Provider access modes

Restormel Keys is a control layer (routing, policies, health, cost, UX). Your stack still needs a provider access layer to actually reach OpenAI/Anthropic/etc. This page explains the default modes and when to choose each.

Mode A — Gateway-backed (recommended)

You keep an external gateway/key host as the provider access layer. Restormel integrates with it, adding governance and letting you adopt its features progressively.

  • Examples: OpenRouter, Vercel AI Gateway, Portkey
  • Where credentials live: In your gateway vendor account / your infra config
  • What Restormel stores: Routing/policy config, integration metadata, references (not raw provider secrets by default)
  • Why you’d pick it: Lowest migration risk; you keep existing auth/observability surfaces

Mode B — Builder-managed direct providers

Your backend calls providers directly using their SDKs or HTTP APIs. Provider credentials live in your env vars or secret manager. Restormel Resolve returns route/provider/model decisions and enforces policies in your control plane.

  • Where credentials live: Your env vars / secret manager
  • What Restormel stores: Routes, policies, health/analytics settings
  • Why you’d pick it: You want no extra hop and already have mature secret management
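A sketch of the credential boundary in Mode B, as an added example that is not Restormel's own code: the control layer supplies only a provider/model reference, and your backend maps that reference to a locally held secret. The decision dictionary shape, the `PROVIDER_ENV` allowlist, and the function names are assumptions made for illustration and do not reflect Restormel's actual response format.

```python
import hashlib
import os

# Assumption: a fixed allowlist mapping provider names to the env vars holding their keys.
PROVIDER_ENV = {
    "openai": "OPENAI_API_KEY",
    "anthropic": "ANTHROPIC_API_KEY",
}

# Field names that would mean a raw secret has leaked into control-layer data.
SECRET_FIELDS = {"api_key", "apikey", "secret", "token", "authorization"}


class CredentialError(Exception):
    """Raised when a route decision cannot be mapped to a local credential."""


def fingerprint(secret: str) -> str:
    """Short, non-reversible identifier that is safe to log instead of the key."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def resolve_credential(decision: dict, env=os.environ) -> dict:
    """Turn a route decision (a reference, hypothetical shape) into a local credential."""
    leaked = SECRET_FIELDS & {k.lower() for k in decision}
    if leaked:
        raise CredentialError(f"decision carries secret-like fields: {sorted(leaked)}")
    provider = decision.get("provider")
    # Only allowlisted names are looked up, so a decision cannot read arbitrary env vars.
    env_name = PROVIDER_ENV.get(provider) if isinstance(provider, str) else None
    if env_name is None:
        raise CredentialError(f"provider not allowlisted: {provider!r}")
    key = env.get(env_name, "")
    if not key:
        raise CredentialError(f"{env_name} is not set")  # names the variable, never the value
    return {"provider": provider, "model": decision.get("model"),
            "api_key": key, "log_id": fingerprint(key)}


if __name__ == "__main__":
    # Constructed sample inputs; the key is a placeholder, not a real credential.
    fake_env = {"OPENAI_API_KEY": "sk-constructed-example"}
    cred = resolve_credential({"provider": "openai", "model": "example-model"}, fake_env)
    print(cred["provider"], cred["model"], cred["log_id"])
```

Log `log_id` rather than `api_key` when recording which credential served a request.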

Mode C — End-user BYOK (builder-managed)

If your product lets end-users bring credentials, you can expose a KeyManager UI and store end-user credentials in your backend (or a gateway-backed scheme). Restormel remains the control layer; it does not need to become the custodian.

Recommended default — Start gateway-backed or builder-managed direct, then adopt Restormel routing/policies and dashboards progressively.