Content Rights
When you sign a file with Sign It, you can attach a Content Rights manifest — a machine-readable declaration of your terms, backed by your cryptographic signature.
Why It Matters
There's no standardised way for creators to declare terms for commercial use and AI training that is:
- Verifiable — cryptographically signed, can't be forged
- Discoverable — on a public DHT, not buried in metadata
- Machine-readable — AI crawlers and pipelines can check programmatically
- Persistent — not dependent on a single server
Sign It addresses this gap. Your rights declaration is attached to cryptographic proof of authorship.
Fields
All fields are optional. You control what to include at signing time.
License
| Value | Meaning |
|---|---|
| All Rights Reserved | No permissions granted |
| CC0 | Public domain dedication |
| CC BY | Attribution required |
| CC BY-SA | Attribution + ShareAlike |
| CC BY-NC | Attribution + NonCommercial |
| CC BY-NC-SA | Attribution + NonCommercial + ShareAlike |
| MIT | MIT License |
| Apache 2.0 | Apache License 2.0 |
| GPL 3.0 | GNU GPL v3 |
Commercial Licensing
| Value | Meaning |
|---|---|
| Not available | Not open to commercial licensing |
| Open to licensing | Contact me to discuss licensing (via Flowsta relay) |
AI Training Policy
| Value | Meaning |
|---|---|
| Allowed | Free to include in AI training data |
| Allowed with attribution | May train on, but credit the creator |
| Requires license | Must obtain a license before training |
| Not allowed | Do not include in AI training data |
Contact Preference
| Value | Meaning |
|---|---|
| No contact | Do not contact me about this file |
| Allow contact requests | I'm open to messages via Flowsta's blind relay |
Contact Relay
When a signer sets "Allow contact requests", the verification page shows a Contact signer button. The requester fills in their name, email, purpose, and a message. Flowsta relays this as an email to the signer.
Privacy guarantees:
- The signer's email is never exposed to the requester
- The API returns the same response whether the signer exists or not (prevents enumeration)
- Rate limited: 3 messages per hour per IP
- The signer decides whether to reply
What It Does NOT Do
- It's not DRM — it doesn't prevent copying or training
- It's not legally binding by itself — but a signed, timestamped, publicly verifiable declaration is strong evidence in disputes
- It doesn't enforce compliance — but it makes terms clear and discoverable
Example
A photographer signs a photo with:
Intent: Authorship
AI Content: None
License: CC BY-NC 4.0
Commercial: Open to licensing
AI Training: Requires license
Contact: Allow contact requests
This means: "I created this photo without AI. You can share it non-commercially with attribution. For commercial use or AI training, contact me to arrange a license."
Anyone verifying the file sees this declaration, backed by the photographer's cryptographic identity.
API Endpoint
For AI training pipelines, search engines, and content platforms that need to check rights programmatically, Sign It exposes a machine-readable endpoint.
Request
```
GET https://auth-api.flowsta.com/api/v1/sign-it/content-rights?hash=<sha256>
```
Parameters:
| Name | Required | Description |
|---|---|---|
| hash | yes | 64-character hex SHA-256 of the file you want to check |
Response
```json
{
  "file_hash": "abc123...",
  "signed": true,
  "signer_count": 2,
  "content_rights": {
    "license": "CC BY-NC 4.0",
    "ai_training": "NotAllowed",
    "commercial_licensing": "OpenToLicensing",
    "contact_preference": "AllowContactRequests"
  },
  "contact_available": true,
  "verify_url": "https://flowsta.com/sign-it/?hash=abc123..."
}
```
If the file has never been signed:
```json
{
  "file_hash": "abc123...",
  "signed": false,
  "signer_count": 0
}
```
Aggregation Rules
When multiple signers set different policies, the most restrictive policy wins per field:
- ai_training: NotAllowed > RequiresLicense > AllowedWithAttribution > Allowed
- commercial_licensing: NotAvailable > OpenToLicensing
- contact_preference: NoContact > AllowContactRequests
- license: returned as a list if signers disagree, else the single agreed value
Revoked signatures are ignored in the aggregation.
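The aggregation rules above, worked through in code. This is an added example, not Sign It's own server code: the Signer record, aggregate_rights(), the assumption that signer_count and contact_available are derived from non-revoked signatures only, and the sample signers are all illustrative; the field names, enum values and per-field precedence are the ones this page documents.

```python
"""Aggregating per-signer Content Rights into one endpoint response.

Added example, not Sign It's own code. Signer, aggregate_rights() and the
sample signers are assumptions made for illustration; the field names,
enum values and precedence orders are the ones the page documents.
"""
from dataclasses import dataclass

# Per-field precedence, most restrictive first (lowest index wins).
PRECEDENCE = {
    "ai_training": ["NotAllowed", "RequiresLicense",
                    "AllowedWithAttribution", "Allowed"],
    "commercial_licensing": ["NotAvailable", "OpenToLicensing"],
    "contact_preference": ["NoContact", "AllowContactRequests"],
}


@dataclass
class Signer:
    rights: dict           # fields this signer declared; all are optional
    revoked: bool = False  # revoked signatures are ignored entirely


def most_restrictive(values, order):
    """Pick the value with the lowest index in `order`; reject unknown ones."""
    for v in values:
        if v not in order:
            raise ValueError(f"unknown policy value {v!r}")
    return min(values, key=order.index)


def aggregate_rights(signers):
    """Build the content-rights part of the endpoint response."""
    active = [s for s in signers if not s.revoked]
    # Assumption: signer_count reflects only non-revoked signatures.
    result = {"signed": bool(active), "signer_count": len(active)}
    if not active:
        return result

    rights = {}
    for field_name, order in PRECEDENCE.items():
        declared = [s.rights[field_name] for s in active
                    if field_name in s.rights]
        if declared:  # a field nobody declared is simply absent
            rights[field_name] = most_restrictive(declared, order)

    # license has no ordering: one value if all agree, else the list
    licenses = []
    for s in active:
        lic = s.rights.get("license")
        if lic is not None and lic not in licenses:
            licenses.append(lic)
    if len(licenses) == 1:
        rights["license"] = licenses[0]
    elif licenses:
        rights["license"] = licenses

    result["content_rights"] = rights
    # Assumption: contact_available follows the aggregated preference,
    # so a single NoContact signer switches the relay button off.
    result["contact_available"] = (
        rights.get("contact_preference") == "AllowContactRequests")
    return result


# Constructed sample: two live signers who disagree, plus one revoked
# signature whose permissive policy must not leak into the result.
SAMPLE_SIGNERS = [
    Signer({"license": "CC BY-NC 4.0", "ai_training": "Allowed",
            "contact_preference": "AllowContactRequests"}),
    Signer({"license": "CC BY", "ai_training": "NotAllowed",
            "commercial_licensing": "OpenToLicensing"}),
    Signer({"ai_training": "Allowed", "commercial_licensing": "NotAvailable"},
           revoked=True),
]

if __name__ == "__main__":
    import json
    print(json.dumps(aggregate_rights(SAMPLE_SIGNERS), indent=2))
```

Note that an unrecognised enum value raises rather than being silently ranked as permissive; a server that accepts arbitrary strings for these fields would otherwise let a typo defeat the "most restrictive wins" rule.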
Cache
Responses include Cache-Control: public, max-age=300 (5 minutes). Safe for CDN edge caching — pipelines checking millions of files won't flood the API.
For AI Training Pipelines
Before adding a file to a training corpus, check:
```python
import hashlib, requests

def is_training_allowed(file_bytes: bytes) -> bool:
    # The lookup key is the SHA-256 hex digest of the exact file bytes
    h = hashlib.sha256(file_bytes).hexdigest()
    r = requests.get(
        "https://auth-api.flowsta.com/api/v1/sign-it/content-rights",
        params={"hash": h},
        timeout=5,
    )
    # Note: a non-200 response is treated like an unsigned file here
    # (fail-open); a production pipeline should retry rather than infer consent
    if r.status_code != 200 or not r.json().get("signed"):
        return True  # No signature, no explicit objection
    # All fields are optional, so a signed file may carry no AI policy (None)
    policy = r.json().get("content_rights", {}).get("ai_training")
    return policy in (None, "Allowed", "AllowedWithAttribution")
```
If the policy is RequiresLicense, use the contact_preference to reach the signer (via the verify URL) before proceeding.
Unsigned Files
The endpoint returns signed: false for any hash that has never been signed. Absence of a signature is not an objection — it just means the creator hasn't declared rights through Sign It. Pipelines should fall back to site-level signals (robots.txt, terms of service, licensing metadata).
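The boolean check above cannot tell "requires a license" apart from "not allowed", nor an API failure from an unsigned file, yet the text asks pipelines to act differently in each case. The following added example, which is not Sign It's or Flowsta's own client code, maps a response to a pipeline decision instead. Decision, decide_training(), content_rights_url() and the constructed sample responses are assumptions for illustration; the endpoint, field names and enum values are the ones documented on this page. It runs offline against the embedded responses, so no request is made.

```python
"""Turning a content-rights lookup into a pipeline decision.

Added example, not Sign It's or Flowsta's own code. Decision,
decide_training(), content_rights_url() and the sample responses are
assumptions for illustration; the endpoint, field names and enum values
are the ones the page documents.
"""
import hashlib
from enum import Enum
from urllib.parse import urlencode

ENDPOINT = "https://auth-api.flowsta.com/api/v1/sign-it/content-rights"


class Decision(Enum):
    INCLUDE = "include"                     # Allowed, or no AI policy declared
    INCLUDE_WITH_CREDIT = "include_credit"  # AllowedWithAttribution
    NEEDS_LICENSE = "needs_license"         # RequiresLicense: contact signer first
    EXCLUDE = "exclude"                     # NotAllowed
    UNSIGNED = "unsigned"                   # fall back to robots.txt / ToS / metadata
    ERROR = "error"                         # lookup failed: retry, do not infer consent


def content_rights_url(file_bytes: bytes) -> str:
    """Build the GET URL for a file; the key is its 64-hex SHA-256."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return f"{ENDPOINT}?{urlencode({'hash': digest})}"


def decide_training(status_code: int, body) -> tuple:
    """Map (HTTP status, parsed JSON body) to (Decision, verify_url or None)."""
    if status_code != 200 or not isinstance(body, dict):
        return Decision.ERROR, None
    if not body.get("signed"):
        return Decision.UNSIGNED, None

    rights = body.get("content_rights") or {}
    policy = rights.get("ai_training")
    verify_url = body.get("verify_url")

    if policy is None or policy == "Allowed":
        # All fields are optional; an undeclared AI policy is not an objection.
        return Decision.INCLUDE, verify_url
    if policy == "AllowedWithAttribution":
        return Decision.INCLUDE_WITH_CREDIT, verify_url
    if policy == "RequiresLicense":
        # The verify page only offers a contact route if the signer allows it.
        return Decision.NEEDS_LICENSE, (verify_url if body.get("contact_available") else None)
    if policy == "NotAllowed":
        return Decision.EXCLUDE, verify_url
    # An enum value this client doesn't know: treat as refusal, not consent.
    return Decision.EXCLUDE, verify_url


# Constructed responses mirroring the shapes documented above.
SIGNED_NOT_ALLOWED = {
    "file_hash": "abc123...", "signed": True, "signer_count": 2,
    "content_rights": {"license": "CC BY-NC 4.0", "ai_training": "NotAllowed",
                       "commercial_licensing": "OpenToLicensing",
                       "contact_preference": "AllowContactRequests"},
    "contact_available": True,
    "verify_url": "https://flowsta.com/sign-it/?hash=abc123...",
}
SIGNED_REQUIRES_LICENSE = {
    "file_hash": "abc123...", "signed": True, "signer_count": 1,
    "content_rights": {"ai_training": "RequiresLicense",
                       "contact_preference": "AllowContactRequests"},
    "contact_available": True,
    "verify_url": "https://flowsta.com/sign-it/?hash=abc123...",
}
UNSIGNED = {"file_hash": "abc123...", "signed": False, "signer_count": 0}

if __name__ == "__main__":
    print(content_rights_url(b"example file bytes"))
    for body in (SIGNED_NOT_ALLOWED, SIGNED_REQUIRES_LICENSE, UNSIGNED):
        print(decide_training(200, body))
    print(decide_training(503, None))
```

Two design choices worth copying: an API error yields ERROR rather than being folded into UNSIGNED, so a transient outage cannot turn into implied consent, and an enum value the client has never seen is treated as a refusal, which keeps the pipeline safe if the standard gains a new, stricter value before the client is updated.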
Adopting the Standard
The Content Rights field set is open — there's no proprietary schema, no license to use, and no API key required to query. If you're building a content-rights system, we'd love the same enum values to become a de-facto standard so a single query surfaces rights regardless of which service signed the file.
Contact us at hello@flowsta.com if you're implementing this on your platform.