
types.APIConfig

auth object

Auth configures authentication for the API

jwt object

JWT/OIDC auth

audience string

Audience is the expected 'aud' claim in JWTs. Defaults to "urn:expanso:orchestrator" if not set. Set to empty string explicitly to disable audience validation.

issuer string

Issuer URL, required to enable JWT authentication, e.g., "https://cloud.expanso.io". The JWKS URL is derived by appending /.well-known/jwks.json. Also used to validate the 'iss' claim in JWTs. If empty, JWT authentication is disabled.

network_claim_name string

NetworkClaimName is the JWT claim containing network IDs (default: "networkId")

organization_claim_name string

OrganizationClaimName is the JWT claim containing organization IDs (default: "organizationId")

token_endpoint string

TokenEndpoint is the OAuth2-compatible endpoint for exchanging API keys (exp_ak_*) for short-lived JWTs. Optional — when set, the orchestrator accepts API keys as Bearer tokens and exchanges them server-side. Requires Issuer to be configured (the exchanged JWTs are validated via JWKS).

organization_id string

OrganizationID is the organization this node belongs to (optional). If empty, organization validation is skipped (allow all access).

cors object

CORS configures Cross-Origin Resource Sharing for browser-based clients

allowed_origins string[]

AllowedOrigins is a list of origins that are allowed to make cross-origin requests. Use exact origins like "https://cloud.expanso.io" or patterns like "https://localhost:*" to match any port on localhost.

listen_addr string

Listen address. Defaults to localhost:9010. An empty string disables the API server.

types.APIConfig
{
  "auth": {
    "jwt": {
      "audience": "string",
      "issuer": "string",
      "network_claim_name": "string",
      "organization_claim_name": "string",
      "token_endpoint": "string"
    },
    "organization_id": "string"
  },
  "cors": {
    "allowed_origins": [
      "string"
    ]
  },
  "listen_addr": "string"
}
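Several fields above turn a check off when left empty (issuer, audience, organization_id). The following config audit is an added example, not part of the Expanso documentation or code base; it flags those settings in an APIConfig given as JSON. The sample configs, the `audit` function, the loopback host list, and the treatment of an absent key as "use the default" are assumptions made for illustration.

```python
import json

# Constructed sample configs (not taken from the Expanso docs).
WEAK = json.loads("""{
  "auth": {"jwt": {"audience": "", "issuer": "",
                   "token_endpoint": "https://idp.example/token"},
           "organization_id": ""},
  "listen_addr": "0.0.0.0:9010"
}""")
HARDENED = json.loads("""{
  "auth": {"jwt": {"issuer": "https://cloud.expanso.io"},
           "organization_id": "org-example"},
  "listen_addr": "localhost:9010"
}""")

# Assumption: hosts treated as loopback-only for this check.
LOOPBACK = ("localhost", "127.0.0.1", "[::1]")

def audit(cfg):
    """Return findings for settings the reference says disable a check."""
    findings = []
    auth = cfg.get("auth", {})
    jwt = auth.get("jwt", {})
    issuer = jwt.get("issuer", "")
    if not issuer:
        findings.append("issuer empty: JWT authentication is disabled")
        if jwt.get("token_endpoint"):
            findings.append("token_endpoint set but issuer is not configured")
    # Only an explicit "" disables the check; an absent key keeps the default.
    if jwt.get("audience") == "":
        findings.append("audience is \"\": 'aud' validation is disabled")
    if not auth.get("organization_id"):
        findings.append("organization_id empty: organization validation skipped")
    # Absent listen_addr falls back to the documented default.
    addr = cfg.get("listen_addr", "localhost:9010")
    host = addr.rsplit(":", 1)[0]
    if addr and host not in LOOPBACK and not issuer:
        findings.append("API listens on %s with JWT auth disabled" % addr)
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```
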