Sign It by Flowsta
Sign your work.
Prove it's yours.
Sign any file. Anyone can verify it's yours. No accounts required, no servers storing your work, no platform owns it.
Built for artists, photographers, writers, businesses, and developers.
Powered by Holochain — no central database, no blockchain gas fees, no vendor lock-in.
Find your fit
Who are you?
Tap the one that fits — we'll show you exactly how Sign It helps.
For Artists
Protect your art from unauthorised use
Worried AI scrapers, NFT minters, or content thieves will take your work and claim it as their own? Sign It gives you a public, verifiable record that proves authorship and declares exactly how your work can be used.
Declare exactly how your work can be used.
License, commercial availability, AI training policy, contact preference — every signature carries machine-readable rights that anyone (including AI pipelines) can check before using your work.
Prove you made it first
Every signature is timestamped and recorded publicly. If someone copies your work later, the timeline is on your side.
Tell AI to back off
Declare your AI training policy in the signature itself. Anyone — including AI companies — can read it before using your work.
License on your terms
Pick a Creative Commons or custom license. Allow contact for commercial use without exposing your email.
For Photographers
Stake your claim on every photo you shoot
Sign every file straight out of your editor. Sell prints, license commercially, or release as personal-use only — your terms travel with the file.
Find your photos in the wild
Sign It uses perceptual hashing — even cropped, resized, or recompressed copies can be linked back to your original.
Commercial inquiries, no spam
Anyone wanting to license your photo can contact you through Flowsta. Your email stays private.
Multi-shooter projects
Multiple photographers can sign the same file. Wedding shoots, agency work, collaborations — every contributor on the record.
Shooting RAWs? Flowsta Vault signs files up to 10 GB and runs locally — right-click straight from your file manager, no upload required.
For Writers, Musicians & Filmmakers
Lock in your authorship from the first draft
Manuscripts, demos, scripts, edits — sign every version as you go. Build a verifiable trail of authorship that holds up long after publication.
Version-by-version proof
Sign drafts, edits and final cuts. Every version timestamped, every contributor identifiable.
Disclose AI use upfront
Declare whether your work is human-only, AI-assisted, or AI-generated. Transparency builds trust with your audience.
Co-author signatures
Co-writers, producers, editors — everyone on the project can sign the same file. Credits become verifiable.
Editing big project files or long audio? Flowsta Vault signs files up to 10 GB locally — right-click from your file manager, no upload required.
For Business Documents
Sign contracts and approvals — no platform lock-in
Contracts, NDAs, statements of work, board resolutions. Sign It records who signed what and when, on a public ledger nobody can quietly edit.
Multi-party signing
Counter-parties sign the same document. All signatures appear on the same verification page — no chasing PDFs around inboxes.
No vendor between you
Signatures live on a distributed network, not a SaaS database. No subscription cancellation can erase your records.
Tamper-evident
Edit a signed document and the signature breaks. Anyone can verify the file matches what was originally signed.
Verify
Check a File
Drop any file to check if it has been signed. For exact matches, the file is hashed in your browser. For similar file detection, the file is sent to the server for fingerprinting and immediately discarded.
Drop a file here to verify
or click to choose a file
How It Works
Three Steps
Step 1
Sign your file
Drop a file into Flowsta Vault on your desktop, or sign from your dashboard at flowsta.com. Your file is hashed locally and signed with your private key.
Step 2
Stored on DHT
Your signature, metadata, and content rights are committed to a public Holochain DHT. No central server — distributed across the network.
Step 3
Verify anywhere
Anyone can drop the file on this page to check signatures. The file is hashed in the browser — nothing is uploaded. Free, forever.
Features
More Than a Signature
Content Rights
Declare your license, commercial availability, and AI training policy. A machine-readable rights manifest backed by cryptographic proof.
AI Disclosure
Declare whether content was human-created, AI-assisted, or AI-generated. Transparent, verifiable, and attached to the signature.
Integrity Checks
Before signing, Vault scans your file for hidden content — steganography, appended data, invisible Unicode. Results are recorded in the signature.
Multi-Signer
Multiple people can sign the same file. Contracts, approvals, attestations — all parties visible on one verification page.
What else you get
The small print nobody else offers
Find your work in the wild
Perceptual matching catches resized, cropped, recoloured, recompressed and re-encoded copies — not just exact files. Photographers and artists can spot stolen work even after it's been edited.
Public creator pages
Every signer gets a public profile listing all their signed work. Use it as a verifiable portfolio — proof of authorship across your whole catalogue, in one link.
Private contact relay
Anyone interested in licensing or commissioning your work can message you through Flowsta. Your email address is never exposed — they reach you, you decide whether to reply.
Free verification, forever
Anyone can drop a file on our verification page to check signatures — no account, no signup. Up to 30 lookups a minute per IP, plenty for typical audience-validation.
Bulk signing in the dashboard
Drop dozens of files at once into your Flowsta dashboard. Sign a whole shoot, an album, a portfolio drop, a release batch — one batch, full content rights applied to every file.
Right-click to Sign It
Use Flowsta Vault and you can sign any file straight from your OS file manager. Right-click, choose "Sign It with Flowsta Vault," and the file lands in Vault ready to sign — Linux, macOS, Windows.
Get Flowsta Vault →Sign files up to 10 GB
Flowsta Vault signs huge files locally — no upload, no size limit dance. RAWs, long-form audio, video edits, project bundles — sign without leaving your machine.
Get Flowsta Vault →Outlives any platform
Signatures are recorded on a public Holochain DHT, replicated across many nodes. Even if Flowsta itself disappeared tomorrow, your signatures and proofs of authorship would still be verifiable.
For Developers
Add Sign It to your app
OAuth scope, JS SDK, webhooks for sign and revoke events. Drop signing into your platform in an afternoon.
OAuth + JS SDK
Request the sign scope. Call flowstaAuth.sign(file). Done.
Webhooks
Subscribe to sign.created and sign.revoked events. HMAC-signed payloads.
Public verify API
Free, unauthenticated endpoint. Verify signatures from your own backend or browser.
Why Sign It
How it compares to the alternatives
Most provenance tools embed credentials inside your file. The problem: nearly every platform strips metadata on upload — Instagram, X, WhatsApp, most CMSes. Your proof of authorship disappears silently. Sign It stores nothing in your file. The signature lives on a distributed network, indexed by hash. Strip whatever you like — the proof remains.
| Sign It | C2PA / Adobe | Blockchain NFT | DocuSign | |
|---|---|---|---|---|
| Cost per signature | Free / paid plans | Tied to Adobe | Gas fees ($1-$50+) | Paid only |
| File hosting | Not stored anywhere | Embedded in file | IPFS/centralised | On their servers |
| Open ecosystem | Yes — anyone can verify | Adobe-led standard | Chain-specific | Vendor lock-in |
| AI training disclosure | Built in | Partial | No | No |
| Multi-signer | Yes | Yes | No (1 mint) | Yes |
| Revocable | Yes | No | No (immutable) | Limited |
| Privacy on verify | Hashed in browser (file only sent for similar-match, then discarded) | Local | Public chain | Server-side |
| Works offline | Yes (Vault) | Yes | No | No |
| Survives metadata stripping | Yes — signature is on the network, not in the file | No — most platforms strip it on upload | N/A | N/A |
| Survives vendor shutdown | Yes — DHT + recovery phrase | No — Adobe Verify required | Depends on chain | No |
| Verifies actual file content | Yes — SHA-256 hash of the file | Yes | No — token points to a URL | No — verifies identity only |
| Finds modified copies | Yes — perceptual fingerprint on DHT | No | No | No |
Comparison reflects typical use cases. Each tool serves valid but different needs.
Built on Holochain
Why this has never existed before
No central database
Your signatures live on a peer-to-peer Holochain DHT. There is no "Flowsta signatures server" that can be seized, subpoenaed, or shut down.
Nothing embedded in your file
Unlike metadata-based solutions, Sign It doesn't touch your file at all. Upload it anywhere, compress it, strip the EXIF — the signature is still verifiable by anyone with the hash.
No gas fees. No tokens. No wallet.
Holochain is agent-centric — each user has their own source chain. Signing costs fractions of a cent to replicate. We pass that on as a free tier.
Survives us
If Flowsta ceased to exist, your signatures would remain verifiable on the DHT. Your 24-word recovery phrase lets you keep signing from any compatible conductor. This isn't a promise — it's how the architecture works.
Finds your work even when it's been changed
Someone crops your photo, recompresses it, or rips your audio to a different format. The exact hash changes — but Sign It's perceptual fingerprinting can still match it back to your original signed work. The fingerprint is stored on the DHT alongside your signature, so modified copies are discoverable by anyone.
Not an NFT
NFTs promised "prove you own a thing" but delivered speculation, wallets, and URLs pointing to JPEGs on someone else's server. Sign It is cryptographic proof tied to actual file content — verified against the SHA-256 hash, not a token on a marketplace.
Built in Australia
Flowsta is a small team focused on user-owned identity infrastructure. We don't sell data, don't run ads, and don't take venture capital that conflicts with user interests.
Anyone can verify. No account needed.
Verification is free, unlimited, and requires no login — drop a file or query the API. Most signing services lock verification behind accounts or paid plans. Proof of authorship is only useful if anyone can check it.
For AI Companies & Platforms
Check before you train
Query any file's declared rights with a single API call — no key, no account required.
GET https://auth-api.flowsta.com/api/v1/sign-it/content-rights?hash=<sha256>Respect declared rights
If the creator set ai_training: NotAllowed, skip it. If they're open to licensing, contact them through our blind relay.
Open schema
The content-rights field set is open — no proprietary format, no API key, no license fee. We want every provenance tool to use the same fields.
Pipeline-friendly
JSON response, 5-minute CDN cache, edge-cacheable. Safe for checking millions of files without flooding the API.
Questions
Frequently asked
Is my file uploaded when I verify?
Your file is hashed in your browser with SHA-256, and we look for an exact match using just that hash. If no exact match is found, the file is briefly sent to our server to compute a perceptual fingerprint (which finds resized, cropped, or recompressed copies of signed work), then immediately discarded. The bytes of your file are never stored.
Where are signatures stored?
On a public Holochain DHT — a distributed hash table maintained by a network of nodes. There's no central server we could shut down, no database we could lose. Signatures are replicated across the network and can be verified by anyone.
Why not blockchain?
No gas fees, no per-transaction cost, no token speculation, no environmental footprint. Holochain is agent-centric — each user has their own chain — making per-action cost effectively zero. We didn't want signing your own work to require buying crypto.
How is Sign It different from NFTs?
With NFTs you mint a token on a public blockchain, the token is the thing you own, and the file itself usually lives somewhere else — a URL, an IPFS hash.
Sign It comes at it from the other end. When you sign a file, the hash, your signature, and a timestamp go on a public Holochain DHT. The file never has to leave your device — no IPFS, no public mirror, nothing. That record alone is a strong cryptographic claim: "this person made this, on this date, before anyone else." Which is what ownership actually means before trading gets layered on top.
Sign It also uses perceptual hashing alongside cryptographic hashing, which means modification doesn't break the proof. If someone takes your image and crops it, re-encodes it, or trims and remixes your audio and tries to claim it as theirs, your original signature can still be matched against the derivative.
NFTs went straight at tradeability. Sign It is built around proving you made something first — which is why the right time to sign something is before anything goes online, not after.
What happens if I lose my recovery phrase?
Your account can't be recovered — that's the cost of true zero-knowledge. Your existing signatures stay on the DHT (they're already public), but you won't be able to sign new files as the same identity. Back up your 24-word recovery phrase somewhere safe.
Can I revoke a signature?
Yes. Revocation is a separate signed entry that any verifier sees alongside the original. Useful if you signed something by mistake, or if you withdraw consent. The original signature stays visible — revocation is a public statement, not a deletion.
What file types are supported?
Any file. Sign It works on the SHA-256 hash, so it doesn't care if it's an image, video, PDF, .zip, source code, or anything else. Perceptual hashing (for similar-file detection) currently covers images, audio and video.
How does similar-file detection work?
When you sign an image, audio, or video file, Sign It computes a perceptual fingerprint — a compact representation of what the content looks or sounds like, not the exact bytes. This fingerprint is split into bands and stored on the Holochain DHT alongside your signature.
When someone verifies a file that has no exact SHA-256 match, Sign It computes the fingerprint of the uploaded file and searches the DHT for similar bands. This means cropped, resized, recompressed, or format-converted copies of your signed work can still be matched back to your original signature.
For images this uses perceptual hashing (pHash). For audio it uses Chromaprint (the same algorithm Shazam-style services use). For video it uses frame-sampled perceptual hashing. The file is sent to the server only for fingerprinting, and is immediately discarded — we never store it.
What's the cryptography under the hood?
Ed25519 signatures (the same scheme used by SSH, Signal, and Holochain itself). Keys are generated from your 24-word recovery phrase via HMAC-SHA256 derivation. Vault holds your private key; the public key is your identity on the network.
How does multi-signer work?
Each signer creates their own signature on the same file hash. All signatures show up on the same verification page. There's no 'document owner' coordinating signers — anyone with the file can add their signature at any time.
Can someone fake my signature?
Only if they have your private key (or your recovery phrase). The signature is cryptographically tied to your public key — anyone who finds someone else's public key can verify their signatures, but only the holder of the matching private key can create new ones.
What does it cost?
Free for Verify (always). Free tier for signing includes 2 signatures per month for individuals, 250 per month per developer org. Paid tiers scale up — see Premium pricing for individuals or Developer pricing for orgs.
Can I show a signature badge on my own website?
Yes. Drop this two-line snippet into any page, replacing the hash with your file's SHA-256:<div data-flowsta-hash="abc123..."></div>
<script src="https://flowsta.com/sign-it/widget.js" async></script>It renders a card showing signer, timestamp, and content rights. Light and dark themes auto-detect. Full reference: Badge & Widget docs.
How do AI training pipelines check a file's rights?
Any signed file exposes a machine-readable rights endpoint:GET https://auth-api.flowsta.com/api/v1/sign-it/content-rights?hash=<sha256>It returns the signer-declared license, AI-training policy, commercial-licensing stance, and contact preference as JSON. If the signer set ai_training: NotAllowed, pipelines should skip the file. Most restrictive policy wins when multiple signers disagree. Full spec: Content Rights API.
Want to see how easy it is to start signing?
Sign in at flowsta.com
Click Sign It on the Dashboard
Drag and drop your file
Click Sign
It's that easy.