What is Expanso and how does it work?

Expanso is a managed platform for deploying intelligent data pipelines at the edge. It processes data where it's generated - reducing bandwidth, latency, and costs. You deploy lightweight agents on your infrastructure, build pipelines using our visual builder or YAML, and control everything from a central SaaS platform.

Can I run AI/ML models directly in my data pipelines?

Yes! Expanso supports running ONNX, TensorFlow Lite, and other models as native pipeline steps. Execute low-latency inference on streaming data, enrich events with model outputs (like risk scores), and make decisions at the edge without cloud round-trips.

How many pre-built components are available?

Expanso provides 200+ pre-built components including inputs (Kafka, HTTP, files), processors (transformations, filtering, PII masking, aggregations), and outputs (S3, Snowflake, Datadog, Splunk). Browse the complete catalog in our Component Reference.

Do I need to write code to build pipelines?

No - use our drag-and-drop visual pipeline builder to create sophisticated pipelines without code. For advanced use cases, you can also write pipelines in YAML or use the Bloblang transformation language for complex data mappings.

How does Expanso help with data governance and compliance?

Expanso includes built-in governance features: automatic PII detection and masking, policy enforcement at the edge, RBAC, SSO integration, and comprehensive audit trails. Mask sensitive data before it ever leaves your network.

types.SecretSpec

encodingstring

Encoding specifies the file encoding: "raw" (default) or "base64".

engine_versioninteger

EngineVersion is the KV engine version: 1 or 2 (default: 2).

fieldstring

Field extracts a single JSON key from the secret value.

fromstring

From references a key in the job's SecretProviders map (required).

mountstring

Mount is the Vault secret engine mount (e.g. "kv", "secret").

namestring

Name is the parameter name or ARN. Supports ":version" and ":label" suffixes.

pathstring

Path is the absolute path on the node to read from.

refreshinteger<int64>

Refresh overrides the refresh interval for this secret.

Possible values: [-9223372036854776000, 9223372036854776000, 1, 1000, 1000000, 1000000000, 60000000000, 3600000000000, 3600000000000, 10000000000]

secretstring

Secret is the GCP secret name.

secret_idstring

SecretID is the Secrets Manager secret name or ARN.

secret_namestring

SecretName is the Azure Key Vault secret name.

secret_pathstring

SecretPath is the path within the mount.

versionstring

Version pins a specific version (Vault KV v2, GCP, Azure).

version_idstring

VersionID selects the secret by version ID. Mutually exclusive with VersionStage.

version_stagestring

VersionStage selects the secret version (default: AWSCURRENT).

with_decryptionboolean

WithDecryption controls parameter decryption (default: true).

types.SecretSpec
{
  "encoding": "string",
  "engine_version": 0,
  "field": "string",
  "from": "string",
  "mount": "string",
  "name": "string",
  "path": "string",
  "refresh": -9223372036854776000,
  "secret": "string",
  "secret_id": "string",
  "secret_name": "string",
  "secret_path": "string",
  "version": "string",
  "version_id": "string",
  "version_stage": "string",
  "with_decryption": true
}