# First-Party Providers
Gestalt does not compile authentication, authorization, agent, workflow, runtime, IndexedDB, or S3 providers into the `gestaltd` binary. They are loaded at startup as external provider processes through the same runtime model that also powers apps. The first-party implementations are published from valon-technologies/gestalt-providers and maintained alongside the server.

Two simple secrets providers (`env` and `file`), telemetry, and audit remain built into the binary. Cloud secret backends (Google Secret Manager, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) are available as external providers from valon-technologies/gestalt-providers. See Config File for package names and configuration.
## Authentication Providers

Authentication providers handle platform login. They are configured under `providers.authentication.<name>` in your config file. Omit `providers.authentication` for local or unauthenticated deployments.
| Package | Purpose |
|---|---|
| github.com/valon-technologies/gestalt-providers/auth/oidc | Generic OpenID Connect. Works with Okta, Auth0, Azure AD, Keycloak, and others. |

```yaml
providers:
  authentication:
    oidc:
      source:
        package: github.com/valon-technologies/gestalt-providers/auth/oidc
        version: 0.0.1-alpha.1
      config:
        issuerUrl: https://login.example.com
        clientId: ${OIDC_CLIENT_ID}
        clientSecret:
          secret:
            provider: default
            name: oidc-client-secret
```

To disable platform authentication entirely, omit the `providers.authentication` block.
## Authorization Providers

Authorization providers back dynamic subject authorization state. They are configured under `providers.authorization.<name>`, and `server.providers.authorization` selects which one Gestalt uses.
```yaml
server:
  providers:
    indexeddb: main
    authorization: indexeddb
providers:
  indexeddb:
    main:
      source:
        package: github.com/valon-technologies/gestalt-providers/indexeddb/relationaldb
        version: 0.0.1-alpha.2
      config:
        dsn: ${DATABASE_URL}
  authorization:
    indexeddb:
      source:
        package: github.com/valon-technologies/gestalt-providers/authorization/indexeddb
        version: 0.0.1-alpha.1
      config:
        indexeddb: main
```

| Name | Purpose |
|---|---|
| indexeddb | Stores authorization models and relationships in a host IndexedDB provider. |
## IndexedDB Providers

Datastore providers back the persistent state layer. They are configured under named entries in `providers.indexeddb`, and `server.providers.indexeddb` selects which one the host uses. Gestalt does not compile datastore drivers into the binary; it starts the configured external datastore provider process at runtime.
```yaml
server:
  providers:
    indexeddb: main
providers:
  indexeddb:
    main:
      source:
        package: github.com/valon-technologies/gestalt-providers/indexeddb/relationaldb
        version: 0.0.1-alpha.2
      config:
        dsn: ${DATABASE_URL}
```

| Name | Purpose |
|---|---|
| relationaldb | SQL-backed IndexedDB provider for PostgreSQL, MySQL, SQLite, and SQL Server. |
| dynamodb | Amazon DynamoDB-backed IndexedDB provider for managed key-value and document storage. |
| mongodb | MongoDB-backed IndexedDB provider for document-oriented storage. |
## Runtime Providers

Runtime providers manage hosted execution backends for executable apps, hosted agent providers, and hosted workflow providers. They are configured under top-level `runtime.providers`, and providers opt into them with their own `runtime` block.
```yaml
runtime:
  providers:
    kubernetes:
      source:
        package: github.com/valon-technologies/gestalt-providers/runtime/kubernetes
        version: 0.0.1-alpha.1
      default: true
      config:
        namespace: gestalt-runtime
apps:
  support:
    source: ./apps/support/manifest.yaml
    runtime:
      image: ghcr.io/example/support-app:2026-04-21
```

| Name | Purpose |
|---|---|
| local | Built-in same-machine runtime driver. Used by default when a provider does not opt into hosted execution. |
| kubernetes | First-party hosted runtime provider for native Kubernetes Pods. |
## Workflow Providers

Workflow providers back global runs, schedules, and triggers. They are configured under `providers.workflow.<name>`, then referenced by top-level `workflows.*` config or the global workflow API/CLI.
```yaml
providers:
  indexeddb:
    workflow_state:
      source:
        package: github.com/valon-technologies/gestalt-providers/indexeddb/relationaldb
        version: 0.0.1-alpha.2
      config:
        dsn: ${DATABASE_URL}
  workflow:
    local:
      source:
        package: github.com/valon-technologies/gestalt-providers/workflow/indexeddb
        version: 0.0.1-alpha.1
      indexeddb:
        provider: workflow_state
        db: workflow
      config:
        pollInterval: 1s
workflows:
  schedules:
    nightly_sync:
      provider: local
      cron: "0 3 * * *"
      target:
        steps:
          - id: sync_items
            app:
              name: roadmap
              operation: sync_items
```

| Name | Purpose |
|---|---|
| indexeddb | Stores workflow runs, schedules, and triggers in IndexedDB and invokes app operations through the workflow host. |
## Agent Providers

Agent providers are configured under `providers.agent.<name>`, but there is not yet a first-party agent provider published from valon-technologies/gestalt-providers. If you need one today, implement it with Agent.
## S3 Providers

S3 providers expose portable object storage to executable apps. They are configured under named entries in `providers.s3`, then bound into apps with `apps.<name>.s3`.
```yaml
providers:
  s3:
    assets:
      source:
        package: github.com/valon-technologies/gestalt-providers/s3/s3
        version: 0.0.1-alpha.1
      config:
        region: us-east-1
        endpoint: https://s3.us-east-1.amazonaws.com
        forcePathStyle: false
        accessKeyId: ${AWS_ACCESS_KEY_ID}
        secretAccessKey:
          secret:
            provider: default
            name: aws-secret-access-key
apps:
  media:
    source: ./apps/media/manifest.yaml
    s3:
      - assets
```

| Name | Purpose |
|---|---|
| s3 | Portable S3-compatible object store provider for AWS S3, MinIO, GCS XML interoperability, and similar backends. |

If `accessKeyId` and `secretAccessKey` are omitted, the first-party provider falls back to the AWS SDK default credential chain. `sessionToken`, a custom `endpoint`, and `forcePathStyle` are available for temporary credentials and non-AWS S3-compatible backends.
## Secret Managers

Two secret managers are compiled into the `gestaltd` binary and resolve structured secret refs during bootstrap. Cloud secret backends are available as external providers published from valon-technologies/gestalt-providers.

| Name | Purpose |
|---|---|
| env | Resolves secrets from environment variables. Default when `providers.secrets` is omitted. |
| file | Resolves secrets from files in a configured directory. Works with Kubernetes volume-mounted secrets. |

For cloud backends (Google Secret Manager, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), see Config File. These use a `source:` config key under `providers.secrets.<name>`.
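The examples on this page always pass credentials either as `${ENV}` expansions or as a structured `secret:` ref (the OIDC `clientSecret`, the S3 `secretAccessKey`, the datastore `dsn`). A cheap pre-commit or CI check that enforces that rule is a useful guard against a literal credential ending up in a checked-in config. The following Python script is an added example, not code from the Gestalt project; it walks a YAML config line by line (so it needs no YAML library), and flags any sensitive key whose value is a literal rather than an `${ENV}` ref or a nested `secret:` block. The list of sensitive key names and the sample config are constructed for the example; the S3 section's credential-chain fallback is respected in that an omitted `accessKeyId` or `secretAccessKey` produces no finding.

```python
import re

# Constructed sample config: two credentials are given inline instead of
# through ${ENV} or a structured `secret:` ref (the dsn and secretAccessKey).
SAMPLE_CONFIG = """\
providers:
  authentication:
    oidc:
      config:
        issuerUrl: https://login.example.com
        clientId: ${OIDC_CLIENT_ID}
        clientSecret:
          secret:
            provider: default
            name: oidc-client-secret
  indexeddb:
    main:
      config:
        dsn: postgres://gestalt:hunter2@db.internal/gestalt
  s3:
    assets:
      config:
        region: us-east-1
        accessKeyId: ${AWS_ACCESS_KEY_ID}
        secretAccessKey: AKIAEXAMPLEPLAINTEXT
"""

# Key names (compared case-insensitively) whose values must never be literals
# in a checked-in config. This list is an assumption for the example.
SENSITIVE_KEYS = {"clientsecret", "secretaccesskey", "sessiontoken",
                  "accesskeyid", "dsn", "password", "token", "apikey"}
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Matches `  key: value` and captures indent, key and (possibly empty) value.
LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def find_inline_secrets(text):
    """Return a list of (line_no, key, reason) for every sensitive key whose
    value is neither an ${ENV} reference nor a deeper-indented `secret:` ref."""
    lines = text.splitlines()
    findings = []
    for i, raw in enumerate(lines):
        m = LINE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if key.lower() not in SENSITIVE_KEYS:
            continue
        if value:
            # Inline value: only an ${ENV} expansion is acceptable.
            if not ENV_REF.match(value):
                findings.append((i + 1, key, "literal value"))
            continue
        # Empty value: the next non-blank line must open a deeper `secret:` block.
        nxt = next((l for l in lines[i + 1:] if l.strip()), "")
        nm = LINE.match(nxt)
        if not (nm and len(nm.group(1)) > indent and nm.group(2) == "secret"):
            findings.append((i + 1, key, "missing secret ref"))
    return findings


if __name__ == "__main__":
    for line_no, key, reason in find_inline_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {key}: {reason}")
```

Run it against the sample and it reports the `dsn` (a connection string embedding a password) and the literal `secretAccessKey`; the `clientSecret` with its nested `secret:` ref and the `${AWS_ACCESS_KEY_ID}` expansion pass. Because the check is line-based it does not understand flow-style YAML or multi-line scalars; treat it as a first filter rather than a complete secret scanner.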
## Telemetry Providers (built-in)

Telemetry providers are compiled into the binary.

| Name | Purpose |
|---|---|
| stdout | Outputs structured logs to standard output. Traces stay disabled, and metrics are exposed locally through the built-in Prometheus bridge. Default when `telemetry` is omitted. |
| otlp | Exports traces, metrics, and logs via OpenTelemetry Protocol. |
| noop | Disables all telemetry collection. |
## Apps

Apps and installable runtime providers are published separately from valon-technologies/gestalt-providers. Apps are configured under `apps`; installable hosted runtimes are configured under `runtime.providers`:

```yaml
apps:
  jira:
    source:
      package: github.com/valon-technologies/gestalt-providers/app/jira
      version: 0.0.1-alpha.1
```

## Community and Custom Providers

Third-party authentication providers, datastore providers, and apps use the same provider package model as the first-party packages. Package your implementation with a provider manifest that includes the appropriate `kind` and `spec` block, publish it through a provider index, and reference that package source in config. For one-off releases, you can still point directly at the exact `provider-release.yaml` URL.