Developer Agreement

Effective Date: December 12, 2025
Last Updated: March 12, 2026


1. Agreement Overview

This agreement covers API usage, SDK licensing, billing, and support for developers using Flowsta Auth.


2. Developer Account

Eligibility

  • 18+ years old
  • Authority to bind your organization
  • Compliance with applicable laws

Organizations

  • New accounts automatically create a personal organization (Free tier)
  • Subscriptions and billing belong to organizations, not individual users
  • Users can belong to multiple organizations with different roles
  • Roles: Owner (full control), Admin (manage team/apps), Member (view access)

Security

  • You are responsible for API key security
  • Rotate keys if compromised
  • Notify us of unauthorized access

3. API Access & License

We Grant You

  • Non-exclusive license to use Flowsta Auth API
  • OAuth 2.0 + PKCE authentication (no client secrets required)
  • Right to integrate into your applications
  • Use of SDKs (MIT license)

You May NOT

  • Reverse engineer the API
  • Circumvent rate limits
  • Resell API access without authorization
  • Create competing identity service

4. Rate Limits & Pricing

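| Tier       | Price        | MAUs    | Apps      | Team      | API Rate           |
|------------|--------------|---------|-----------|-----------|--------------------|
| Free       | $0/mo        | 10,000  | 1         | 1         | 10/sec, 10K/day    |
| Spark      | $29/mo       | 30,000  | 10        | 1         | 25/sec, unlimited  |
| Pro        | $99/mo       | 150,000 | 100       | 5         | 100/sec, unlimited |
| Enterprise | From $299/mo | Custom  | Unlimited | Unlimited | Custom             |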

5. Billing

Calendar Month Billing

  • All subscriptions charged on the 1st of each month
  • First month is pro-rated (days remaining ÷ days in month)

Example:

  • Sign up on January 15th for Spark ($29/mo)
  • January charge: $29 × (16/31) = $14.97 (pro-rated)
  • February 1st charge: $29.00 (full month)
  • All future charges: 1st of each month

Payment

  • Via Stripe
  • Auto-renewal unless cancelled
  • 3-day grace period for failed payments

Cancellation

  • Cancel anytime via dashboard
  • Service continues until end of billing period
  • No refunds for partial months

Downgrades

  • Take effect on 1st of next month
  • Keep current features until then

6. Monthly Active Users (MAU)

Definition

A unique user who authenticates during a calendar month.

Zero-Knowledge MAU Tracking

  • We use random analytics_id (not user ID or DID)
  • You see aggregate counts only
  • You cannot identify individual users from MAU data
  • Same user across multiple apps = 1 billable MAU

Billing

  • "Billable MAU" = unique users across all your apps
  • "Total App Usage" = total logins (informational only)
  • You're billed on Billable MAU

7. Support & SLA

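| Tier       | Support   | Response Time | Uptime SLA |
|------------|-----------|---------------|------------|
| Free       | Community | Best effort   | None       |
| Spark      | Email     | 48 hours      | 99.5%      |
| Pro        | Priority  | 24 hours      | 99.9%      |
| Enterprise | Dedicated | Custom        | 99.99%     |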

Downtime Credits (Paid Tiers)

  • 99.9% - 99.0%: 10% credit
  • 99.0% - 95.0%: 25% credit
  • Below 95.0%: 50% credit

8. SDK & Open Source

SDK 2.0 (@flowsta/auth) - MIT License

  • OAuth-only authentication with PKCE
  • No client secrets required
  • Use in commercial projects
  • Modify source code

Holochain SDK (@flowsta/holochain) - MIT License

  • Optional Holochain signing integration
  • Sign actions on behalf of users (with permission)
  • Sign raw bytes for custom use cases

You Must:

  • Preserve copyright notices
  • Include license file

9. Agent Linking (Optional)

An optional feature that allows your app to link its Holochain agent key with the user's Flowsta Vault identity, providing verifiable identity attestations on your DHT.

How It Works

  • Users open Flowsta Vault and approve a link request
  • A cryptographic attestation (IsSamePersonEntry) is committed to your DHT
  • Anyone on your DHT can verify the user's Flowsta identity via Ed25519 signatures
  • Users' private keys never leave their device

Integration

  • Integrate the flowsta-agent-linking Rust crate into your Holochain DNA to verify attestations
  • The crate is open-source under the MIT license

Your Responsibilities

  • Register your app at dev.flowsta.com to get a client_id
  • Clearly explain to users why identity linking is being requested
  • Handle link revocation gracefully
  • Attestations are immutable on the DHT — inform users before they approve

Learn more: docs.flowsta.com/holochain/agent-linking


10. Acceptable Use

You May NOT

  • Abuse API or exceed rate limits
  • Use for illegal purposes
  • Store end user passwords
  • Share end user data without consent
  • Use for CSAM or violence threats
  • Use signing service to sign illegal content

Your Obligations

  • Have your own privacy policy
  • Inform users Flowsta is used
  • Obtain user consent
  • Handle user data requests
  • If using signing service: clearly explain why signing permission is needed

11. End User Data

Data Flow

End Users → OAuth Login → Flowsta → Your Callback

What You Receive (via OAuth profile scope)

  • DID, display name, username, profile picture, agent key
  • Email (if user consents and email scope requested)

What You DON'T Receive

  • Passwords (we don't have them)
  • Activity logs (stored in user's Holochain)
  • IP addresses (we don't collect them)

Your Responsibilities

  • Secure JWT tokens
  • Use HTTPS only
  • Implement proper session management
  • Comply with GDPR/CCPA

12. Termination

By You

Cancel anytime, export data first

By Us

  • For material breach (immediate)
  • For any reason (30 days notice)

Effect

  • API keys revoked
  • Data available for export (30 days)
  • Outstanding fees due

13. Liability

Maximum Liability

  • Free: $100
  • Paid: Fees paid in past 12 months
  • Enterprise: Per contract

Not Liable For

  • Indirect damages
  • Third-party claims
  • Force majeure

14. Governing Law

Jurisdiction: Victoria, Australia

This Agreement and any disputes arising from it shall be governed by and construed in accordance with the laws of Victoria, Australia. Any legal proceedings shall be brought in the courts of Victoria, Australia.


15. Contact


Changes to This Agreement

We may update this Agreement from time to time. We will notify you of material changes via:

  • Email notification (60 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Agreement.