Sign your work.
Prove it's yours.

Before you publish, ideally. Signatures are timestamped, so signing before the work goes online gives you the earliest possible record that it's yours — the strongest footing if it's ever copied or contested.

That said, it's still well worth signing work that's already out there. Because Sign It uses perceptual matching, your signature isn't bound to one exact file: sign your original and the copies already circulating on social media — resized, recompressed, re-uploaded — can still be matched back to it. Someone who downloads the version doing the rounds and verifies it will see your signature. Earlier is better, but signing late beats not signing at all.

Quite a lot — and it all travels with the signature as public, machine-readable terms anyone can check. When you sign you can declare:
• Licence — how others may use the work (a Creative Commons licence, or your own terms).
• AI training — explicitly allow or deny use of your work to train AI; pipelines can read this before they ingest it.
• Commercial use — whether the work is available for commercial licensing.
• Contact — let people reach you about licensing through a private relay, without exposing your email.
• AI-use disclosure — state whether the work is human-made, AI-assisted, or AI-generated.
You can also add an optional note and a signing intent (authorship, approval, witness, and so on). It's all optional — sign with as much or as little as you like — and anything you declare is published with the signature for a buyer, a platform, or an AI pipeline to read.

"Trust me" is exactly what a provenance tool shouldn't ask for. You don't have to take our word for any of this — here's why:

The proof doesn't live on a Flowsta server. Every signature — the file's SHA-256 hash, your Ed25519 signature over it, the timestamp, and the declared content rights — is written to a public Holochain DHT and replicated across many independent nodes. There's no central database we could quietly edit, lose, or be compelled to hand over.

The code that creates and checks signatures is open source. Flowsta Vault is MIT-licensed and public, and all three Holochain DNAs Flowsta runs are Apache-2.0 and public:
• flowsta-signing-dna — the Sign It signing logic (Ed25519 over file hashes)
• flowsta-identity-dna — public profiles and DID resolution
• flowsta-private-dna — your encrypted private data
Those exact DNAs are bundled inside the open-source Flowsta Vault, so you can read the source, build it yourself, and confirm the same DNA — identified by its content hash — is what actually runs.

You hold the keys. Your signing key is derived from your 24-word recovery phrase (HMAC-SHA256 → Ed25519) and lives in Vault on your own device — never on our servers. Only the holder of that key can sign as you, and only you can export it.

No lock-in. You can export your keys and your data at any time and keep using them on any compatible Holochain conductor. User data portability isn't a feature we chose to be nice — it's a core requirement of the Cryptographic Autonomy Licence that Holochain itself is released under.

Anyone can verify — no account. Verification is free, open, and needs no login: drop a file on the verify page or query the public API. (Our hosted web API is just a convenience layer for the website — it isn't where your proof lives, and the open-source Vault reads and writes the same network without us in the middle.)

Cryptographic hashing (SHA-256) changes completely if even a single byte changes — perfect for proving an exact file, useless for finding edited copies. Perceptual hashing is the opposite: it produces a fingerprint of what the content looks or sounds like, so near-duplicates produce near-identical fingerprints.

When you sign a supported file, Sign It computes that fingerprint and stores it on the Holochain DHT next to your signature. The fingerprint is split into smaller bands (buckets) so a verifier can pull candidate matches that share any band without scanning the whole network, then rank them by how close the full fingerprints are — a Hamming-distance similarity score, which is the "Similar (87%)" figure you see on a fuzzy match.

By media type: images use pHash, a DCT-based perceptual hash robust to resizing, recompression, format conversion and small colour/brightness shifts; audio uses Chromaprint (the acoustic fingerprinting behind Shazam-style matching), so a re-encode, bitrate change or format swap still matches; video uses frame-sampled perceptual hashing across sampled frames.

What survives: resizing, cropping (within reason), recompression, re-encoding, format conversion and minor edits. What won't: heavy re-composition, very aggressive crops, or content changed beyond recognition — at that point it isn't really your file any more.

Privacy: the file is sent to the server only to compute the fingerprint when there's no exact SHA-256 match, and is discarded immediately. The bytes are never stored.

Signing is public by design — that's what makes it useful as proof. What goes on the network is the file's hash, your signature, a timestamp, your public identity, and any rights you declared. Your signatures also appear on your public creator page, which doubles as a verifiable portfolio of your work.

What stays private: the file itself never leaves your device — only its hash is recorded, so the contents aren't published. Your email isn't exposed either; people can only reach you through the optional contact relay, and only if you turn it on. And signing is always your choice — if you'd rather a piece not be publicly tied to you, simply don't sign it.

Sign It records who signed what, and when — it doesn't gatekeep who's allowed to sign a given file, so in principle anyone could sign a copy of your work. What protects you is that every signature is public, timestamped, and tied to an identity, so anyone verifying sees the whole picture rather than a single unchallenged claim.

If you signed first, that earlier timestamp is strong evidence of priority. You can also add your own signature even when someone else got one in first — both show up together — and an established creator profile with a signing history carries weight that a throwaway identity doesn't. It's the clearest reason to sign early: the earliest, identity-backed signature is the one that holds up.

Signing gives you strong, independently verifiable evidence that a specific file existed, that you signed it, and when — together with whatever rights you declared. That's genuinely useful if your authorship is ever questioned.

What it isn't is a copyright registration or legal advice. In most places copyright arises automatically when you create something, and formal registration (where it exists) is a separate process. Think of a Sign It signature as a clear, timestamped, tamper-evident record you can point to — a strong piece of evidence, not a courtroom guarantee. For anything high-stakes, check with a lawyer in your jurisdiction.

Either — both produce the same signatures on the same network, under the same identity.
• The flowsta.com dashboard — sign straight from your browser, nothing to install. Your file is hashed locally before anything is sent. Great for everyday files.
• Flowsta Vault (the open-source desktop app for Linux, macOS and Windows) — signs entirely on your machine, handles large files (up to 10 GB), lets you right-click a file in your file manager to sign it, and works offline. Best for big media like RAWs, video and audio, and for keeping everything local.
Your recovery phrase works across both, so you can switch freely.

Verifying is free, open, and needs no account.

Check a file — drop any file on the verify page. It's hashed in your browser and matched against the network; if there's no exact match, perceptual matching looks for edited copies. You'll see who signed it, when, and the rights they declared.

Browse a creator — every signer has a public profile at flowsta.com/<username> that lists everything they've signed, so you can check a piece against their verifiable portfolio in one place.

Verify in code — developers and AI companies can check signatures programmatically through the free, unauthenticated API:
GET https://auth-api.flowsta.com/api/v1/sign-it/verify?hash=<sha256>It returns the matching signatures and declared content rights as JSON — no key, no account. Full reference in the Sign It API docs.

Verifying is always free and needs no account.

Signing comes with a monthly allowance of signatures that resets on your billing date:
• Free — 2 signatures per month.
• Premium ($10/month or $100/year) — 100 signatures per month, plus shorter usernames and priority support.
• Premium Plus ($50/month or $500/year) — 1,000 signatures per month, and a 5-character username included.
Full details on the Premium page.

Building signing into your own app or product? You can add Sign It through the Flowsta API and SDK, with its own plans and higher volumes — see dev.flowsta.com for pricing and docs.