Changelog
v3.1
Encrypted Public Entries
Apps can now store private data on the public DHT. Entries are encrypted client-side with lair's xsalsa20poly1305 crypto_box before being committed. Peers replicate the ciphertext for backup, but only the author can decrypt. See Encrypted Entries on Public DHT.
Improved Backups
- @flowsta/holochain v2.1.0 — Backups work while the Vault is locked (after first unlock)
- Auto-versioned snapshots — Each backup creates a new timestamped snapshot (up to 10 per app, oldest auto-rotated). No more overwriting "latest"
- Private data in exports — Encrypted entries are decrypted and included in backup exports for human readability
- Export format v4 — New private_data section with _readme fields and human-readable field names
Reference Implementation
ProofPoll v1.3 demonstrates the encrypted entry pattern with vote rationales (private notes on votes) and draft polls (encrypted until published), plus the complete DNA migration system across 4 versions.
v3.0
Flowsta Auth now supports web and desktop applications.
Previously, Flowsta Auth was an OAuth-only service for web apps. v3.0 introduces Flowsta Vault, identity linking for Holochain apps, and new SDK packages — making Flowsta Auth a complete authentication platform for both web and desktop.
New: Flowsta Vault
- Desktop identity manager — Tauri v2 app that runs a local Holochain conductor and lair keystore
- Agent linking — Third-party apps can request cryptographic identity attestations via IPC
- Connected apps management — Users see and control which apps are linked to their identity
- Auto-backups — CAL-compliant source chain backup support
- Data export — Users can export their Holochain data and keys at any time
New: Holochain App Integration
- Identity linking for Holochain apps — Apps add agent-linking zomes and use @flowsta/holochain to link their agent key with a user's Flowsta identity
- IsSamePersonEntry attestations — Cryptographic proof committed to your app's DHT, verifiable by any agent on the network
- IPC server — Vault exposes endpoints on localhost:27777 for app communication
- CAL compliance — Built-in support for Cryptographic Autonomy License requirements (data access, key access, data portability)
New: SDK Packages
- @flowsta/holochain — Agent linking and backup functions for Holochain apps
- @flowsta/auth-tauri (v0.1.0) — OAuth-style authentication for Tauri desktop apps through Vault
- @flowsta/login-button — Pre-built "Sign in with Flowsta" components for React, Vue, Qwik, and vanilla JS
New: Documentation
- Vault guide — Overview, Holochain app integration, agent linking, backups, Tauri apps, IPC reference
- Holochain section — Architecture, identity and DIDs, developer guide
- Security section — Zero-knowledge architecture, data portability
- SDK reference pages — Dedicated pages for each SDK package
Improved
- Getting started — Now covers both web OAuth and desktop Holochain integration paths
- Architecture docs — Two-DNA model, infrastructure diagram, cloud nodes
- Static SVG diagrams — All diagrams are now static SVGs for better SEO and accessibility
No Breaking Changes
Existing OAuth integrations using @flowsta/auth continue to work without changes. All v3.0 additions are new functionality.
v2.0
Initial public release of Flowsta Auth.
- OAuth 2.0 + PKCE — Authorization code flow without client secrets
- @flowsta/auth SDK (v2.0) — TypeScript SDK with React bindings
- Zero-knowledge privacy — Client-side encryption with Holochain storage
- W3C DIDs — Decentralized identifiers for every user
- Cross-partner SSO — One account across all partner sites
- Developer dashboard — App registration, analytics, and management at dev.flowsta.com
Breaking Changes from v1.x
- Removed direct email/password authentication from the SDK
- All authentication now goes through Flowsta's hosted login page (OAuth redirect)
// v1.x (removed)
await auth.login(email, password);
// v2.0+
auth.login(); // Redirects to login.flowsta.com
const user = await auth.handleCallback();