Developer Agreement

Effective Date: December 12, 2025
Last Updated: January 5, 2025


1. Agreement Overview

This agreement covers API usage, SDK licensing, billing, and support for developers using Flowsta Auth.


2. Developer Account

Eligibility

  • 18+ years old
  • Authority to bind your organization
  • Compliance with applicable laws

Organizations

  • New accounts automatically create a personal organization (Free tier)
  • Subscriptions and billing belong to organizations, not individual users
  • Users can belong to multiple organizations with different roles
  • Roles: Owner (full control), Admin (manage team/apps), Member (view access)

Security

  • You are responsible for API key security
  • Rotate keys if compromised
  • Notify us of unauthorized access

3. API Access & License

We Grant You

  • Non-exclusive license to use Flowsta Auth API
  • OAuth 2.0 + PKCE authentication (no client secrets required)
  • Right to integrate into your applications
  • Use of SDKs (MIT license)

You May NOT

  • Reverse engineer the API
  • Circumvent rate limits
  • Resell API access without authorization
  • Create a competing identity service

4. Rate Limits & Pricing

Tier        Price         MAUs     Apps       Team       API Rate
Free        $0/mo         10,000   3          1          10/sec, 10K/day
Starter     $29/mo        30,000   10         1          25/sec, unlimited
Pro         $99/mo        150,000  25         5          100/sec, unlimited
Enterprise  From $299/mo  Custom   Unlimited  Unlimited  Custom

5. Billing

Calendar Month Billing

  • All subscriptions charged on the 1st of each month
  • First month is pro-rated (days remaining ÷ days in month)

Example:

  • Sign up on January 15th for Starter ($29/mo)
  • January charge: $29 × (16/31) = $14.97 (pro-rated)
  • February 1st charge: $29.00 (full month)
  • All future charges: 1st of each month

Payment

  • Via Stripe
  • Auto-renewal unless cancelled
  • 3-day grace period for failed payments

Cancellation

  • Cancel anytime via dashboard
  • Service continues until end of billing period
  • No refunds for partial months

Downgrades

  • Take effect on 1st of next month
  • Keep current features until then

6. Monthly Active Users (MAU)

Definition

A unique user who authenticates during a calendar month.

Zero-Knowledge MAU Tracking

  • We use random analytics_id (not user ID or DID)
  • You see aggregate counts only
  • You cannot identify individual users from MAU data
  • Same user across multiple apps = 1 billable MAU

Billing

  • "Billable MAU" = unique users across all your apps
  • "Total App Usage" = total logins (informational only)
  • You're billed on Billable MAU

7. Support & SLA

Tier        Support    Response Time  Uptime SLA
Free        Community  Best effort    None
Starter     Email      48 hours       99.5%
Pro         Email      24 hours       99.9%
Business    Priority   12 hours       99.9%
Enterprise  Dedicated  Custom         99.99%

Downtime Credits (Paid Tiers)

  • 99.9% - 99.0%: 10% credit
  • 99.0% - 95.0%: 25% credit
  • Below 95.0%: 50% credit

8. SDK & Open Source

SDK 2.0 (@flowsta/auth) - MIT License

  • OAuth-only authentication with PKCE
  • No client secrets required
  • Use in commercial projects
  • Modify source code

Holochain SDK (@flowsta/holochain) - MIT License

  • Optional Holochain signing integration
  • Sign actions on behalf of users (with permission)
  • Sign raw bytes for custom use cases

You Must:

  • Preserve copyright notices
  • Include license file

9. Holochain Signing Service (Optional)

An optional service that allows your app to request cryptographic signatures using users' Flowsta agent keys.

How It Works

  • Request the holochain:sign OAuth scope
  • Users see a special consent screen (marked as sensitive permission)
  • If approved, you can request signatures via API
  • Users' private keys never leave Flowsta - you receive only signatures

Use Cases

  • Holochain apps: Sign actions without running your own conductor
  • Non-Holochain apps: Document signing, audit trails, multi-party workflows

Your Responsibilities

  • Only request holochain:sign if your app needs it
  • Clearly explain why signing permission is needed
  • Provide a reason parameter when signing (shown in user's audit log)
  • Handle permission revocation gracefully

Learn more: docs.flowsta.com/holochain/signing-service


10. Acceptable Use

You May NOT

  • Abuse API or exceed rate limits
  • Use for illegal purposes
  • Store end user passwords
  • Share end user data without consent
  • Use for CSAM or violence threats
  • Use signing service to sign illegal content

Your Obligations

  • Have your own privacy policy
  • Inform users Flowsta is used
  • Obtain user consent
  • Handle user data requests
  • If using signing service: clearly explain why signing permission is needed

11. End User Data

Data Flow

End Users → OAuth Login → Flowsta → Your Callback

What You Receive (via OAuth profile scope)

  • DID, display name, username, profile picture, agent key
  • Email (if user consents and email scope requested)

What You DON'T Receive

  • Passwords (we don't have them)
  • Activity logs (stored in user's Holochain)
  • IP addresses (we don't collect them)

Your Responsibilities

  • Secure JWT tokens
  • Use HTTPS only
  • Implement proper session management
  • Comply with GDPR/CCPA

12. Termination

By You

Cancel anytime, export data first

By Us

  • For material breach (immediate)
  • For any reason (30 days notice)

Effect

  • API keys revoked
  • Data available for export (30 days)
  • Outstanding fees due

13. Liability

Maximum Liability

  • Free: $100
  • Paid: Fees paid in past 12 months
  • Enterprise: Per contract

Not Liable For

  • Indirect damages
  • Third-party claims
  • Force majeure

14. Contact


Changes to This Agreement

We may update this Agreement from time to time. We will notify you of material changes via:

  • Email notification (60 days advance notice)
  • Notice on this page

Continued use of Flowsta after changes constitutes acceptance of the new Agreement.