
types.NodeIdentity

credential_valid_until: string

CredentialValidUntil is the wall-clock deadline after which the enrollment credential is no longer trusted. Enforced at every credential-issuance check. Zero value means no expiry (e.g. legacy bootstrap-token enrollments retained for backward compatibility).

enrolled_at: string

EnrolledAt is when the identity row was first written.

enrolled_by: string

EnrolledBy identifies the principal that triggered enrollment when applicable (e.g. the operator who minted a bootstrap token, formatted as "user:"). Empty for fully self-service enrollments such as customer OIDC or cloud attestation.

enrollment_claims: integer[]

EnrollmentClaims is the verifier-specific JSON of attributes extracted from the credential at enrollment, preserved as raw bytes so claim shape remains source-faithful for audit and downstream policy.

enrollment_identity_uri: string

EnrollmentIdentityURI is the canonical identity string extracted from the verified credential at enrollment (e.g. an x509 SAN, an OIDC sub claim, a cloud instance ARN). Used to detect identity drift on refresh.

enrollment_source_id: string

EnrollmentSourceID is a logical reference to the trust-anchor record that authorized this enrollment. Empty for bootstrap_token enrollments, which carry no anchor.

enrollment_source_type: types.EnrollmentSourceType (string)

EnrollmentSourceType identifies the trust authority that validated the node at enrollment (e.g. bootstrap_token, x509_ca, oidc_issuer).

Possible values: [bootstrap_token, x509_ca, oidc_issuer, aws_iid, gcp_iit, azure_msi, tpm_ek, spire_bundle]

last_revocation_check_at: string

LastRevocationCheckAt is the timestamp of the most recent successful poll against the source's revocation mechanism (CRL/OCSP for x509, JWKS-availability for OIDC). Zero value means the source has no explicit revocation channel or has never been polled.

public_key: integer[]

PublicKey is the node's locally-generated Ed25519 public key (32 bytes raw). The matching private key never leaves the node and is used to sign proof-of-possession on credential requests.

public_key_fingerprint: string

PublicKeyFingerprint is the lowercase hex SHA-256 of PublicKey, indexed for fast lookup. Set whenever PublicKey is set.

status: types.NodeIdentityStatus (string)

Status is the lifecycle state of this identity binding (active, suspended, or revoked). See NodeIdentityStatus for transition rules.

Possible values: [active, suspended, revoked]

status_changed_at: string

StatusChangedAt is when Status was last updated.

status_changed_by: string

StatusChangedBy identifies the actor that drove the most recent status change (e.g. "user:" for an admin action, "system:revocation-poller" for an automated transition).

types.NodeIdentity
{
  "credential_valid_until": "string",
  "enrolled_at": "string",
  "enrolled_by": "string",
  "enrollment_claims": [
    0
  ],
  "enrollment_identity_uri": "string",
  "enrollment_source_id": "string",
  "enrollment_source_type": "bootstrap_token",
  "last_revocation_check_at": "string",
  "public_key": [
    0
  ],
  "public_key_fingerprint": "string",
  "status": "active",
  "status_changed_at": "string",
  "status_changed_by": "string"
}