Extension URLs

Synapse extensions are self-contained, compiled code modules. They can be loaded from many different sources including the local file system, S3-compatible storage, and HTTP servers. For security purposes, it’s highly recommended that you only use extensions from trusted sources and pin them to specific versions using checksums.

A typical extension URL takes the following form:

https://cdn.cerbos.cloud/synapse/extensions/awesome_extension.wasm?checksum=sha256:677cce2788330f16f27981130eaa50aa4189beab2121903bcea5b3c4c918dccc

The checksum parameter is optional but is highly recommended for security. It can be appended to any URL kind listed below — including plain file paths.

Supported URL types

Local files

/path/to/extension
/path/to/extension?checksum=sha256:677cce2788330f16f27981130eaa50aa4189beab2121903bcea5b3c4c918dccc

HTTP

S3

s3::https://s3.amazonaws.com/bucket/extension.crbs?aws_profile=synapse
s3::https://s3.amazonaws.com/bucket/extension.crbs?checksum=sha256:682fbae4eb8607a9bae23ca8f31fb30becdc8c0a9cecc89e81589db4fc5edac5

GCS

gcs::https://www.googleapis.com/storage/v1/bucket/extension.wasm
gcs::https://www.googleapis.com/storage/v1/bucket/extension.wasm?checksum=sha256:682fbae4eb8607a9bae23ca8f31fb30becdc8c0a9cecc89e81589db4fc5edac5

Credentials for accessing S3 and GCS objects are sourced from the environment using the standard credential resolution method recommended by the provider.