The File Gateway lets workflows exchange files with external storage systems (FTP, SFTP, S3, Azure Blob) and start processes when new files land in a watched location.
Dependencies
Before setting up the File Gateway, ensure you have the following dependencies in place:- MongoDB for storing file-trigger definitions and poll state
- Kafka for publishing process start events
- Keycloak (or compatible OAuth2 provider) for authentication and authorization
- SpiceDB for fine-grained, workspace-level authorization
- Document service for storing ingested and generated files
- File storage targets β the FTP, SFTP, S3, or Azure Blob systems you connect to (credentials are tenant-supplied per connection, not set as service env vars)
Infrastructure prerequisites
Configuration
Authorization configuration
The File Gateway validates incoming tokens with the JWT public key mechanism and authenticates to other FlowX services with a dedicated service account (themainIdentity client registration) in the service-accounts realm:
MongoDB configuration
The File Gateway uses the runtime MongoDB instance (the same one used by the Email Gateway) to store file-trigger definitions and polling state.Kafka configuration
The File Gateway publishes a process-start event when a watched location receives a new file (a file trigger).Core Kafka settings
OAuth authentication (when using SASL_PLAINTEXT)
When using the
kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.Kafka topics
CAS lib configuration (SpiceDB)
Service communication
The File Gateway communicates with the following FlowX services:Logging configuration
File storage connections
File storage targets (FTP, SFTP, S3, Azure Blob) are not configured through service environment variables. Each connection β including its host, path, and credentials β is defined per workspace in the FlowX Designer as a File Storage data source. Credentials are tenant-supplied and stored securely; the File Gateway never uses pod identity, IAM roles, or managed identities to reach a customerβs storage. Supported authentication methods:Secrets management
Deployment
Helm values example
The File Gateway makes outbound connections to customer-managed FTP/SFTP/S3/Azure Blob endpoints. Ensure egress network policies allow traffic to those destinations.
Verify your setup
The File Gateway pod is running and healthy:
kubectl get pods -l app=file-gatewayThe health endpoint returns HTTP 200:
curl http://file-gateway:8080/actuator/healthMongoDB collections appear (
file_triggers, seen_file_cursors, failed_files, poll_leases) with the expected indexesSpiceDB connection is established β check pod logs for successful CAS client initialization
Troubleshooting
Files are not picked up from a watched location
Files are not picked up from a watched location
Solutions:
- Confirm the File Storage data source and file trigger are configured and toggled ON in the Designer
- Verify the connection credentials and path in the data source
- Check egress network policies allow the File Gateway to reach the storage host
- Review pod logs for poll or authentication errors
SpiceDB connection failures
SpiceDB connection failures
Solutions:
- Verify SpiceDB is running and reachable at the configured host and port
- Check that the SpiceDB token is correct
- Ensure network policies allow gRPC traffic to SpiceDB on port
50051
Processes not starting from file triggers
Processes not starting from file triggers
Solutions:
- Verify Kafka bootstrap servers are reachable
- Check that the
ai.flowx.core.trigger.start-for-event.process.v1topic exists - Confirm the bound Message Start Event and active build for the process
Related resources
SpiceDB Configuration
Fine-grained authorization setup
Kafka Authentication
Configure Kafka security and authentication
Email Gateway setup
The email-trigger gateway this service mirrors
IAM Configuration
Identity and access management setup

