Holochain Architecture
How Flowsta uses Holochain for decentralized, zero-knowledge identity storage.
Two-DNA Architecture
Flowsta uses two Holochain DNAs to keep public and private data apart:
Identity DNA (Public)
| Field | Description |
|---|---|
| Display name | User's chosen display name |
| Profile picture | URL or hash of profile picture |
| Agent public key | Ed25519 public key |
| Agent links | IsSamePersonEntry attestations from agent linking |
The Identity DNA is publicly readable. Any participant in the DHT can query another user's public profile.
Private DNA (Encrypted)
| Field | Description |
|---|---|
| Encrypted with user-derived key | |
| Recovery phrase | Encrypted backup of BIP39 mnemonic |
| Sessions | Encrypted session data |
| OAuth logs | Activity audit trail |
| 2FA config | TOTP configuration (encrypted) |
All Private DNA data is encrypted client-side before storage. Even Holochain validators cannot read the plaintext.
Encrypted Public Entries (Third-Party Apps)
Third-party Holochain apps can also store private data on the public DHT using client-side encryption. Entries are encrypted with lair's xsalsa20poly1305 crypto_box (256-bit X25519 key exchange) before being committed. Peers replicate the ciphertext for resilience, but only the author can decrypt.
This pattern is used for:
- Vote rationales — private notes explaining why a user voted
- Draft content — encrypted until the user publishes
- Any user-owned private data — the entry type hint is always "private" to prevent metadata leakage
See Encrypted Entries on Public DHT for implementation details.
Infrastructure
Global DHT Nodes
Flowsta operates DHT nodes across multiple regions to ensure availability and low-latency access worldwide. As the network grows, the goal is to transition toward community-operated nodes — reducing reliance on Flowsta-managed infrastructure and strengthening the network's decentralization.
Flowsta Vault (Local)
When users install Flowsta Vault, it runs a local Holochain conductor that joins the same DHT network. This means:
- User data is replicated locally
- Agent linking attestations gossip across the network
- The network becomes more resilient with each Vault install
Key Derivation
Every user's keypair is deterministically derived from their recovery phrase. This means:
- Same phrase always produces the same identity
- Users can restore their identity on any device
- No key escrow or central key server needed
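The properties listed above can be seen in a short Node.js sketch. It is an added example, not Flowsta's or Holochain's own code, showing a recovery phrase turned into an Ed25519 keypair that a second device re-derives identically. It assumes the standard BIP39 seed function and, because this page does not describe the real derivation path, uses the first 32 bytes of that seed as the Ed25519 seed; `bip39Seed`, `deriveAgentKeypair` and `restoreAndVerify` are hypothetical names.

```javascript
// Added example: deterministic Ed25519 identity from a BIP39 recovery phrase.
// ASSUMPTION: Flowsta's real derivation path is not given on this page; here the
// first 32 bytes of the standard BIP39 seed are used as the Ed25519 seed.
const nodeCrypto = require('crypto');

// DER prefix of a PKCS#8 PrivateKeyInfo wrapping a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, 64 bytes.
function bip39Seed(phrase, passphrase = '') {
  // Collapse stray whitespace so a re-typed phrase maps to the same seed.
  const words = phrase.normalize('NFKD').trim().split(/\s+/).join(' ');
  const salt = ('mnemonic' + passphrase).normalize('NFKD');
  return nodeCrypto.pbkdf2Sync(words, salt, 2048, 64, 'sha512');
}

function deriveAgentKeypair(phrase, passphrase = '') {
  const seed = bip39Seed(phrase, passphrase).subarray(0, 32); // assumed mapping
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  // The SPKI encoding of an Ed25519 public key ends with the raw 32-byte key.
  const spki = nodeCrypto.createPublicKey(privateKey).export({ format: 'der', type: 'spki' });
  return { privateKey, publicKeyHex: spki.subarray(spki.length - 32).toString('hex') };
}

// Sign on one "device", then verify with a key re-derived independently on another.
function restoreAndVerify(phrase, message) {
  const deviceA = deriveAgentKeypair(phrase);
  const deviceB = deriveAgentKeypair(phrase);
  const sig = nodeCrypto.sign(null, Buffer.from(message), deviceA.privateKey);
  const pubB = nodeCrypto.createPublicKey(deviceB.privateKey);
  return deviceA.publicKeyHex === deviceB.publicKeyHex &&
    nodeCrypto.verify(null, Buffer.from(message), pubB, sig);
}

// Constructed sample phrase (the public BIP39 test-vector words, not a real identity).
const SAMPLE_PHRASE = 'abandon abandon abandon abandon abandon abandon ' +
  'abandon abandon abandon abandon abandon about';
console.log('agent public key:', deriveAgentKeypair(SAMPLE_PHRASE).publicKeyHex);
console.log('restored on second device:', restoreAndVerify(SAMPLE_PHRASE, 'link-agent'));
```

Because derivation is deterministic, the phrase is the entire secret: changing one word or the optional passphrase yields an unrelated keypair, and anyone holding the phrase holds the identity.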
Holochain Version
Flowsta runs on Holochain 0.6.0 with the kitsune2 networking layer.
Next Steps
- Identity & DIDs - W3C Decentralized Identifiers
- For Holochain Developers - Integration guide for Holochain devs
- Zero-Knowledge Architecture - Encryption details
- Vault Overview - Local conductor and key management