What is Expanso and how does it work?

Expanso is a managed platform for deploying intelligent data pipelines at the edge. It processes data where it's generated - reducing bandwidth, latency, and costs. You deploy lightweight agents on your infrastructure, build pipelines using our visual builder or YAML, and control everything from a central SaaS platform.

Can I run AI/ML models directly in my data pipelines?

Yes! Expanso supports running ONNX, TensorFlow Lite, and other models as native pipeline steps. Execute low-latency inference on streaming data, enrich events with model outputs (like risk scores), and make decisions at the edge without cloud round-trips.

How many pre-built components are available?

Expanso provides 200+ pre-built components including inputs (Kafka, HTTP, files), processors (transformations, filtering, PII masking, aggregations), and outputs (S3, Snowflake, Datadog, Splunk). Browse the complete catalog in our Component Reference.

Do I need to write code to build pipelines?

No - use our drag-and-drop visual pipeline builder to create sophisticated pipelines without code. For advanced use cases, you can also write pipelines in YAML or use the Bloblang transformation language for complex data mappings.

How does Expanso help with data governance and compliance?

Expanso includes built-in governance features: automatic PII detection and masking, policy enforcement at the edge, RBAC, SSO integration, and comprehensive audit trails. Mask sensitive data before it ever leaves your network.

api.GetNodeResponse

node object

idstring

ID is the unique identifier for the node

identity object

Identity holds the cryptographic and provenance fields populated at enrollment. Nil until the node has been enrolled or migrated.

credential_valid_untilstring

CredentialValidUntil is the wall-clock deadline after which the enrollment credential is no longer trusted. Enforced at every credential-issuance check. Zero value means no expiry (e.g. legacy bootstrap-token enrollments retained for backward compatibility).

enrolled_atstring

EnrolledAt is when the identity row was first written.

enrolled_bystring

EnrolledBy identifies the principal that triggered enrollment when applicable (e.g. the operator who minted a bootstrap token, formatted as "user:"). Empty for fully self-service enrollments such as customer OIDC or cloud attestation.

enrollment_claimsinteger[]

EnrollmentClaims is the verifier-specific JSON of attributes extracted from the credential at enrollment, preserved as raw bytes so claim shape remains source-faithful for audit and downstream policy.

enrollment_identity_uristring

EnrollmentIdentityURI is the canonical identity string extracted from the verified credential at enrollment (e.g. an x509 SAN, an OIDC sub claim, a cloud instance ARN). Used to detect identity drift on refresh.

enrollment_source_idstring

EnrollmentSourceID is a logical reference to the trust-anchor record that authorized this enrollment. Empty for bootstrap_token enrollments, which carry no anchor.

enrollment_source_typetypes.EnrollmentSourceType (string)

EnrollmentSourceType identifies the trust authority that validated the node at enrollment (e.g. bootstrap_token, x509_ca, oidc_issuer).

Possible values: [bootstrap_token, x509_ca, oidc_issuer, aws_iid, gcp_iit, azure_msi, tpm_ek, spire_bundle]

last_revocation_check_atstring

LastRevocationCheckAt is the timestamp of the most recent successful poll against the source's revocation mechanism (CRL/OCSP for x509, JWKS-availability for OIDC). Zero value means the source has no explicit revocation channel or has never been polled.

public_keyinteger[]

PublicKey is the node's locally-generated Ed25519 public key (32 bytes raw). The matching private key never leaves the node and is used to sign proof-of-possession on credential requests.

public_key_fingerprintstring

PublicKeyFingerprint is the lowercase hex SHA-256 of PublicKey, indexed for fast lookup. Set whenever PublicKey is set.

statustypes.NodeIdentityStatus (string)

Status is the lifecycle state of this identity binding (active, suspended, or revoked). See NodeIdentityStatus for transition rules.

Possible values: [active, suspended, revoked]

status_changed_atstring

StatusChangedAt is when Status was last updated.

status_changed_bystring

StatusChangedBy identifies the actor that drove the most recent status change (e.g. "user:" for an admin action, "system:revocation-poller" for an automated transition).

spec object

Spec contains the desired configuration and capabilities of the node

agent_versionstring

AgentVersion is the version of the agent software running on the node

archstring

Arch is the CPU architecture (amd64, arm64)

capabilities object

Capabilities defines what this node can do

inputsstring[]

Inputs are the data input types the node can handle (e.g., "syslog", "beats")

outputsstring[]

Outputs are the data output types the node can send to (e.g., "elasticsearch", "s3")

processorsstring[]

Processors are the data processors available (e.g., "grok", "json")

runtimesstring[]

Runtimes are the execution runtimes available (e.g., "docker", "wasm")

hardware_fingerprintstring

HardwareFingerprint is a unique identifier for the hardware configuration

hostnamestring

Hostname is the network hostname of the node

labels object

Labels are key-value pairs for node selection and filtering

property name*string

namestring

Name is the human-readable name of the node

osstring

OS is the operating system (linux, windows, darwin)

status object

Status contains system-managed fields for the node

connected_sincestring

ConnectedSince is when the node connected in the current session

connection_statetypes.NodeConnectionState (string)

ConnectionState is the current connection state of the node

Possible values: [disconnected, connecting, connected, lost, deleted]

created_atstring

CreatedAt is when the node was first registered

disconnected_sincestring

DisconnectedSince is when the node last disconnected

last_heartbeatstring

LastHeartbeat is when the last heartbeat was received

messagestring

Message provides additional context about the current state

resource_usage object

ResourceUsage contains the current resource usage metrics (updated with each heartbeat)

cpu_percentnumber

CPUPercent is the CPU usage percentage (0-100)

disk_capacity_bytesinteger

DiskCapacityBytes is the total disk capacity in bytes

disk_percentnumber

DiskPercent is the disk usage percentage (0-100)

disk_used_bytesinteger

DiskUsedBytes is the disk space used in bytes

memory_capacity_bytesinteger

MemoryCapacityBytes is the total available memory in bytes

memory_percentnumber

MemoryPercent is the memory usage percentage (0-100)

memory_used_bytesinteger

MemoryUsedBytes is the memory currently in use in bytes

revisioninteger

Revision is incremented on each update for optimistic concurrency control

session_idstring

SessionID uniquely identifies the current connection session

updated_atstring

UpdatedAt is when the node was last updated

api.GetNodeResponse
{
  "node": {
    "id": "node-edge-us-west-01",
    "spec": {
      "agent_version": "1.2.0",
      "arch": "amd64",
      "hardware_fingerprint": "hw-abc123",
      "hostname": "edge01.example.com",
      "labels": {
        "env": "production",
        "gpu": "nvidia-t4",
        "region": "us-west",
        "role": "app-server"
      },
      "name": "edge-us-west-01",
      "os": "linux"
    },
    "status": {
      "connected_since": "2025-01-15T10:00:00Z",
      "connection_state": "connected",
      "created_at": "2025-01-10T08:00:00Z",
      "last_heartbeat": "2025-01-15T12:45:30Z",
      "message": "Healthy",
      "resource_usage": {
        "cpu_percent": 45.5,
        "disk_capacity_bytes": 536870912000,
        "disk_percent": 20,
        "disk_used_bytes": 107374182400,
        "memory_capacity_bytes": 17179869184,
        "memory_percent": 25,
        "memory_used_bytes": 4294967296
      },
      "revision": 42,
      "session_id": "sess-xyz789",
      "updated_at": "2025-01-15T12:45:30Z"
    }
  }
}