline. You write a small match per entry type for decode + restore; Vault provides the encryption, storage, the Your Data UI, the restore walker, and a human-readable user-data export with the user's cryptographic keys — the export every CAL-licensed Holochain app is obliged to provide.
Backups & Reinstall Recovery — Integration guide
Storing Private Data on the DHT?
Encrypt entries client-side with lair's crypto_box before committing. Peers replicate the ciphertext, only the author can decrypt.
Encrypted Entries — Private data pattern
Architecture
Next Steps
- Building Holochain Apps - Integrate agent linking into your Holochain app
- Agent Linking - How identity attestations work
- Backups & Reinstall Recovery - Data portability, restore on reinstall, and CAL §4.2.1 compliance
- Tauri App Authentication - Desktop OAuth through Vault
- IPC Endpoints - Complete IPC API reference