
First-Party Providers

Gestalt does not compile authentication, authorization, agent, workflow, runtime, IndexedDB, or S3 providers into the gestaltd binary. They are loaded at startup as external provider processes through the same runtime model that also powers plugins. The first-party implementations are published from valon-technologies/gestalt-providers and maintained alongside the server.

Two simple secrets providers (env and file), telemetry, and audit remain built into the binary. Cloud secret backends (Google Secret Manager, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) are available as external providers from valon-technologies/gestalt-providers. See Secrets Providers for the full list and configuration.

Authentication Providers

Authentication providers handle platform login. They are configured under providers.authentication.<name> in your config file.

| Name | Purpose |
| --- | --- |
| local | Single-user authentication for local development. No external identity provider required. |
| oidc | Generic OpenID Connect. Works with Okta, Auth0, Azure AD, Keycloak, and others. |

```yaml
providers:
  authentication:
    oidc:
      source: https://artifacts.example.com/auth/oidc/v0.0.1-alpha.1/provider-release.yaml
      config:
        issuerUrl: https://login.example.com
        clientId: ${OIDC_CLIENT_ID}
        clientSecret:
          secret:
            provider: default
            name: oidc-client-secret
```

To disable platform authentication entirely, omit the providers.authentication block.

Authorization Providers

Authorization providers back dynamic subject authorization state. They are configured under providers.authorization.<name>, and server.providers.authorization selects which one Gestalt uses.

```yaml
server:
  providers:
    indexeddb: main
    authorization: indexeddb
providers:
  indexeddb:
    main:
      source: https://artifacts.example.com/indexeddb/relationaldb/v0.0.1-alpha.1/provider-release.yaml
      config:
        dsn: ${DATABASE_URL}
  authorization:
    indexeddb:
      source: https://artifacts.example.com/authorization/indexeddb/v0.0.1-alpha.1/provider-release.yaml
      config:
        indexeddb: main
```

| Name | Purpose |
| --- | --- |
| indexeddb | Stores authorization models and relationships in a host IndexedDB provider. |

IndexedDB Providers

Datastore providers back the persistent state layer. They are configured under named entries in providers.indexeddb, and server.providers.indexeddb selects which one the host uses. Gestalt does not compile datastore drivers into the binary; it starts the configured external datastore provider process at runtime.

```yaml
server:
  providers:
    indexeddb: main
providers:
  indexeddb:
    main:
      source: https://artifacts.example.com/indexeddb/relationaldb/v0.0.1-alpha.1/provider-release.yaml
      config:
        dsn: ${DATABASE_URL}
```

| Name | Purpose |
| --- | --- |
| relationaldb | SQL-backed IndexedDB provider for PostgreSQL, MySQL, SQLite, and SQL Server. |
| dynamodb | Amazon DynamoDB-backed IndexedDB provider for managed key-value and document storage. |
| mongodb | MongoDB-backed IndexedDB provider for document-oriented storage. |

Runtime Providers

Runtime providers manage hosted execution backends for executable plugins. They are configured under top-level runtime.providers, and plugins opt into them with plugins.<name>.execution.mode: hosted.

```yaml
runtime:
  providers:
    modal:
      source: https://artifacts.example.com/runtime/modal/v0.0.1-alpha.1/provider-release.yaml
      default: true
      config:
        app: gestalt-runtime
plugins:
  support:
    source: ./plugins/support/manifest.yaml
    execution:
      mode: hosted
      runtime:
        image: ghcr.io/example/support-plugin:2026-04-21
```

| Name | Purpose |
| --- | --- |
| local | Built-in same-machine runtime driver. Used by default when a plugin does not opt into hosted execution. |
| modal | First-party hosted runtime provider for Modal sandboxes. |

Workflow Providers

Workflow providers back global runs, schedules, and triggers. They are configured under providers.workflow.<name>, then referenced by top-level workflows.* config or the global workflow API/CLI.

```yaml
providers:
  indexeddb:
    workflow_state:
      source: https://artifacts.example.com/indexeddb/relationaldb/v0.0.1-alpha.1/provider-release.yaml
      config:
        dsn: ${DATABASE_URL}
  workflow:
    local:
      source: https://artifacts.example.com/workflow/indexeddb/v0.0.1-alpha.1/provider-release.yaml
      indexeddb:
        provider: workflow_state
        db: workflow
      config:
        pollInterval: 1s
workflows:
  schedules:
    nightly_sync:
      provider: local
      cron: "0 3 * * *"
      target:
        plugin:
          name: roadmap
          operation: sync_items
```

| Name | Purpose |
| --- | --- |
| indexeddb | Stores workflow runs, schedules, and triggers in IndexedDB and invokes plugin operations through the workflow host. |

Agent Providers

Agent providers are configured under providers.agent.<name>, but there is not yet a first-party agent provider published from valon-technologies/gestalt-providers.

If you need one today, implement it with Custom Providers > Agent.

S3 Providers

S3 providers expose portable object storage to executable plugins. They are configured under named entries in providers.s3, then bound into plugins with plugins.<name>.s3.

```yaml
providers:
  s3:
    assets:
      source: https://artifacts.example.com/s3/s3/v0.0.1-alpha.1/provider-release.yaml
      config:
        region: us-east-1
        endpoint: https://s3.us-east-1.amazonaws.com
        forcePathStyle: false
        accessKeyId: ${AWS_ACCESS_KEY_ID}
        secretAccessKey:
          secret:
            provider: default
            name: aws-secret-access-key
plugins:
  media:
    source: ./plugins/media/manifest.yaml
    s3:
      - assets
```

| Name | Purpose |
| --- | --- |
| s3 | Portable S3-compatible object store provider for AWS S3, MinIO, GCS XML interoperability, and similar backends. |

If accessKeyId and secretAccessKey are omitted, the first-party provider falls back to the AWS SDK default credential chain. sessionToken, custom endpoint, and forcePathStyle are available for temporary credentials and non-AWS S3-compatible backends.
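The sections above wire providers together by name (server.providers selects from providers.indexeddb and providers.authorization, an authorization provider binds to a host IndexedDB provider, a workflow provider binds through indexeddb.provider, and plugins.<name>.s3 lists entries from providers.s3) and keep credentials out of the file through structured secret refs. The following pre-flight check is an added example, not Gestalt's own code: it walks a config that has already been parsed from YAML into a dict, reports every dangling reference, and flags credential keys that hold a plain literal instead of a secret ref or an ${ENV} interpolation. The config dict, the ART prefix and the SECRET_KEYS list are constructed for the example.

```python
# Added example (not Gestalt code): pre-flight check over a parsed Gestalt-style config.
ART = "https://artifacts.example.com"
# Constructed config mirroring the page's snippets, as a dict after YAML parsing.
CONFIG = {
    "server": {"providers": {"indexeddb": "main", "authorization": "indexeddb"}},
    "providers": {
        "indexeddb": {"main": {"source": f"{ART}/indexeddb/relationaldb/v0.0.1-alpha.1/provider-release.yaml",
                               "config": {"dsn": "${DATABASE_URL}"}}},
        "authorization": {"indexeddb": {"source": f"{ART}/authorization/indexeddb/v0.0.1-alpha.1/provider-release.yaml",
                                        "config": {"indexeddb": "main"}}},
        "s3": {"assets": {"source": f"{ART}/s3/s3/v0.0.1-alpha.1/provider-release.yaml",
                          "config": {"accessKeyId": "${AWS_ACCESS_KEY_ID}",
                                     "secretAccessKey": {"secret": {"provider": "default", "name": "aws-secret-access-key"}}}}},
    },
    "plugins": {"media": {"source": "./plugins/media/manifest.yaml", "s3": ["assets"]}},
}
# Config keys that carry credentials and must never hold a plain literal (assumed list).
SECRET_KEYS = {"clientSecret", "secretAccessKey", "sessionToken"}

def is_secret_ref(value):
    # A structured ref ({secret: {provider, name}}) or an ${ENV} interpolation is acceptable.
    if isinstance(value, dict):
        return isinstance(value.get("secret"), dict) and {"provider", "name"} <= set(value["secret"])
    return isinstance(value, str) and value.startswith("${") and value.endswith("}")

def check_config(cfg):
    """Return a list of problems; an empty list means every reference resolves."""
    providers = cfg.get("providers", {})
    defined = lambda kind, name: name in providers.get(kind, {})
    problems = []
    # server.providers.<kind> selects an entry that must exist under providers.<kind>
    for kind, name in cfg.get("server", {}).get("providers", {}).items():
        if not defined(kind, name):
            problems.append(f"server.providers.{kind}: no providers.{kind}.{name}")
    # authorization binds to a host IndexedDB via config.indexeddb, workflow via indexeddb.provider
    bound = [(n, s.get("config", {}).get("indexeddb"), "authorization") for n, s in providers.get("authorization", {}).items()]
    bound += [(n, s.get("indexeddb", {}).get("provider"), "workflow") for n, s in providers.get("workflow", {}).items()]
    for name, host, kind in bound:
        if not defined("indexeddb", host):
            problems.append(f"providers.{kind}.{name}: no providers.indexeddb.{host}")
    # plugins.<name>.s3 lists names that must exist under providers.s3
    for pname, plugin in cfg.get("plugins", {}).items():
        for s3name in plugin.get("s3", []):
            if not defined("s3", s3name):
                problems.append(f"plugins.{pname}.s3: no providers.s3.{s3name}")
    # credentials must be secret refs, not literals committed to the config file
    for kind, entries in providers.items():
        for name, spec in entries.items():
            for key, value in spec.get("config", {}).items():
                if key in SECRET_KEYS and not is_secret_ref(value):
                    problems.append(f"providers.{kind}.{name}.config.{key}: inline literal, use a secret ref")
    return problems
```

Running it before gestaltd starts turns a provider-process startup failure into a readable list of misnamed references, and catches a credential pasted into the config before the file is committed.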

Secret Managers

Two secret managers are compiled into the gestaltd binary and resolve structured secret refs during bootstrap. Cloud secret backends are available as external providers published from valon-technologies/gestalt-providers.

| Name | Purpose |
| --- | --- |
| env | Resolves secrets from environment variables. Default when providers.secrets is omitted. |
| file | Resolves secrets from files in a configured directory. Works with Kubernetes volume-mounted secrets. |

For cloud backends (Google Secret Manager, AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), see Secrets Providers. These use a source: config key under providers.secrets.<name>.

Telemetry Providers (built-in)

Telemetry providers are compiled into the binary.

| Name | Purpose |
| --- | --- |
| stdout | Outputs structured logs to standard output. Traces stay disabled, and metrics are exposed locally through the built-in Prometheus bridge. Default when telemetry is omitted. |
| otlp | Exports traces, metrics, and logs via OpenTelemetry Protocol. |
| noop | Disables all telemetry collection. |

Plugins

Plugins and installable runtime providers are published separately from valon-technologies/gestalt-providers. Plugins are configured under plugins; installable hosted runtimes are configured under runtime.providers:

```yaml
plugins:
  jira:
    source: https://artifacts.example.com/plugin/jira/v0.0.1-alpha.1/provider-release.yaml
```

Community and Custom Providers

Third-party authentication providers, datastore providers, and plugins use the same provider package model as the first-party packages. Package your implementation with a provider manifest that includes the appropriate kind and spec block, publish a release with provider-release.yaml, and reference that metadata URL in config the same way you would reference any first-party provider.