Credential Management Modes
Tapistry supports three credential delivery patterns—PMK, DMK, and UBYOK—so creators can integrate third-party services securely. This page summarizes the options; the Markdown source lives in docs/guides/CREDENTIAL_MODES.md.
| Mode | Owner | Best for |
|---|---|---|
| Platform-Managed Keys (PMK) | Tapistry provisions and rotates credentials. | Turnkey integrations where you rely on Tapistry-provided accounts (e.g., OpenAI). |
| Developer-Managed Keys (DMK) | Creators upload secrets; Tapistry stores them encrypted. | Shared creator-owned accounts like Stripe or Twilio. |
| User Bring-Your-Own Key (UBYOK) | Consumers connect personal accounts via OAuth. | Workflows that require per-user data, such as GitHub or Salesforce connectors. |
Setup Highlights
- PMK: Enable the tool in Settings → Tools; Tapistry injects credentials automatically.
- DMK: Upload secrets via Settings → Secrets or `tapi secrets set` and reference them in your app configuration.
- UBYOK: Provide OAuth connection instructions in your marketplace listing; Tapistry handles token storage and refresh.
Pair this guide with the Security & Guardrails page and the Creator Quickstart to see how credentials flow through publishing and runtime enforcement.