Skip to main content
The File Gateway lets workflows exchange files with external storage systems (FTP, SFTP, S3, Azure Blob) and start processes when new files land in a watched location.

Dependencies

Before setting up the File Gateway, ensure you have the following dependencies in place:
  • MongoDB for storing file-trigger definitions and poll state
  • Kafka for publishing process start events
  • Keycloak (or compatible OAuth2 provider) for authentication and authorization
  • SpiceDB for fine-grained, workspace-level authorization
  • Document service for storing ingested and generated files
  • File storage targets β€” the FTP, SFTP, S3, or Azure Blob systems you connect to (credentials are tenant-supplied per connection, not set as service env vars)

Infrastructure prerequisites


Configuration

Authorization configuration

The File Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (the mainIdentity client registration) in the service-accounts realm:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, SECURITY_OAUTH2_CLIENT_CLIENTSECRET, and SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_*. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.

MongoDB configuration

The File Gateway uses the runtime MongoDB instance (the same one used by the Email Gateway) to store file-trigger definitions and polling state.

Kafka configuration

The File Gateway publishes a process-start event when a watched location receives a new file (a file trigger).

Core Kafka settings

OAuth authentication (when using SASL_PLAINTEXT)

When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Kafka topics


CAS lib configuration (SpiceDB)


Service communication

The File Gateway communicates with the following FlowX services:

Logging configuration


File storage connections

File storage targets (FTP, SFTP, S3, Azure Blob) are not configured through service environment variables. Each connection β€” including its host, path, and credentials β€” is defined per workspace in the FlowX Designer as a File Storage data source. Credentials are tenant-supplied and stored securely; the File Gateway never uses pod identity, IAM roles, or managed identities to reach a customer’s storage. Supported authentication methods:

Secrets management


Deployment

Helm values example

The File Gateway makes outbound connections to customer-managed FTP/SFTP/S3/Azure Blob endpoints. Ensure egress network policies allow traffic to those destinations.

Verify your setup

The File Gateway pod is running and healthy: kubectl get pods -l app=file-gateway
The health endpoint returns HTTP 200: curl http://file-gateway:8080/actuator/health
MongoDB collections appear (file_triggers, seen_file_cursors, failed_files, poll_leases) with the expected indexes
SpiceDB connection is established β€” check pod logs for successful CAS client initialization

Troubleshooting

Solutions:
  1. Confirm the File Storage data source and file trigger are configured and toggled ON in the Designer
  2. Verify the connection credentials and path in the data source
  3. Check egress network policies allow the File Gateway to reach the storage host
  4. Review pod logs for poll or authentication errors
Solutions:
  1. Verify SpiceDB is running and reachable at the configured host and port
  2. Check that the SpiceDB token is correct
  3. Ensure network policies allow gRPC traffic to SpiceDB on port 50051
Solutions:
  1. Verify Kafka bootstrap servers are reachable
  2. Check that the ai.flowx.core.trigger.start-for-event.process.v1 topic exists
  3. Confirm the bound Message Start Event and active build for the process

SpiceDB Configuration

Fine-grained authorization setup

Kafka Authentication

Configure Kafka security and authentication

Email Gateway setup

The email-trigger gateway this service mirrors

IAM Configuration

Identity and access management setup
Last modified on June 24, 2026