Developer Agreement

Effective Date: December 12, 2025
Last Updated: January 24, 2026


1. Agreement Overview

This agreement covers API usage, SDK licensing, billing, and support for developers using Flowsta Auth.


2. Developer Account

Eligibility

  • 18+ years old
  • Authority to bind your organization
  • Compliance with applicable laws

Organizations

  • New accounts automatically create a personal organization (Free tier)
  • Subscriptions and billing belong to organizations, not individual users
  • Users can belong to multiple organizations with different roles
  • Roles: Owner (full control), Admin (manage team/apps), Member (view access)

Security

  • You are responsible for API key security
  • Rotate keys if compromised
  • Notify us of unauthorized access

3. API Access & License

We Grant You

  • Non-exclusive license to use Flowsta Auth API
  • OAuth 2.0 + PKCE authentication (no client secrets required)
  • Right to integrate into your applications
  • Use of SDKs (MIT license)

You May NOT

  • Reverse engineer the API
  • Circumvent rate limits
  • Resell API access without authorization
  • Create competing identity service

4. Rate Limits & Pricing

Tier       | Price        | MAUs    | Apps      | Team      | API Rate
Free       | $0/mo        | 10,000  | 3         | 1         | 10/sec, 10K/day
Starter    | $29/mo       | 30,000  | 10        | 1         | 25/sec, unlimited
Pro        | $99/mo       | 150,000 | 25        | 5         | 100/sec, unlimited
Enterprise | From $299/mo | Custom  | Unlimited | Unlimited | Custom

5. Billing

Calendar Month Billing

  • All subscriptions charged on the 1st of each month
  • First month is pro-rated (days remaining ÷ days in month)

Example:

  • Sign up on January 15th for Starter ($29/mo)
  • January charge: $29 × (16/31) = $14.97 (pro-rated)
  • February 1st charge: $29.00 (full month)
  • All future charges: 1st of each month

Payment

  • Via Stripe
  • Auto-renewal unless cancelled
  • 3-day grace period for failed payments

Cancellation

  • Cancel anytime via dashboard
  • Service continues until end of billing period
  • No refunds for partial months

Downgrades

  • Take effect on 1st of next month
  • Keep current features until then

6. Monthly Active Users (MAU)

Definition

A unique user who authenticates during a calendar month.

Zero-Knowledge MAU Tracking

  • We use random analytics_id (not user ID or DID)
  • You see aggregate counts only
  • You cannot identify individual users from MAU data
  • Same user across multiple apps = 1 billable MAU

Billing

  • "Billable MAU" = unique users across all your apps
  • "Total App Usage" = total logins (informational only)
  • You're billed on Billable MAU

7. Support & SLA

Tier       | Support   | Response Time | Uptime SLA
Free       | Community | Best effort   | None
Starter    | Email     | 48 hours      | 99.5%
Pro        | Email     | 24 hours      | 99.9%
Business   | Priority  | 12 hours      | 99.9%
Enterprise | Dedicated | Custom        | 99.99%

Downtime Credits (Paid Tiers)

  • 99.9% - 99.0%: 10% credit
  • 99.0% - 95.0%: 25% credit
  • Below 95.0%: 50% credit

8. SDK & Open Source

SDK 2.0 (@flowsta/auth) - MIT License

  • OAuth-only authentication with PKCE
  • No client secrets required
  • Use in commercial projects
  • Modify source code

Holochain SDK (@flowsta/holochain) - MIT License

  • Optional Holochain signing integration
  • Sign actions on behalf of users (with permission)
  • Sign raw bytes for custom use cases

You Must:

  • Preserve copyright notices
  • Include license file

9. Holochain Signing Service (Optional)

An optional service that allows your app to request cryptographic signatures using users' Flowsta agent keys.

How It Works

  • Request the holochain:sign OAuth scope
  • Users see a special consent screen (marked as sensitive permission)
  • If approved, you can request signatures via API
  • Users' private keys never leave Flowsta - you receive only signatures

Use Cases

  • Holochain apps: Sign actions without running your own conductor
  • Non-Holochain apps: Document signing, audit trails, multi-party workflows

Your Responsibilities

  • Only request holochain:sign if your app needs it
  • Clearly explain why signing permission is needed
  • Provide a reason parameter when signing (shown in user's audit log)
  • Handle permission revocation gracefully

Learn more: docs.flowsta.com/holochain/signing-service


10. Acceptable Use

You May NOT

  • Abuse API or exceed rate limits
  • Use for illegal purposes
  • Store end user passwords
  • Share end user data without consent
  • Use for CSAM or violence threats
  • Use signing service to sign illegal content

Your Obligations

  • Have your own privacy policy
  • Inform users Flowsta is used
  • Obtain user consent
  • Handle user data requests
  • If using signing service: clearly explain why signing permission is needed

11. End User Data

Data Flow

End Users → OAuth Login → Flowsta → Your Callback

What You Receive (via OAuth profile scope)

  • DID, display name, username, profile picture, agent key
  • Email (if user consents and email scope requested)

What You DON'T Receive

  • Passwords (we don't have them)
  • Activity logs (stored in user's Holochain)
  • IP addresses (we don't collect them)

Your Responsibilities

  • Secure JWT tokens
  • Use HTTPS only
  • Implement proper session management
  • Comply with GDPR/CCPA

12. Termination

By You

Cancel anytime, export data first

By Us

  • For material breach (immediate)
  • For any reason (30 days notice)

Effect

  • API keys revoked
  • Data available for export (30 days)
  • Outstanding fees due

13. Liability

Maximum Liability

  • Free: $100
  • Paid: Fees paid in past 12 months
  • Enterprise: Per contract

Not Liable For

  • Indirect damages
  • Third-party claims
  • Force majeure

14. Governing Law

Jurisdiction: Victoria, Australia

This Agreement and any disputes arising from it shall be governed by and construed in accordance with the laws of Victoria, Australia. Any legal proceedings shall be brought in the courts of Victoria, Australia.


15. Contact


Changes to This Agreement

We may update this Agreement from time to time. We will notify you of material changes via:

  • Email notification (60 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Agreement.