bedrock
chat
embedding
image
Test your AWS Bedrock API key.
Validate AWS access keys against Bedrock and list the foundation models your account has access to.
Stateless proxy — keys never logged, stored, or persisted. What happens to your key →
Detected
AWS Bedrock
What this key does
Bedrock hosts Anthropic, Meta, Cohere, Mistral, Amazon Titan, and AI21 models behind AWS SigV4-signed HTTP. Auth is an AWS access key ID + secret (and optional session token), region-scoped. Paste them as a JSON composite here.
How to get a AWS Bedrock API key
- Sign in to the AWS console.
- IAM → create a user with the AmazonBedrockFullAccess (or scoped) policy.
- Generate an access key for that user.
- Request access to the specific Bedrock models you want to use (some require approval).
- Paste {"accessKeyId":"…","secretAccessKey":"…","region":"us-east-1"} here.
Common errors and fixes
- 401 Unauthorized: Key is invalid, revoked, or pasted with extra whitespace. Generate a new key from the provider console and try again.
- 403 Forbidden: Key is valid but lacks permission for this resource. Check project / org / workspace scope, or that billing is set up for this key.
- 429 Too Many Requests: You hit the per-minute or per-day rate limit. Wait a moment and retry, or upgrade your tier.
- 404 Not Found: The endpoint or model id changed. Check the provider docs for the current path and model identifier.
- 5xx: The provider is having issues. Check their status page before assuming the bug is yours.
- AccessDeniedException: Either the IAM policy doesn't grant Bedrock or the model isn't enabled in this region. Check both.
Security best practices
- Store keys in an env var or secret manager — never commit them to a repo, even a private one.
- Restrict scope: prefer per-project or per-deployment keys over a single root key shared across services.
- Rotate on a schedule (90 days is a sane default) and immediately on suspected leak.
- Audit usage in the provider console after rotation to confirm the old key has zero traffic.
- Set per-key spend limits where the provider supports them, so a leaked key has a bounded blast radius.
- Prefer short-lived STS credentials over long-lived IAM access keys for Bedrock production traffic.
Pricing at a glance
Bedrock pricing mirrors the underlying provider, billed through AWS. Provisioned throughput is available for predictable latency and discounted bulk pricing.
FAQ
- Why does Bedrock need region?
- Models are deployed per region. us-east-1 has the broadest catalog; ap-northeast-1 / eu-central-1 have growing subsets.
- Why does my key validate but list zero models?
- Each Bedrock model needs to be opted in via the console (Model access page). The model exists but your account hasn't enabled it yet.
- Is the Bedrock body shape the same as Anthropic direct?
- Almost — anthropic_version becomes "bedrock-2023-05-31" instead of the date string Anthropic direct uses.
- Can I use the AWS SDK to call Bedrock?
- Yes, that's the recommended path. The SigV4 signing here is a manual workaround for browser/edge environments without the SDK.
- Does Bedrock support streaming?
- Yes, via InvokeModelWithResponseStream.
- How do I scope an IAM policy to one model?
- Use the bedrock:InvokeModel resource ARN with the foundation-model arn including the model id.