Environment & integration matrix
Purpose
Provide a single checklist of integration concerns and where credentials typically live in a Frappe / leekimerp deployment. This page lists names and roles only; never paste production secrets into documentation or git.
Use this page together with:
Core platform
| Concern | Typical storage | Rotation / notes | Owner |
|---|---|---|---|
| MariaDB password | site_config.json db_password | Rotate with DBA; update Bench | Ops |
| Frappe encryption key | site_config.json | Loss destroys encrypted fields | Ops |
| Redis / cache (if used) | site config / env | Match Frappe version docs | Ops |
| File storage | sites/<site>/private/files, public/files | Backup scope | Ops |
Integration: Xero
| Item | Storage pattern | Notes |
|---|---|---|
| OAuth client ID / secret | Xero-related DocTypes / site config per policy | Redirect URIs must match Xero app registration |
| Webhook signing secret | DocType or site_config | Verify in xero_webhook_* handlers |
| Tenant mapping | xero_organization, company linkage | Wrong mapping causes cross-tenant data risk |
Integration: Stripe
| Item | Storage pattern | Notes |
|---|---|---|
| API keys (publishable / secret) | Stripe settings DocType or env | Use restricted keys where possible |
| Webhook signing secret | Stripe dashboard + Frappe storage | Validate stripe_webhook payload |
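The Xero and Stripe rows above both say to verify the webhook signing secret in the receiving handler. The following is an added example, not code from leekimerp or Frappe, showing the two documented schemes side by side: Xero sends a base64 HMAC-SHA256 of the raw body in `x-xero-signature`, and Stripe sends `t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<body>">` in `Stripe-Signature`. The secrets, payload and function names are constructed for illustration; in a real handler the key comes from the DocType or `site_config.json` entry listed in the table, and the body must be the raw request bytes, not a re-serialised JSON object.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secrets and payload for this example only. Production
# values live in site_config.json or the relevant settings DocType, never here.
SAMPLE_XERO_KEY = "example-xero-webhook-key"
SAMPLE_STRIPE_SECRET = "whsec_example_only"
SAMPLE_PAYLOAD = b'{"events":[{"resourceId":"abc","eventType":"UPDATE"}]}'


def xero_signature(payload: bytes, key: str) -> str:
    """Base64 of HMAC-SHA256 over the raw body, the format of x-xero-signature."""
    digest = hmac.new(key.encode("utf-8"), payload, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_xero(payload: bytes, header_value: str, key: str) -> bool:
    """Constant-time comparison against the header; False on any mismatch."""
    expected = xero_signature(payload, key)
    return hmac.compare_digest(expected, header_value or "")


def stripe_signature_header(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a Stripe-Signature value: t=<ts>,v1=<hex HMAC-SHA256 of '<ts>.<body>'>."""
    signed = f"{timestamp}.".encode("utf-8") + payload
    v1 = hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={v1}"


def verify_stripe(payload: bytes, header_value: str, secret: str,
                  tolerance_seconds: int = 300, now: Optional[int] = None) -> bool:
    """Accept if any v1 signature matches and the timestamp is within tolerance.

    The timestamp check limits replay of a captured, validly signed event.
    """
    fields = {}
    v1_sigs = []
    for item in (header_value or "").split(","):
        if "=" not in item:
            continue
        k, v = item.split("=", 1)
        if k == "v1":
            v1_sigs.append(v)
        else:
            fields[k] = v
    try:
        ts = int(fields["t"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > tolerance_seconds:
        return False
    signed = f"{ts}.".encode("utf-8") + payload
    expected = hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in v1_sigs)


if __name__ == "__main__":
    xero_hdr = xero_signature(SAMPLE_PAYLOAD, SAMPLE_XERO_KEY)
    print("xero ok:", verify_xero(SAMPLE_PAYLOAD, xero_hdr, SAMPLE_XERO_KEY))
    stripe_hdr = stripe_signature_header(SAMPLE_PAYLOAD, SAMPLE_STRIPE_SECRET, int(time.time()))
    print("stripe ok:", verify_stripe(SAMPLE_PAYLOAD, stripe_hdr, SAMPLE_STRIPE_SECRET))
```

Both verifiers return False rather than raising, so a handler can reply with a 4xx and log the rejection; `hmac.compare_digest` avoids timing differences between a near-miss and a wrong signature. A separate signing secret per environment (UAT vs production, as the DocuSign table below also notes) keeps a leaked test key from validating production events.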
Integration: DocuSign
| Item | Storage pattern | Notes |
|---|---|---|
| OAuth / integration key | DocuSign settings | Envelope routing depends on account |
| HMAC or callback secrets | Per environment | Separate UAT vs production |
Integration: Singpass
| Item | Storage pattern | Notes |
|---|---|---|
| Client credentials | site_config or dedicated DocType | Register redirect URIs per Singpass guidance |
| MyInfo / token endpoints | Environment-specific | Document UAT vs production in internal runbook |
Email & transactional
| Concern | Storage | Notes |
|---|---|---|
| SMTP / Mandrill / SendGrid | Email settings DocTypes | SPF/DKIM are domain/DNS concerns |
| From-address allowlists | Site / provider | Bounce handling |
AI / auxiliary (if enabled)
| Concern | Storage | Notes |
|---|---|---|
| OpenAI or other API keys | e.g. openai_settings DocType | Rate limits and data residency |
Documentation site (Astro)
| Concern | Storage | Notes |
|---|---|---|
| PUBLIC_SITE_URL | CI / Cloudflare | Used for canonical URLs in astro.config.mjs |
| Build secrets | GitHub Actions / Cloudflare | No ERP credentials required for static build |
Audit questions (yes/no)
- Every production secret is outside git and listed in a password manager or vault.
- Integration keys have named owners and a rotation calendar.
- Guest HTTP endpoints have been reviewed (API inventory).