Flowly Cloud is an optional hosted account that layers cross-device apps, sync, and a managed relay on top of the open-source agent. None of it is required to use Flowly.
without a Flowly account. Bring your own LLM key (BYOK), point it at a provider, and run the gateway on your own machine. Signing in only adds the hosted features described below β it never gates the core agent, tools, channels, or memory.
Self-host vs Cloud
Flowly's agent core is Apache 2.0. You can run it on a laptop, a VPS, or a Mac mini with your own keys and your own data β no account, no relay, no sign-in.
| Self-host (OSS, BYOK) | Flowly Cloud (optional) | |
|---|---|---|
| LLM provider | Your own key (OpenRouter, Anthropic, OpenAI, Gemini, Groq, xAI, Zhipu, vLLM, β¦) | Hosted flowly provider β no API key required |
| Reach | Terminal, Telegram, Discord, Slack, Teams, email, voice | All of those plus browser extension and Mac / iOS / Android apps |
| Cross-device sync | β | Conversations sync across your devices |
| Relay | β | Managed relay so your bot stays reachable when your laptop sleeps |
| Account | None needed | Flowly account (OAuth sign-in) |
The hosted flowly provider is just another entry in the provider list β see Providers & models. When you sign in, Flowly can set it as your default LLM so you can start chatting with zero key configuration.
Signing in β flowly login
flowly loginOn a fresh machine this runs a device-code OAuth flow:
- Flowly requests a device code from the backend and prints a one-click authorization URL (with the code and your device name pre-filled).
- Your browser opens that URL. Once you approve, the CLI polls until the backend reports
authorized(the device code expires after a few minutes). - Flowly exchanges the result for account tokens and saves them locally.
- It then asks whether to make this bot reachable remotely (from your phone or other devices). This is opt-in β the default is no. Accept and Flowly registers this machine with the backend and wires the relay credentials into your gateway config (see below); decline and sign-in simply stores your account, leaving the gateway local-only. Use
--relay/--no-relayto answer without the prompt. (A non-interactive shell keeps the legacy behavior of wiring the relay automatically.)
If you are already signed in and everything is healthy, flowly login is a no-op that prints your account email. If your tokens are present but the relay config is incomplete (e.g. someone edited config.json), it does not silently change anything β it tells you to run flowly login --repair.
Flags
| Flag | What it does |
|---|---|
--no-browser | Prints the authorization URL instead of trying to open a browser automatically. Useful over SSH or on headless machines. |
--repair | Re-registers the machine and re-writes the relay config using the tokens already on disk β no browser, no OAuth. Use it when sign-in succeeded but the relay wiring is broken. Exits non-zero if the saved token can't be refreshed (run a full flowly login to recover). |
--repair --dry-run | Prints exactly what --repair would change without writing anything to config, keychain, or the backend. |
--key <flw_β¦> | Sign in with a Flowly account key you already have (e.g. from the Desktop app) β sets the flowly provider, with no server record, no relay, and no browser. |
--relay / --no-relay | Skip the interactive prompt and force remote/phone reach (server registration + relay) on or off. |
0600 file at ~/.flowly/credentials/account.json. The id token is refreshed automatically before it expires.
What signing in registers β your machine
Flowly identifies your machine with a stable machineId. It reuses the same identifier the Flowly Desktop app writes (a UUID at the desktop app's data path), so the same physical machine de-duplicates to a single server entry across Desktop and CLI installs. If that path isn't writable, it falls back to a hash of the hardware UUID.
When you opt into remote reach (above), Flowly calls the backend to get-or-create a server for this machine:
- The call is idempotent β the same
machineIdalways maps to the sameserverId. Logging in repeatedly never creates duplicate servers. - The backend returns a
serverIdand agatewayAuthToken(and a JWT secret). These are the credentials your gateway uses to reach the relay.
These are then written into your gateway config under channels.web.
What Cloud adds
Grounded in the README and the bot code, signing in adds:
- Apps & extension β a browser extension and Mac / iOS / Android apps reach your agent through the relay.
- Cross-device sync β conversations flow through the relay into the hosted store, so the same chat shows up on every signed-in device.
- Hosted LLM β the
flowlyprovider lets you run without supplying your own API key. - Managed relay β your self-hosted gateway dials out to a relay, so clients can reach it without exposing an inbound port, SSH tunnel, or public IP β and your bot stays reachable when your laptop is asleep (when the gateway runs as a background service).
useflowlyapp.com for current Cloud offerings.
How the relay works
The relay is an outbound WebSocket. Your gateway connects to the relay (the way a Telegram bot polls Telegram), so there's nothing inbound to open. Clients (browser, desktop, iOS) connect to the relay and their messages are routed through your gateway's connection.
After flowly login, your config's web channel is wired:
{
"channels": {
"web": {
"enabled": true,
"serverId": "<from registration>",
"authToken": "<gatewayAuthToken>",
"jwtSecret": "<signing secret>",
"relayUrl": "wss://relay.useflowlyapp.com/relay"
}
}
}On the next gateway start, the web channel:
- Reads
serverId,authToken(thegatewayAuthToken),jwtSecret, andrelayUrlfrom config. - Builds a short-lived agent JWT (HS256) with claims
type: "agent",serverId,gatewayAuthToken,iss: "flowly",aud: "moltbot-proxy", valid for 24 hours. - Connects outbound to the relay URL with that token and reconnects automatically with backoff if dropped.
- Receives chat messages forwarded from clients, runs the agent, and streams responses back through the same connection. Outbound replies that can't be sent (transient drops) are queued and replayed on reconnect.
This is the mechanism behind iOS / desktop / browser access β clients talk to the relay, the relay routes to your gateway over this connection. For the channel-level detail, see Web (Flowly Cloud relay).
relayUrl yourself, Flowly preserves it across logins and only backfills the default when the field is empty.
How a message flows
Your iOS / desktop / browser client
β (Firebase JWT)
βΌ
Flowly relay (wss://relay.useflowlyapp.com/relay)
β (routed over your gateway's outbound WebSocket)
βΌ
Your self-hosted Flowly gateway
β
βΌ
Agent loop β your LLM provider (hosted flowly or BYOK)
β
βΌ (response streams back the same path)
Relay β clientSigning out β flowly logout
flowly logoutLogout performs three clean-ups and prints what it cleared:
- Keychain tokens β removes the account tokens (id token, refresh token,
gatewayAuthToken) from the keychain and any legacy file. channels.webrelay config β setsenabledtofalseand clearsserverId,authToken, andjwtSecret. This disables iOS / desktop relay access; without it the gateway would keep dialing the relay with revoked credentials.providers.activeβ cleared only if it currently points atflowly. Your BYOK provider keys are preserved, and the provider cascade resumes. (If your default was a BYOK provider, this is left untouched.)
flowly logout is idempotent β if you're not signed in it just says so.
flowly gateway so it stops trying to authenticate to the relay with the now-revoked credentials.
Relationship to pairing
Opting into remote reach at sign-in pairs this machine for app access: registration binds the machine to a serverId, and the wired relay credentials are what let your iOS / desktop / browser clients reach the gateway. (Sign in without remote reach and none of this is provisioned β the gateway stays local-only.) This is distinct from per-channel pairing for Telegram / WhatsApp / Discord / Slack (the flowly pairing commands), which authorizes individual chat users on a messaging channel rather than a device for relay access.
Privacy & data
- Without an account, nothing leaves your machine except the LLM API calls you make with your own key, to your chosen provider.
- With Flowly Cloud, conversations routed through the relay flow to the hosted store to enable cross-device sync. Account tokens, relay tokens, and gateway tokens are credential material β keep them private. Use them via official Flowly clients (the Acceptable Use Policy governs Cloud credentials).
- Self-hosted use with your own LLM keys is unrestricted.
Related
- Web (Flowly Cloud relay) β the channel-level detail of the relay WebSocket.
- Providers & models β the hosted
flowlyprovider and BYOK alternatives.