Resold vs BYO

Frayme draws a hard line between the two provisioning models:
  • The UI hides credential fields entirely and shows the Reselling agreement notice.
  • Credentials are stored in the Frayme platform secret store (Vault / AWS Secrets Manager in production), never exposed to client tenants.
  • Billing flows through Frayme; clients see consumption metrics, not vendor invoices.

Rotation

1. Open the provider's Settings
   Gear icon in the Data Sources table.

2. Paste the new API key
   The input is masked. The placeholder reads “Paste new key to rotate”. Leaving the field blank keeps the current key.

3. Save
   The next outgoing call uses the new key. In-flight calls continue with the old key for graceful drain.

4. Test
   Click Test to confirm the new key works before disabling the old one upstream.

Reveal vs rotate

The Reveal toggle on the API key field shows the current key in plaintext. Every reveal is audit-logged (actor, provider_id, action: reveal, ts). Production deployments can require an additional confirmation step (re-MFA) before reveal.

Workflow-level secrets

Custom API nodes can also reference {{secrets.<name>}} variables that aren’t tied to a Data Source — for example {{secrets.sumsub_app_token}} and {{secrets.sumsub_signature}} used by Sumsub admin endpoints (override review answer, generate scoped access token). These are stored on the workflow’s connections map and managed under Workflows → Connections & secrets.

What never gets logged

  • The credential value itself — only the credential_id reference.
  • Sumsub X-App-Access-Sig request signatures — replay-resistant by design but still treated as sensitive.
  • Bearer tokens in Authorization headers — masked to Bearer ****** in audit entries.
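
The three rules above, applied to an audit entry before it is written, as an added example that is not Frayme's own code. The entry shape, the function names and the "[redacted]" marker are assumptions made for illustration; the sample values are constructed.

```python
import copy
import json
import re

# Assumed entry shape (hypothetical): actor, provider_id, action, ts,
# "credential": {"credential_id", "value"}, "request": {"headers": {...}}
SIG_HEADER = "x-app-access-sig"      # header name from the page, lowercased
BEARER_MASK = "Bearer ******"        # mask format from the page
REDACTED = "[redacted]"              # constructed marker, an assumption
BEARER_RE = re.compile(r"^\s*bearer\s+\S+", re.IGNORECASE)


def redact_audit_entry(entry: dict) -> dict:
    """Return a copy of entry that is safe to write to the audit log."""
    safe = copy.deepcopy(entry)      # never mutate the live request object

    # Keep only the credential_id reference, never the credential value.
    cred = safe.pop("credential", None)
    if cred is not None:
        safe["credential_id"] = cred["credential_id"]

    headers = safe.get("request", {}).get("headers", {})
    for name in list(headers):
        lowered = name.lower()       # HTTP header names are case-insensitive
        if lowered == SIG_HEADER:
            headers[name] = REDACTED
        elif lowered == "authorization":
            value = str(headers[name])
            # Bearer tokens get the page's mask; other schemes are hidden whole.
            headers[name] = BEARER_MASK if BEARER_RE.match(value) else REDACTED
    return safe


def leaked_secrets(entry: dict, secrets: list[str]) -> list[str]:
    """Regression check: known secret values still present once serialized."""
    blob = json.dumps(entry)
    return [s for s in secrets if s in blob]


# Constructed sample entry; every value below is made up for the example.
SAMPLE = {
    "actor": "ops@example.test", "provider_id": "prov_123",
    "action": "outgoing_call", "ts": "2024-01-01T00:00:00Z",
    "credential": {"credential_id": "cred_42", "value": "sk_test_constructed"},
    "request": {"headers": {"authorization": "bearer tok_constructed",
                            "X-App-Access-Sig": "deadbeefconstructed",
                            "Accept": "application/json"}},
}
SECRETS = ["sk_test_constructed", "tok_constructed", "deadbeefconstructed"]
```

Running leaked_secrets over redacted entries in a unit test catches a new header or field that starts carrying a secret before it reaches the audit log.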