Introducing Flowsta Sign It: Cryptographic Signatures for Everyone

Sign any file with your Flowsta identity. Declare how it can be licensed, whether AI companies can train on it, and how people should contact you. Verifiable by anyone, stored on a public distributed network, impossible for anyone — including us — to forge or delete.

Today we're launching Sign It — the simplest way to cryptographically prove you made something, and declare how the world should treat it.

If you're an artist, photographer, writer, musician, filmmaker, or anyone signing a contract — Sign It gives you a public, tamper-evident record of your authorship. No SaaS subscription to keep your signatures alive. No central platform that can be bought out, shut down, or quietly edited.

And if you're a developer, AI company, or platform building on top of signed content — we've built Sign It so you can integrate it into your own stack in an afternoon.

What You Can Do With It

Sign any file. Documents, images, audio, video, ZIP archives, source code — Sign It works on the SHA-256 hash, so the file type doesn't matter. The file itself never leaves your device. Only the hash and the metadata you choose to attach are recorded.

Declare your terms. Attach a license (Creative Commons, custom, or All Rights Reserved). State whether AI companies are allowed to train on it. Open yourself up to commercial inquiries without ever exposing your email. Your terms travel with the file.

Get signed by your collaborators. Co-writers, producers, editors, counter-parties — anyone can add their signature to the same file hash. No chasing PDFs around inboxes. Every contributor, verifiable.

Revoke with a trail. Change your mind? Sign a revocation. The original signature stays visible (it's permanent) but the revocation shows up alongside it. Honest, not hidden.

How to Verify a File

This is where it gets interesting — because anyone can check a Sign It signature, not just the signer.

On flowsta.com: Drop any file onto flowsta.com/sign-it/ and we'll tell you if it's signed, who signed it, when, and under what terms. Your file is hashed in your browser — we never see its contents. For finding resized, cropped or recompressed copies of signed images, you can opt into a server-side perceptual fingerprint, which is computed and immediately discarded.

Via the API: Any developer can query signatures programmatically:

GET https://auth-api.flowsta.com/api/v1/sign-it/verify?hash=<sha256>

Returns every signature for that hash: who signed, the declared intent, AI disclosure, content rights, contact preference, and revocation status. Public. No API key. No rate-limited gotcha tier. Full reference.

For AI companies and platforms that want to check content-rights before training or ingesting content, there's a dedicated endpoint:

GET https://auth-api.flowsta.com/api/v1/sign-it/content-rights?hash=<sha256>

If the signer set ai_training: NotAllowed, don't train. If they set commercial_licensing: OpenToLicensing, contact them. The schema is open and documented as a proposed standard. We want this to work regardless of which service signed the file.

For Developers

Two SDKs, both on npm:

npm install @flowsta/auth@latest       # Web apps with OAuth
npm install @flowsta/holochain@latest  # Desktop apps with Flowsta Vault

Web apps call signFile() after OAuth login (requires the sign scope). Desktop apps call signDocument() via Flowsta Vault's local IPC, and the user approves each signature in Vault. Files are hashed client-side in both paths — your server never has to handle file uploads just to sign. Developer guide.

We've also shipped an embeddable badge so anyone can display "Signed with Flowsta" on their own portfolio, blog, or release page:

<div data-flowsta-hash="<sha256 of your file>"></div>
<script src="https://flowsta.com/sign-it/widget.js" async></script>

Drops in anywhere. No build step. Badge reference.

Why This Hasn't Existed Before

Here's the honest pitch: there is no other service that does this. Not DocuSign. Not Adobe's CAI. Not any blockchain-based signing service. They all require you to trust a centralised company, or pay gas fees on every signature, or accept that your signatures are locked inside a walled garden.

Sign It is different because we built it on Holochain:

  • No central database. Signatures live on a peer-to-peer distributed hash table. There is no "flowsta signatures DB" anyone can be compelled to hand over or forced to shut down.
  • No gas fees. Holochain is agent-centric — each user has their own chain. Signing has no per-transaction cost. We can offer a free tier because there's no blockchain consensus bill to pay.
  • Zero knowledge. Your private signing key is either in your Flowsta Vault (desktop) or in a per-user cell on our conductor that only your password unlocks. We cannot sign on your behalf. We cannot see what you signed. We cannot delete it.
  • Survives us. If Flowsta ceased to exist tomorrow, your signatures would remain verifiable on the DHT. Your recovery phrase lets you continue signing from any compatible conductor. This isn't a marketing promise — it's how Holochain works.

No competitor can replicate this without rebuilding on agent-centric, user-owned infrastructure. And that's not a weekend project.

Get Started

Free tier includes a signature a month, so you can try the whole thing before committing. Verification is always free, always unlimited, no account required.

Go sign something.