types.AdminAuthConfig

actor_claim (string)

ActorClaim names the JWT claim carrying the human-operator identity to attach to the request context for audit. Empty means the middleware uses its default ("email").

audience (string)

Audience is the required aud claim value. Distinct from the UI JWT audience (urn:expanso:orchestrator); admin tokens carry urn:expanso:orchestrator-admin so a UI-scoped token cannot be replayed against an admin route.

clock_skew (integer<int64>)

ClockSkew is the tolerance applied to iat/nbf/exp validation. Zero means the middleware uses its default (60s).

Possible values: [-9223372036854776000, 9223372036854776000, 1, 1000, 1000000, 1000000000, 60000000000, 3600000000000] (the value is a Go time.Duration in nanoseconds; this list is the schema generator's enumeration of the Duration constants, from the minimum and maximum int64 through Nanosecond, Microsecond, Millisecond, Second, Minute and Hour, and is not an exhaustive set of accepted values)

enabled (boolean)

Enabled gates registration of admin-protected routes. When false (the zero value), routes that require admin auth refuse to register; the orchestrator still serves its UI, NATS, and OTel surfaces.

issuer (string)

Issuer is the required iss claim value. Typically the web-api's hostname (e.g. "https://app.expanso.io").

max_body_bytes (integer)

MaxBodyBytes caps the request body size the middleware will buffer for ath verification. Zero means the middleware uses its default (64 KiB).

pubkey_paths (string[])

PubKeyPaths is the SET of PEM files holding ES256 public keys the orchestrator accepts for admin JWT signatures. A token verifies if its signature matches ANY key in the set.

require_ath (boolean)

RequireATH controls whether the middleware enforces the ath claim (base64url-encoded SHA-256 of the request body). True by default per the design — admin tokens MUST be payload-bound to prevent replay against a different payload. Pointer type so the zero value (nil) means "default to enforce" rather than "silently off."
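The payload binding described for require_ath and the buffering limit from max_body_bytes, as an added Go example that is not the orchestrator's own middleware: it computes the ath value (unpadded base64url of the body's SHA-256), applies the 64 KiB default when max_body_bytes is zero, treats a nil require_ath as "enforce", and rejects a token presented against a different payload. AdminAuthConfig here is a local stand-in for the two relevant fields of types.AdminAuthConfig.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"io"
)

// AdminAuthConfig is a local stand-in for the two types.AdminAuthConfig fields used here.
type AdminAuthConfig struct {
	MaxBodyBytes int64 // 0 => documented default of 64 KiB
	RequireATH   *bool // nil => default to enforce
}

var (
	ErrBodyTooLarge = errors.New("request body exceeds max_body_bytes")
	ErrATHMismatch  = errors.New("ath claim missing or does not match request body")
)

// ComputeATH returns the unpadded base64url SHA-256 of body: the ath value that binds a token to that payload.
func ComputeATH(body []byte) string {
	sum := sha256.Sum256(body)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyATH buffers at most max_body_bytes of r (one extra byte is read to detect oversize
// bodies), checks the token's ath claim against it, and returns the body for the handler.
func VerifyATH(cfg AdminAuthConfig, athClaim string, r io.Reader) ([]byte, error) {
	limit := cfg.MaxBodyBytes
	if limit <= 0 {
		limit = 64 * 1024
	}
	body, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > limit {
		return nil, ErrBodyTooLarge
	}
	if cfg.RequireATH != nil && !*cfg.RequireATH {
		return body, nil // enforcement explicitly switched off
	}
	if subtle.ConstantTimeCompare([]byte(athClaim), []byte(ComputeATH(body))) != 1 {
		return nil, ErrATHMismatch // an empty claim never matches a real digest
	}
	return body, nil
}
```

Signature, iss, aud and clock-skew checks on the token itself are assumed to have run before this step; only the body binding is shown.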

types.AdminAuthConfig (schema example)
{
  "actor_claim": "string",
  "audience": "string",
  "clock_skew": -9223372036854776000,
  "enabled": true,
  "issuer": "string",
  "max_body_bytes": 0,
  "pubkey_paths": [
    "string"
  ],
  "require_ath": true
}