Appearance

Agent Linking

Cryptographic identity attestations between your app and Flowsta Vault.

Agent linking creates an IsSamePersonEntry on your DHT that proves a user's app agent key and Flowsta Vault agent key belong to the same person. The proof is a pair of Ed25519 signatures - verifiable by anyone on your network without contacting Flowsta.

How It Works

Agent linking flow between Your App, Flowsta Vault, and Your DHT

The 78-Byte Payload

Vault constructs the signing payload itself (apps cannot influence what gets signed):

BytesContent
0-38First agent public key (39 bytes: 3-byte prefix + 32-byte key + 4-byte checksum)
39-77Second agent public key (39 bytes, same format)

The two 39-byte Holochain AgentPubKeys are sorted lexicographically to produce a canonical 78-byte payload. Both agents sign this payload. The dual-signature design means:

  • The app agent attests "I am the same person as this Vault agent"
  • The Vault agent attests "I am the same person as this app agent"
  • Anyone can verify both signatures using the public keys in the payload

SDK Functions

FunctionDescription
linkFlowstaIdentity(options)Request identity link from Vault
getFlowstaIdentity(options)Query linked agents on your DHT
getVaultStatus(ipcUrl?)Check if Vault is running and unlocked
revokeFlowstaIdentity(options)Notify Vault of revocation
checkFlowstaLinkStatus(options)Check if Vault still considers agent linked

linkFlowstaIdentity

typescript
import { linkFlowstaIdentity } from '@flowsta/holochain';

const result = await linkFlowstaIdentity({
  appName: 'ChessChain',              // Shown in Vault's approval dialog
  clientId: 'flowsta_app_abc123',      // From dev.flowsta.com
  localAgentPubKey: myAgentKey,        // uhCAk... format (your app's agent key)
  ipcUrl: 'http://localhost:27777',    // Optional, this is the default
});

// result.payload:
// {
//   vaultAgentPubKey: string,  // uhCAk... format
//   vaultSignature: string,    // Base64-encoded Ed25519 signature
// }

getFlowstaIdentity

typescript
import { getFlowstaIdentity } from '@flowsta/holochain';

const linkedAgents = await getFlowstaIdentity({
  appWebsocket,                        // @holochain/client AppWebsocket
  roleName: 'my-role',                 // DNA role name
  agentPubKey: someAgentKey,           // Uint8Array - agent to look up
});

// Returns Uint8Array[] - array of linked agent public keys
// Empty array if not linked to any Flowsta identity

Zome Functions

These are the Holochain zome calls available after adding the flowsta-agent-linking zomes to your DNA:

FunctionInputOutputDescription
create_direct_linkDirectLinkInputActionHashCommit attestation to DHT
get_linked_agentsAgentPubKeyVec<AgentPubKey>Get all linked agents
are_agents_linkedAgentPairboolCheck if two agents are linked
revoke_linkActionHashActionHashRevoke a link (either agent can revoke)

DirectLinkInput

typescript
{
  other_agent: Uint8Array,     // 39-byte Holochain AgentPubKey
  other_signature: Uint8Array, // 64-byte Ed25519 signature
}

Error Handling

ErrorCauseSuggested UX
VaultNotFoundErrorVault not running or not installed"Install or start Flowsta Vault"
VaultLockedErrorVault is locked (passphrase required)"Please unlock your Flowsta Vault"
UserDeniedErrorUser rejected the approval dialog"Identity linking cancelled"
InvalidClientIdErrorclient_id not registered or invalidDeveloper error - check registration
MissingClientIdErrorNo client_id providedDeveloper error
ApiUnreachableErrorCan't reach Flowsta API to verify app"Check internet connection"

Security

  • User-custodied keys - Private keys never leave the user's device
  • Purpose-specific signatures - Vault computes the payload itself; apps cannot trick users into signing arbitrary data
  • User approval required - Every link request shows an approval dialog in Vault
  • Verifiable on-chain - Anyone on your DHT can verify using Ed25519 public key cryptography
  • Revocable - Either agent can revoke a link at any time
  • No shared infrastructure - Verification requires no API calls or shared DNAs

Next Steps

Documentation licensed under CC BY-SA 4.0.

Copyright © 2025-2026 Flowsta