Developer Agreement

Effective Date: December 12, 2025
Last Updated: April 15, 2026

---

1. Agreement Overview

This agreement covers API usage, SDK licensing, billing, and support for developers using Flowsta Auth.

---

2. Developer Account

Eligibility

• 18+ years old
• Authority to bind your organization
• Compliance with applicable laws

Organizations

• New accounts automatically create a personal organization (Free tier)
• Subscriptions and billing belong to organizations, not individual users
• Users can belong to multiple organizations with different roles
• Roles: Owner (full control), Admin (manage team/apps), Member (view access)

Security

• You are responsible for API key security
• Rotate keys if compromised
• Notify us of unauthorized access

---

3. API Access & License

We Grant You

• Non-exclusive license to use Flowsta Auth API
• OAuth 2.0 + PKCE authentication (no client secrets required)
• Right to integrate into your applications
• Use of SDKs (MIT license)

You May NOT

• Reverse engineer the API
• Circumvent rate limits
• Resell API access without authorization
• Create competing identity service

---

4. Rate Limits & Pricing

Sign It verification is always free and unlimited. Overage on Spark and Pro is billed via Stripe metered billing in the following month's invoice.

---

5. Billing

Calendar Month Billing

• All subscriptions charged on the 1st of each month
• First month is pro-rated (days remaining ÷ days in month)

Example:

• Sign up on January 15th for Spark ($29/mo)
• January charge: $29 × (16/31) = $14.97 (pro-rated)
• February 1st charge: $29.00 (full month)
• All future charges: 1st of each month

Payment

• Via Stripe
• Auto-renewal unless cancelled
• 3-day grace period for failed payments

Cancellation

• Cancel anytime via dashboard
• Service continues until end of billing period
• No refunds for partial months

Downgrades

• Take effect on 1st of next month
• Keep current features until then

---

6. Monthly Active Users (MAU)

Definition

A unique user who authenticates during a calendar month.

Zero-Knowledge MAU Tracking

• We use random analytics_id (not user ID or DID)
• You see aggregate counts only
• You cannot identify individual users from MAU data
• Same user across multiple apps = 1 billable MAU

Billing

• "Billable MAU" = unique users across all your apps
• "Total App Usage" = total logins (informational only)
• You're billed on Billable MAU

---

7. Support & SLA

Downtime Credits (Paid Tiers)

• 99.9% - 99.0%: 10% credit
• 99.0% - 95.0%: 25% credit
• Below 95.0%: 50% credit

---

8. SDK & Open Source

@flowsta/auth (v2.2+) — MIT License

• OAuth 2.0 + PKCE authentication (no client secrets required)
• Sign It: signFile, signBatch, verifyFile, getContentRights, hashFile
• Use in commercial projects; modify source code freely

@flowsta/holochain (v2.2+) — MIT License

• Agent linking via Flowsta Vault (IsSamePersonEntry attestations)
• Encrypted backups to Vault
• Sign It: signDocument, getSigningStatus — request user-approved signatures from the Vault

@flowsta/auth-tauri — MIT License

• Desktop app authentication via Flowsta Vault (for Tauri apps)

You Must:

• Preserve copyright notices
• Include license file

---

9. Agent Linking (Optional)

An optional feature that allows your app to link its Holochain agent key with the user's Flowsta Vault identity, providing verifiable identity attestations on your DHT.

How It Works

• Users open Flowsta Vault and approve a link request
• A cryptographic attestation (IsSamePersonEntry) is committed to your DHT
• Anyone on your DHT can verify the user's Flowsta identity via Ed25519 signatures
• Users' private keys never leave their device

Integration

• Integrate the flowsta-agent-linking Rust crate into your Holochain DNA to verify attestations
• The crate is open-source under the MIT license

Your Responsibilities

• Register your app at dev.flowsta.com to get a client_id
• Clearly explain to users why identity linking is being requested
• Handle link revocation gracefully
• Attestations are immutable on the DHT — inform users before they approve

Learn more: docs.flowsta.com/holochain/agent-linking

---

9A. Sign It & Content Rights (Optional)

Your app can let users sign files via @flowsta/auth.signFile() (web) or @flowsta/holochain.signDocument() (desktop).

How It Works

• Users' files are hashed client-side — the file itself never leaves their device or reaches your server via our SDK
• Signatures are committed to the public Holochain signing DHT under the user's agent key (not your app's)
• Declared content rights (license, AI-training policy, commercial licensing, contact preference) are the user's statement — Flowsta does not enforce them
• Signature records are immutable; revocation is a separate signed entry

Querying Content Rights

The GET /api/v1/sign-it/content-rights?hash=<sha256> endpoint is public and rate-limited per IP. Use it in compliance checks (e.g. AI training pipelines) to respect signer-declared terms. See docs.flowsta.com/sign-it/content-rights.

Webhooks (Optional)

Register webhooks to receive sign.created and sign.revoked events when your app's users sign or revoke. Payloads include the action hash, file hash, and signer — never the file contents. Every payload is HMAC-SHA256 signed with a per-webhook secret. Delivery is fire-and-forget with a 10-second timeout. See docs.flowsta.com/webhooks.

Your Responsibilities

• Clearly disclose to users what signing means and that signatures are public and immutable
• Do not misrepresent what content rights mean (they are signer declarations, not legal enforcement)
• Comply with Sign It quotas on your tier; overages are billed per §4

---

10. Acceptable Use

You May NOT

• Abuse API or exceed rate limits
• Use for illegal purposes
• Store end user passwords
• Share end user data without consent
• Use for CSAM or credible threats of violence
• Use Sign It to help users launder authorship claims, misrepresent content rights, or sign content they cannot lawfully sign

Your Obligations

• Have your own privacy policy
• Inform users Flowsta is used
• Obtain user consent
• Handle user data requests
• If using signing service: clearly explain why signing permission is needed

---

11. End User Data

Data Flow

End Users → OAuth Login → Flowsta → Your Callback

What You Receive (via OAuth profile scope)

• DID, display name, username, profile picture, agent key
• Email (if user consents and email scope requested)

What You DON'T Receive

• Passwords (we don't have them)
• Activity logs (stored in user's Holochain)
• IP addresses (we don't collect them)

Your Responsibilities

• Secure JWT tokens
• Use HTTPS only
• Implement proper session management
• Comply with GDPR/CCPA

---

12. Termination

By You

Cancel anytime, export data first

By Us

• For material breach (immediate)
• For any reason (30 days notice)

Effect

• API keys revoked
• Data available for export (30 days)
• Outstanding fees due

---

13. Liability

Maximum Liability

• Free: $100
• Paid: Fees paid in past 12 months
• Enterprise: Per contract

Not Liable For

• Indirect damages
• Third-party claims
• Force majeure

---

14. Governing Law

Jurisdiction: Victoria, Australia

This Agreement and any disputes arising from it shall be governed by and construed in accordance with the laws of Victoria, Australia. Any legal proceedings shall be brought in the courts of Victoria, Australia.

---

15. Contact

• Developer Support: dev.flowsta.com/support
• Privacy: privacy@flowsta.com
• Legal: legal@flowsta.com
• Billing: billing@flowsta.com
• Sales: sales@flowsta.com

---

Changes to This Agreement

We may update this Agreement from time to time. We will notify you of material changes via:

• Email notification (60 days advance notice)
• Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Agreement.