DEV Community: Azeem Siddiqui The latest articles on DEV Community by Azeem Siddiqui (@azeemsidd3). https://dev.to/azeemsidd3 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3997104%2F69d7e6ff-7a28-4f91-bfa7-22c0dafe39de.png DEV Community: Azeem Siddiqui https://dev.to/azeemsidd3 en If You're Giving Developers AI Tools, You Need Per-User Keys, Audit Logging, and Cost Controls on Day One Azeem Siddiqui Mon, 22 Jun 2026 14:36:48 +0000 https://dev.to/azeemsidd3/if-youre-giving-developers-ai-tools-you-need-per-user-keys-audit-logging-and-cost-controls-on-47ia https://dev.to/azeemsidd3/if-youre-giving-developers-ai-tools-you-need-per-user-keys-audit-logging-and-cost-controls-on-47ia <p>The rollout looks responsible. A team wants AI in their editors, so someone wires up the tooling against a hosted model, drops a shared key into the config, ships it to the team, and moves on to the next thing. An afternoon's work. Everyone's happy. It feels like the careful version of "just let people use it."</p> <p>It isn't, and the reason it isn't is that everything wrong with it is invisible on day one. There's no error. Nothing breaks. The tools work, the developers are productive, and the problems you've created don't announce themselves — they wait. That's what makes this the dangerous version, not the careful one.</p> <p>I've built the thing that sits between a team of developers and a hosted model — the gateway that fronts the API, hands out keys, and logs the traffic. And the single most useful decision I made was treating three controls as non-negotiable from the first commit rather than features to add once we'd "proven it out": per-user keys, audit logging, and cost controls. Not because we were big. Because they're trivial to build in and genuinely painful to bolt on later, and that asymmetry is the whole argument.</p> <h2> Per-user keys </h2> <p>A shared key is one key that everyone's tooling carries. It works right up until you need it not to.</p> <p>Someone leaves the company. Now you either rotate the key — which breaks every developer's tools at once and turns into a coordinated fire drill — or you don't, and a former employee's laptop still talks to your models. A key leaks into a screenshot, a commit, a pasted config in a support channel. Same fork. Rotate and break everyone, or shrug and hope. Neither is a position you want to be standing in.</p> <p>And every day in between, you can't answer the most basic question: who did this? Who sent that request? Who's responsible for that spike? With a shared key the answer is "the team," which is the same as no answer.</p> <p>Per-user keys make all of that boring. One person leaves, you deactivate one key, nobody else notices. One key leaks, you kill one key. Every request carries a person's identity, so "who did this" is a lookup instead of an investigation. The cost to build this in on day one is one table and a five-line CLI to mint a key. The cost to add it later is touching every developer's machine to swap the shared key for an individual one, coordinated across the whole team, while everyone's mid-task. Same outcome, an order of magnitude more pain, and you only do it after something already went wrong.</p> <h2> Audit logging </h2> <p>Here's a question someone will eventually ask you, and the only thing that varies is who and when: <em>what did the AI tool actually see, do, and cost?</em> Could be security after an incident. Could be compliance during a review. Could be you, at 2 a.m., trying to understand why something went sideways.</p> <p>If you logged from day one, that's a query. If you didn't, it's an investigation with no evidence, because the logs you didn't write don't exist. You cannot audit the past retroactively. That's the trap with logging specifically — every other control you can add late and at least cover yourself going forward, but the gap in your audit trail is permanent. The day you wish you'd been logging is the day it's already too late to have been.</p> <p>One thing worth getting right, since it's where I see people overcorrect: log metadata by default, not content. Who, when, which model, how many tokens, what it cost. The moment you start logging the actual prompts and completions, you've built a store of potentially sensitive text — source code, internal data, whatever developers paste in — and that store has its own retention, access, and compliance weight hanging off it. Good auditing isn't "record everything." It's recording enough to answer the questions you'll be asked, and making the choice to capture content a deliberate one with a reason behind it, not a default you backed into.</p> <h2> Cost controls </h2> <p>Token spend is invisible until the invoice, and AI usage is spiky in a way that makes that especially dangerous. It's not a smooth line you can extrapolate. It's a flat baseline with occasional cliffs — an agent stuck in a retry loop, someone pasting an entire repository into context, a script that was supposed to run once running ten thousand times. The spend that hurts you is the spend you didn't see coming, and without controls you see none of it coming.</p> <p>Two cheap things change that. A per-user cap, checked before the request goes through, so one runaway can't run away very far. And a budget alert at the provider level as a backstop, so even if your app-level accounting has a blind spot, the cloud bill itself trips a wire. The difference between having these and not is the difference between a Slack notification on a Tuesday and a meeting with finance about last month.</p> <p>Notice this one needs the first one. You can't cap or attribute spend per person if you can't tell people apart — per-user keys are what make per-user cost controls <em>possible</em>. The three aren't a checklist of separate features. They're one posture, and they reinforce each other: identity makes attribution possible, attribution makes both auditing and cost control meaningful, and all three come for nearly free if you lay them down together at the start.</p> <h2> "We're moving fast — isn't this premature?" </h2> <p>This is the real objection, and it deserves a real answer rather than a dismissal, because the instinct behind it is correct most of the time. Early on, you <em>shouldn't</em> gold-plate. Most "enterprise readiness" work genuinely is premature, and shipping beats polishing more often than engineers like to admit. If I thought these three were gold-plating, I'd agree with the objection.</p> <p>They're not, and here's the distinction. Gold-plating is work whose payoff is speculative and whose cost is the same whenever you do it. These three are the opposite: their payoff is near-certain — someone <em>will</em> leave, a key <em>will</em> leak, a bill <em>will</em> surprise you, given enough time — and their cost is wildly different depending on when you do them. A day at the start. A migration under pressure after an incident later. When the cost of doing something is low now and high later, and the need is a matter of when rather than if, "we're moving fast" is the argument <em>for</em> doing it now, not against. Speed is exactly why you don't want to be retrofitting auth and accounting across a live fleet six months from now.</p> <p>The fast path and the responsible path are the same path here. That's not usually true. It's true this time.</p> <h2> Day one is the cheap day </h2> <p>You don't earn these controls by hitting some headcount or some spend threshold where they suddenly become worth it. The first developer and the first key is the cheapest moment they'll ever be — one table, one CLI, one budget alert, an afternoon. Every day after that, the team grows, the configs proliferate, the unattributed spend piles up, and the same work gets a little more expensive and a little more disruptive to do.</p> <p>I built all three in on day one. It cost me about a day, and I have never once wished I'd skipped it. The regret in this space only ever runs the other direction — it's always the team that handed out a shared key and figured they'd sort out the rest later, standing in the rubble of a leaked credential or a surprise invoice, doing the expensive version of the work they could have done cheap. Do it cheap. Do it first.</p> ai devops security Centralized Logging Across a Mixed-OS Server Fleet with Grafana Alloy and Loki Azeem Siddiqui Mon, 22 Jun 2026 14:32:11 +0000 https://dev.to/azeemsidd3/centralized-logging-across-a-mixed-os-server-fleet-with-grafana-alloy-and-loki-51c6 https://dev.to/azeemsidd3/centralized-logging-across-a-mixed-os-server-fleet-with-grafana-alloy-and-loki-51c6 <p>For a long time, finding a log on our fleet meant SSH-ing into the box and running <code>grep</code>. Which box? Depends. If you knew exactly where the thing ran, fine. If you didn't — and during an incident you usually don't — you were hopping between hosts, scrolling Tomcat logs, trying to line up timestamps across three machines by eye. It works right up until the moment you need it to work fast.</p> <p>So I rolled out centralized logging: every log line from every server, in one place, queryable, with a Slack command so people didn't even have to open Grafana to check something. The stack is Grafana Alloy on each host shipping to Loki. This post is that rollout — including the parts the docs don't warn you about, which is most of what made it take longer than the happy-path tutorial suggests.</p> <p>A quick word on why Alloy and Loki, since there are other options. I'd run ELK before, and the Elasticsearch side is a lot of machine to feed and babysit for what amounts to "let me search my logs." Loki indexes labels, not the full log text, so it's dramatically cheaper to run and the storage footprint is sane. The paid SaaS log tools are great until you see the bill for a chatty fleet. Alloy is Grafana's agent — it replaced Promtail and the old Grafana Agent — and it does the collecting. The combination gave me searchable logs without standing up a search cluster or signing a contract.</p> <h2> What the pipeline looks like </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> each host central ┌───────────────┐ │ app logs │ │ /var/log/... │ │ │ │ │ Grafana │ push (HTTP) ┌──────────┐ ┌──────────┐ │ Alloy │ ───────────────► │ Loki │ ◄── │ Grafana │ │ (per box) │ └──────────┘ └──────────┘ └───────────────┘ ▲ │ LogQL over HTTP API ┌──────────┐ │ Slack bot│ └──────────┘ </code></pre> </div> <p>Alloy reads files on each host, tags each line with a few labels (which host, which environment, which service), and pushes to Loki. Grafana queries Loki for the dashboard view. The Slack bot hits Loki's HTTP API directly so people can pull logs without leaving the channel they're already in. That last piece turned out to be the one everybody actually uses.</p> <h2> Standing up Loki </h2> <p>For trying this out, a single Loki container is plenty. Here's a <code>docker-compose.yml</code> that gets you Loki and Grafana side by side:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">loki</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/loki:3.0.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3100:3100"</span> <span class="na">command</span><span class="pi">:</span> <span class="s">-config.file=/etc/loki/config.yaml</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./loki-config.yaml:/etc/loki/config.yaml</span> <span class="pi">-</span> <span class="s">loki-data:/loki</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/grafana:11.0.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GF_AUTH_ANONYMOUS_ENABLED=true</span> <span class="pi">-</span> <span class="s">GF_AUTH_ANONYMOUS_ORG_ROLE=Admin</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">loki-data</span><span class="pi">:</span> </code></pre> </div> <p>And a minimal <code>loki-config.yaml</code> that stores everything on the local filesystem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">auth_enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">server</span><span class="pi">:</span> <span class="na">http_listen_port</span><span class="pi">:</span> <span class="m">3100</span> <span class="na">common</span><span class="pi">:</span> <span class="na">instance_addr</span><span class="pi">:</span> <span class="s">127.0.0.1</span> <span class="na">path_prefix</span><span class="pi">:</span> <span class="s">/loki</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">filesystem</span><span class="pi">:</span> <span class="na">chunks_directory</span><span class="pi">:</span> <span class="s">/loki/chunks</span> <span class="na">rules_directory</span><span class="pi">:</span> <span class="s">/loki/rules</span> <span class="na">replication_factor</span><span class="pi">:</span> <span class="m">1</span> <span class="na">ring</span><span class="pi">:</span> <span class="na">kvstore</span><span class="pi">:</span> <span class="na">store</span><span class="pi">:</span> <span class="s">inmemory</span> <span class="na">schema_config</span><span class="pi">:</span> <span class="na">configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="s">2024-01-01</span> <span class="na">store</span><span class="pi">:</span> <span class="s">tsdb</span> <span class="na">object_store</span><span class="pi">:</span> <span class="s">filesystem</span> <span class="na">schema</span><span class="pi">:</span> <span class="s">v13</span> <span class="na">index</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">index_</span> <span class="na">period</span><span class="pi">:</span> <span class="s">24h</span> <span class="na">limits_config</span><span class="pi">:</span> <span class="na">retention_period</span><span class="pi">:</span> <span class="s">744h</span> <span class="c1"># 31 days</span> </code></pre> </div> <p><code>docker compose up -d</code> and you've got Loki listening on 3100 and Grafana on 3000.</p> <p>Filesystem storage is fine for a single node and for following along. In a real deployment I point <code>object_store</code> at S3 (or whatever object storage you've got) — Loki is built to keep chunks in object storage, and that's where it gets cheap and durable. Don't run a real fleet on local disk. But for getting the pipeline working end to end, this is one less thing to set up.</p> <h2> The Alloy agent </h2> <p>Now the part that runs on every host. Install on Debian/Ubuntu from Grafana's apt repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /etc/apt/keyrings/ wget <span class="nt">-q</span> <span class="nt">-O</span> - https://apt.grafana.com/gpg.key | gpg <span class="nt">--dearmor</span> <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/apt/keyrings/grafana.gpg <span class="o">&gt;</span> /dev/null <span class="nb">echo</span> <span class="s2">"deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/grafana.list <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> alloy </code></pre> </div> <p>On RHEL-family boxes (Rocky, Alma, and so on) it's the rpm repo and <code>dnf install alloy</code> instead. Same agent, different package manager — keep that in mind, because "mixed fleet" is the whole theme here and the install step is the first place it shows up.</p> <p>Alloy's config lives at <code>/etc/alloy/config.alloy</code> and it speaks its own config language. Here's a working config that watches an app's logs and ships them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Discover the files to read, and stamp each one with labels. local.file_match "app" { path_targets = [ { __path__ = "/var/log/myapp/*.log", host = constants.hostname, env = "prod", service = "api", }, ] } // Read those files. loki.source.file "app" { targets = local.file_match.app.targets forward_to = [loki.process.app.receiver] } // Process: stitch multiline entries, pull out the log level. loki.process "app" { stage.multiline { firstline = "^\\d{4}-\\d{2}-\\d{2}[ T]\\d{2}:\\d{2}:\\d{2}" max_wait_time = "3s" } stage.regex { expression = "\\s(?P&lt;level&gt;TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\\s" } stage.labels { values = { level = "" } } forward_to = [loki.write.central.receiver] } // Ship to Loki. loki.write "central" { endpoint { url = "http://loki-host:3100/loki/api/v1/push" } } </code></pre> </div> <p>The shape is always the same: find files, read files, process, write. The labels I set in <code>local.file_match</code> — <code>host</code>, <code>env</code>, <code>service</code> — ride along with every line, and they're what you'll select on later. <code>constants.hostname</code> fills in the box's hostname so you don't have to hardcode it per machine, which matters when you're templating this across a fleet.</p> <p>Reload after editing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl reload alloy journalctl <span class="nt">-u</span> alloy <span class="nt">-f</span> </code></pre> </div> <p>Watch that journal the first time. It'll tell you if it can't find files, can't reach Loki, or doesn't like your config — and one of those three is almost always your first problem.</p> <h2> Where "mixed-OS fleet" stops being a footnote </h2> <p>The happy-path tutorial assumes every box is the same and every log is readable. A real fleet is neither. Here's what actually slowed me down.</p> <p><strong>Permissions, every time.</strong> Alloy runs as the <code>alloy</code> user. Your application logs are very often owned by the app's user and group, mode <code>0640</code>, which means a process that isn't root and isn't in that group can't read them. Alloy starts up clean, reports no errors, and ships nothing — because it can't open the file, and "can't read it" looks a lot like "nothing to read." The fix is to put the <code>alloy</code> user in the app's group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>usermod <span class="nt">-aG</span> tomcat alloy <span class="nb">sudo </span>systemctl restart alloy </code></pre> </div> <p>I lost more time to this than I'd like to admit, precisely because it fails silently. If a host is shipping nothing and the journal looks fine, check whether <code>alloy</code> can actually <code>cat</code> the file. That's the first thing now.</p> <p><strong>The box that's two years past EOL.</strong> Every fleet has one. The distro's so old the vendor stopped shipping security patches, nobody's volunteering to migrate it, and it is of course running something important. The agent will usually still install, but the older init and a couple of defaults don't behave like they do on a current release, and you don't want a routine package update yanking the version out from under you. I pin the package version on those boxes and treat them as their own little special case rather than pretending they're like the rest.</p> <p><strong>Ripping out the old shipper.</strong> Most fleets that have been around a while already have <em>some</em> log agent — a leftover vendor thing, an old Promtail, a Filebeat somebody set up in 2019. Leave it running next to Alloy and you've got two processes tailing the same files, double-shipping, and a config nobody remembers the login for. Part of this rollout was finding and removing those:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl stop legacy-log-agent <span class="nb">sudo </span>systemctl disable legacy-log-agent </code></pre> </div> <p>Decommissioning the old thing is genuinely part of the job, not a cleanup task for later. Two agents disagreeing about what they've shipped is a debugging session you don't want.</p> <h2> Multiline: the parsing that bites everyone </h2> <p>Here's the one that everybody hits. A Java stack trace is one logical event spread across forty physical lines. By default, Alloy treats every line as its own log entry — so your stack trace lands in Loki as forty separate, context-free entries, and when you go looking for the error during an incident, you find the first line and none of the cause.</p> <p>The <code>stage.multiline</code> block fixes it, and the whole thing turns on one field: <code>firstline</code>. That regex describes what the <em>start</em> of a new entry looks like. Anything that doesn't match gets appended to the entry above it. So if your log lines begin with a timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>stage.multiline { firstline = "^\\d{4}-\\d{2}-\\d{2}[ T]\\d{2}:\\d{2}:\\d{2}" max_wait_time = "3s" } </code></pre> </div> <p>a new line that starts with <code>2024-01-15 10:23:45</code> is a new entry, and the indented <code>at com.example...</code> frames underneath it get glued on where they belong. One readable event instead of forty fragments.</p> <p>Now the part that actually cost me time. <strong>One firstline regex does not cover a mixed fleet</strong>, because different applications start their lines differently. One service logs ISO timestamps. Another leads with a bracketed <code>[2024-01-15T10:23:45]</code>. A third uses a syslog-style <code>Jan 15 10:23:45</code>. A regex tuned for the first silently fails on the others — and "silently" is the dangerous word. It doesn't error. It mostly looks fine. The single-line entries parse correctly, so the dashboards look healthy, and you don't find out the multiline is broken until you're staring at a stack trace shredded into thirty rows in the middle of an outage. That is the worst possible moment to learn your firstline regex was written for a different app.</p> <p>So I stopped trying to write one config to rule them all. Each application family gets its own firstline pattern, and I template the Alloy config per app-type — same skeleton, the <code>firstline</code> and the paths swapped in. The discipline is: when you onboard a new kind of app, go look at three or four raw log lines and confirm what the start-of-entry marker actually is <em>before</em> you trust the multiline. Thirty seconds of looking saves you that incident.</p> <p>One more knob: <code>max_wait_time</code> is how long Alloy waits for continuation lines before it gives up and flushes what it has. Too short and you'll occasionally guillotine the tail of a slow-written stack trace. A few seconds is a sane default.</p> <h2> Querying it: LogQL </h2> <p>With logs flowing, you query them with LogQL. It reads like PromQL's cousin. You start by selecting a stream with labels, then filter the text:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{env="prod", service="api"} |= "ERROR" </code></pre> </div> <p>That's "lines from the prod api service containing ERROR." The label selector narrows down which streams Loki even looks at — that's the cheap part — and the <code>|=</code> filters the text. A few more that I reach for constantly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{env="prod"} |= "ERROR" != "favicon" # errors fleet-wide, minus the noise {service="api"} | json | status &gt;= 500 # parse JSON logs, filter on a field {host="web-03"} | level="ERROR" # the label we extracted earlier sum by (service) (rate({env="prod"} |= "ERROR" [5m])) # error rate per service </code></pre> </div> <p>That last one is a metric built straight out of logs, which is where Loki starts earning its place beyond grep-in-a-box: you can alert on it.</p> <h2> Logs in Slack </h2> <p>The dashboard is fine, but the thing that got people to actually adopt this was the Slack bot. Nobody wants to context-switch to a browser to answer "is the api throwing errors right now." So the bot queries Loki's HTTP API and posts results back in the channel.</p> <p>The core is one function that hits Loki's <code>query_range</code> endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">queryLoki</span><span class="p">({</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">sinceMs</span><span class="p">,</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">50</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">end</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">000000`</span><span class="p">;</span> <span class="c1">// ns; Loki wants nanoseconds</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">sinceMs</span><span class="p">}</span><span class="s2">000000`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://loki-host:3100/loki/api/v1/query_range</span><span class="dl">"</span><span class="p">);</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">query</span><span class="dl">"</span><span class="p">,</span> <span class="nx">query</span><span class="p">);</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">start</span><span class="dl">"</span><span class="p">,</span> <span class="nx">start</span><span class="p">);</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">end</span><span class="dl">"</span><span class="p">,</span> <span class="nx">end</span><span class="p">);</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">limit</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nx">limit</span><span class="p">));</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">direction</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">backward</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// newest first</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// result: [{ stream: {labels...}, values: [[ts_ns, line], ...] }]</span> <span class="k">return</span> <span class="nx">body</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">result</span><span class="p">.</span><span class="nf">flatMap</span><span class="p">((</span><span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nx">values</span><span class="p">.</span><span class="nf">map</span><span class="p">(([</span><span class="nx">ts</span><span class="p">,</span> <span class="nx">line</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">ts</span><span class="p">,</span> <span class="nx">line</span> <span class="p">})));</span> <span class="p">}</span> </code></pre> </div> <p>A small gotcha lives in that first line. Loki timestamps are nanoseconds, and <code>Date.now()</code> gives milliseconds, so you'd naturally write <code>Date.now() * 1e6</code>. Don't — that number is bigger than JavaScript's safe integer range and you'll get a subtly wrong, rounded timestamp that makes your queries return the wrong window. Building the string by hand (<code>${Date.now()}000000</code>, six zeros for ms-to-ns) sidesteps the whole floating-point problem. This one is not in the docs; it's in the "why are my time ranges off" stage of debugging.</p> <p>Now wire it to a slash command. Using Slack's Bolt framework, a <code>/logs</code> command with a tiny argument parser handles the cases people actually ask for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">pkg</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@slack/bolt</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">App</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">pkg</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SLACK_BOT_TOKEN</span><span class="p">,</span> <span class="na">signingSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SLACK_SIGNING_SECRET</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// "/logs service=api ERROR" -&gt; {service="api"} |= "ERROR", last 15m</span> <span class="c1">// "/logs tail service=api" -&gt; same selector, last few lines</span> <span class="c1">// "/logs service=api ERROR yesterday" -&gt; shift the window back a day</span> <span class="kd">function</span> <span class="nf">parse</span><span class="p">(</span><span class="nx">text</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nf">split</span><span class="p">(</span><span class="sr">/</span><span class="se">\s</span><span class="sr">+/</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">selectors</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">filters</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">let</span> <span class="nx">sinceMs</span> <span class="o">=</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">50</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">t</span> <span class="k">of</span> <span class="nx">tokens</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">t</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">tail</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">t</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">yesterday</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">sinceMs</span> <span class="o">=</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">t</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">k</span><span class="p">,</span> <span class="nx">v</span><span class="p">]</span> <span class="o">=</span> <span class="nx">t</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">);</span> <span class="nx">selectors</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">k</span><span class="p">}</span><span class="s2">="</span><span class="p">${</span><span class="nx">v</span><span class="p">}</span><span class="s2">"`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">filters</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`|= "</span><span class="p">${</span><span class="nx">t</span><span class="p">}</span><span class="s2">"`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">`{</span><span class="p">${</span><span class="nx">selectors</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">, </span><span class="dl">"</span><span class="p">)}</span><span class="s2">} </span><span class="p">${</span><span class="nx">filters</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)}</span><span class="s2">`</span><span class="p">.</span><span class="nf">trim</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">sinceMs</span><span class="p">,</span> <span class="nx">limit</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">command</span><span class="p">(</span><span class="dl">"</span><span class="s2">/logs</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">({</span> <span class="nx">command</span><span class="p">,</span> <span class="nx">ack</span><span class="p">,</span> <span class="nx">respond</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">ack</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">sinceMs</span><span class="p">,</span> <span class="nx">limit</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">parse</span><span class="p">(</span><span class="nx">command</span><span class="p">.</span><span class="nx">text</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">rows</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">rows</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">queryLoki</span><span class="p">({</span> <span class="nx">query</span><span class="p">,</span> <span class="nx">sinceMs</span><span class="p">,</span> <span class="nx">limit</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">respond</span><span class="p">(</span><span class="s2">`Query failed: </span><span class="se">\`</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="se">\`</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">rows</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">respond</span><span class="p">(</span><span class="s2">`No matches for </span><span class="se">\`</span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="se">\`</span><span class="s2"> in the window.`</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">block</span> <span class="o">=</span> <span class="nx">rows</span> <span class="p">.</span><span class="nf">reverse</span><span class="p">()</span> <span class="c1">// oldest -&gt; newest reads better</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">line</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">3500</span><span class="p">);</span> <span class="c1">// stay under Slack's message limit</span> <span class="k">await</span> <span class="nf">respond</span><span class="p">(</span><span class="dl">"</span><span class="s2">``` </span><span class="se">\n</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">block</span> <span class="o">+</span> <span class="dl">"</span><span class="se">\n</span><span class="s2"> ```</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> </code></pre> </div> <p>So in any channel: <code>/logs service=api ERROR</code> gives you the last fifteen minutes of API errors, <code>tail</code> trims it to a handful of recent lines, and <code>yesterday</code> shifts the window when you're chasing something from the day before. The parser is deliberately dumb — label-ish tokens become selectors, bare words become line filters, two keywords adjust the window. It covers the questions people actually ask, and it's small enough to extend in an afternoon when they ask for more.</p> <p>(If you want to take this further, the same Loki results make a clean input to an LLM for "summarize what went wrong here" — but that's a different post.)</p> <h2> Before you trust it in production </h2> <p>A few things I'd make sure are handled before leaning on this:</p> <ul> <li> <strong>Object storage, not local disk.</strong> Point Loki at S3 or equivalent. Local filesystem is for the demo; it doesn't survive the node, and it doesn't scale.</li> <li> <strong>Retention, set on purpose.</strong> Decide how long you keep logs and configure <code>retention_period</code> to match — for compliance reasons, for cost reasons, or both. Don't let it default into "forever" by accident.</li> <li> <strong>Label cardinality is the trap.</strong> This is the Loki mistake. Labels are an index; every unique combination of label values is a separate stream. Put something high-cardinality in a label — a request ID, a user ID, a raw timestamp — and you'll blow up the index and bring Loki to its knees. Keep labels low-cardinality (host, env, service, level) and filter on everything else <em>inside</em> the query with <code>|=</code> and <code>| json</code>. When in doubt, it's a filter, not a label.</li> <li> <strong>Alert on patterns.</strong> Once error rate is a LogQL metric, wire an alert to it — a Grafana alert rule into a Slack channel, say — so a spike pages you instead of waiting to be noticed. The logs being centralized is step one; the logs telling you something's wrong before a human looks is the actual payoff.</li> </ul> <h2> Wrapping up </h2> <p>The rollout itself is the easy part: install Alloy, point it at your files, label the streams, ship to Loki. The work that doesn't show up in the quickstart is the fleet being a fleet — the permission that fails silently, the EOL box that needs special handling, the old agent you have to evict, and the multiline regex that's wrong for half your apps and won't admit it until the worst possible moment. None of those are hard once you know to look. They're just the difference between "it worked on my one test box" and "it works across everything I actually run."</p> <p>What you get at the end is worth the fuss: every line from every server in one place, a query language that turns logs into alertable metrics, and a Slack command that means people check the logs because it's easy instead of avoiding it because it isn't. The day an incident hits and the answer is one <code>/logs</code> away instead of a tour of five machines, the whole thing pays for itself.</p> ai grafana devops logs Putting an OpenAI-Compatible Gateway in Front of AWS Bedrock Azeem Siddiqui Mon, 22 Jun 2026 14:24:46 +0000 https://dev.to/azeemsidd3/putting-an-openai-compatible-gateway-in-front-of-aws-bedrock-5da8 https://dev.to/azeemsidd3/putting-an-openai-compatible-gateway-in-front-of-aws-bedrock-5da8 <p>The request that kicked this off was simple enough: the developers wanted an AI coding assistant in their editors. The constraints were where it got interesting. No AWS credentials on laptops. No third-party SaaS that meant a data-handling review. And whoever set it up had to be able to answer "who spent what" when the bill showed up.</p> <p>AWS Bedrock solved the backend question. The models are good, inference stays inside our account, and there's nothing to sign off on legally. The trouble is everything sitting <em>in front</em> of Bedrock.</p> <p>Here's the mismatch. Bedrock has its own API and authenticates with AWS SigV4. The tools developers actually reach for — Continue.dev, Cursor, aider, a big chunk of the LangChain ecosystem — all speak the OpenAI API instead: <code>POST /v1/chat/completions</code>, an <code>Authorization: Bearer</code> header, done. So if you want your team using their preferred tools against Bedrock, something has to bridge those two worlds.</p> <p>The naive bridge is to mint an IAM user per developer so their editor can sign requests. Don't do this. You'll have AWS credentials scattered across a dozen machines, no per-person attribution, and no way to throttle or cut off one person without going and editing IAM policies. I went a different way: a small gateway that speaks OpenAI on the front, Bedrock on the back, and owns auth, rate limiting, audit logging, and cost tracking in between.</p> <p>I've been running a version of this in production for a team of about a dozen developers. What follows is a clean, self-contained build of it — you can have it answering requests in an afternoon.</p> <h2> What we're building </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer tools (Continue.dev, Cursor, aider, curl) │ OpenAI format + Bearer key (sk-...) ▼ ┌──────────────────────────────────────┐ │ Gateway │ │ auth → rate limit → translate → │ │ call Bedrock → translate back → │ │ audit + cost log │ └──────────────────────────────────────┘ │ SigV4, one IAM role ▼ AWS Bedrock (Converse API) </code></pre> </div> <p>One IAM role lives on the gateway and nowhere else. Developers hold a <code>sk-...</code> key that I issue and can kill from one place. Every request passes through a single service, which is exactly where you want auth, throttling, and accounting to sit. That last point is the whole argument for doing this, so I'll keep coming back to it.</p> <p>Before any code: should you even build this? LiteLLM has a proxy that covers a lot of the same ground, and AWS publishes a <code>bedrock-access-gateway</code> sample. Look at both. I went custom because I wanted auth tied to our own notion of identity, audit logs in a shape our existing tooling already understood, and per-developer cost numbers rather than a per-key blob — and because the translation layer turned out to be about 80 lines. If your needs are generic, use the off-the-shelf option and save yourself the maintenance. If you want to own the four things in the title, it's a weekend, and you'll know every line.</p> <h2> Prerequisites </h2> <ul> <li>Node.js 18+ and an AWS account with Bedrock model access turned on. (You enable it per-model in the Bedrock console. For most models it's effectively instant.)</li> <li>An IAM role or user the gateway can assume, with <code>bedrock:InvokeModel</code> and <code>bedrock:InvokeModelWithResponseStream</code> on the model ARNs you plan to serve.</li> <li>Comfort with Express. Nothing fancy.</li> </ul> <p>I'm using SQLite here so the whole thing runs with zero external services. In production I back it with a managed database instead, but the schema doesn't change — you swap the driver and move on.</p> <h2> Step 1: Project setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>bedrock-gateway <span class="o">&amp;&amp;</span> <span class="nb">cd </span>bedrock-gateway npm init <span class="nt">-y</span> npm <span class="nb">install </span>express @aws-sdk/client-bedrock-runtime express-rate-limit better-sqlite3 </code></pre> </div> <p>Add <code>"type": "module"</code> to <code>package.json</code> so the ES module imports work.</p> <p>Give the gateway its AWS credentials however you normally would — an instance role if it's on EC2 or ECS, environment variables if you're running it locally to test. The one rule: these credentials live on the gateway and only on the gateway.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>us-east-1 </code></pre> </div> <h2> Step 2: The data layer (keys + usage) </h2> <p>Two tables. One maps an issued key to a developer. One records every call so you can audit it and bill it back.</p> <p><code>db.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">Database</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">better-sqlite3</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">(</span><span class="dl">"</span><span class="s2">gateway.db</span><span class="dl">"</span><span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nf">exec</span><span class="p">(</span><span class="s2">` CREATE TABLE IF NOT EXISTS api_keys ( id TEXT PRIMARY KEY, name TEXT NOT NULL, key_hash TEXT NOT NULL UNIQUE, active INTEGER NOT NULL DEFAULT 1, created_at TEXT NOT NULL DEFAULT (datetime('now')) ); CREATE TABLE IF NOT EXISTS usage ( id INTEGER PRIMARY KEY AUTOINCREMENT, developer_id TEXT NOT NULL, ts TEXT NOT NULL DEFAULT (datetime('now')), model TEXT NOT NULL, input_tokens INTEGER NOT NULL, output_tokens INTEGER NOT NULL, cost_usd REAL NOT NULL, latency_ms INTEGER NOT NULL, streamed INTEGER NOT NULL, status INTEGER NOT NULL ); `</span><span class="p">);</span> </code></pre> </div> <p>The keys table stores a hash of the key, never the key itself. You see the raw value once, at creation, and it's unrecoverable after that — same deal as a password. If <code>gateway.db</code> ever leaks, no usable key leaks with it.</p> <h2> Step 3: Issuing keys </h2> <p>A throwaway CLI so you can hand a developer a key without building a UI first:</p> <p><code>create-key.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./db.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">usage: node create-key.js </span><span class="se">\"</span><span class="s2">developer name</span><span class="se">\"</span><span class="dl">"</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">sk-</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">24</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">keyHash</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">raw</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="nx">db</span><span class="p">.</span><span class="nf">prepare</span><span class="p">(</span> <span class="dl">"</span><span class="s2">INSERT INTO api_keys (id, name, key_hash) VALUES (?, ?, ?)</span><span class="dl">"</span> <span class="p">).</span><span class="nf">run</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">keyHash</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Created key for </span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Key (shown once, store it now): </span><span class="p">${</span><span class="nx">raw</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node create-key.js <span class="s2">"Jordan"</span> <span class="c"># Key (shown once, store it now): sk-1f3c...e9a2</span> </code></pre> </div> <p>The <code>sk-</code> prefix is cosmetic, but it earns its keep. Some OpenAI-compatible clients sanity-check the shape of the key, and it tells the developer this drops into the same field where an OpenAI key would go. Small thing, fewer support pings.</p> <h2> Step 4: Auth middleware </h2> <p>Pull the bearer token, hash it, look it up. Attach the developer to the request so everything downstream — the rate limiter, the audit log — knows who's calling.</p> <p><code>auth.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./db.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lookup</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nf">prepare</span><span class="p">(</span> <span class="dl">"</span><span class="s2">SELECT id, name FROM api_keys WHERE key_hash = ? AND active = 1</span><span class="dl">"</span> <span class="p">);</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">authenticate</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">header</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/^Bearer</span><span class="se">\s</span><span class="sr">+</span><span class="se">(</span><span class="sr">.+</span><span class="se">)</span><span class="sr">$/i</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">match</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Missing bearer token</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">invalid_request_error</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">keyHash</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">match</span><span class="p">[</span><span class="mi">1</span><span class="p">]).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">dev</span> <span class="o">=</span> <span class="nx">lookup</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">keyHash</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">dev</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid API key</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">invalid_request_error</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">developer</span> <span class="o">=</span> <span class="nx">dev</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>I'm matching OpenAI's error envelope — <code>{ error: { message, type } }</code> — on purpose. Client tools parse that shape. Return a bare string and some of them surface a vague generic failure instead of your message, and then you're debugging "the gateway is down" tickets that were really just expired keys. Ask me how I know.</p> <h2> Step 5: The translation layer </h2> <p>This is the part that does the actual work. OpenAI's chat format and Bedrock's Converse format are close, with three differences that'll trip you up if you don't watch for them:</p> <ol> <li>Converse roles are only <code>user</code> and <code>assistant</code>. The system prompt goes in its own top-level <code>system</code> field, not in the messages array.</li> <li>Converse message content is an array of blocks — <code>[{ text: "..." }]</code> — not a plain string.</li> <li>Inference params live under <code>inferenceConfig</code>, and the keys are renamed (<code>maxTokens</code>, not <code>max_tokens</code>).</li> </ol> <p><code>bedrock.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">BedrockRuntimeClient</span><span class="p">,</span> <span class="nx">ConverseCommand</span><span class="p">,</span> <span class="nx">ConverseStreamCommand</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-bedrock-runtime</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BedrockRuntimeClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Friendly names the clients send -&gt; real Bedrock model IDs.</span> <span class="c1">// Check current IDs with: aws bedrock list-foundation-models</span> <span class="c1">// IDs and regional availability move around. If you need a model in a</span> <span class="c1">// region that doesn't host it directly, look at cross-region inference</span> <span class="c1">// profiles (the "us." / "eu." prefixed IDs).</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">MODELS</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">claude-3-5-sonnet</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">anthropic.claude-3-5-sonnet-20240620-v1:0</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">claude-3-5-haiku</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">anthropic.claude-3-5-haiku-20241022-v1:0</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// OpenAI content can be a string or an array of parts. Normalize to text.</span> <span class="kd">function</span> <span class="nf">extractText</span><span class="p">(</span><span class="nx">content</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">content</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">string</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="nx">content</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">content</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">content</span> <span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">p</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">p</span><span class="p">.</span><span class="nx">text</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="dl">""</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// OpenAI request body -&gt; Converse arguments</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">toBedrock</span><span class="p">(</span><span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">modelId</span> <span class="o">=</span> <span class="nx">MODELS</span><span class="p">[</span><span class="nx">body</span><span class="p">.</span><span class="nx">model</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">modelId</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ModelNotFound</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">model</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">system</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">messages</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">m</span> <span class="k">of</span> <span class="nx">body</span><span class="p">.</span><span class="nx">messages</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">m</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">system</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">text</span><span class="p">:</span> <span class="nf">extractText</span><span class="p">(</span><span class="nx">m</span><span class="p">.</span><span class="nx">content</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">messages</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">role</span><span class="p">:</span> <span class="nx">m</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="c1">// "user" | "assistant"</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">text</span><span class="p">:</span> <span class="nf">extractText</span><span class="p">(</span><span class="nx">m</span><span class="p">.</span><span class="nx">content</span><span class="p">)</span> <span class="p">}],</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">inferenceConfig</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">if </span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">max_tokens</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">inferenceConfig</span><span class="p">.</span><span class="nx">maxTokens</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">max_tokens</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">temperature</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">inferenceConfig</span><span class="p">.</span><span class="nx">temperature</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">temperature</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">top_p</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">)</span> <span class="nx">inferenceConfig</span><span class="p">.</span><span class="nx">topP</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">top_p</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">stop</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">inferenceConfig</span><span class="p">.</span><span class="nx">stopSequences</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">stop</span><span class="p">)</span> <span class="p">?</span> <span class="nx">body</span><span class="p">.</span><span class="nx">stop</span> <span class="p">:</span> <span class="p">[</span><span class="nx">body</span><span class="p">.</span><span class="nx">stop</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">modelId</span><span class="p">,</span> <span class="p">...(</span><span class="nx">system</span><span class="p">.</span><span class="nx">length</span> <span class="p">?</span> <span class="p">{</span> <span class="nx">system</span> <span class="p">}</span> <span class="p">:</span> <span class="p">{}),</span> <span class="nx">messages</span><span class="p">,</span> <span class="p">...(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">inferenceConfig</span><span class="p">).</span><span class="nx">length</span> <span class="p">?</span> <span class="p">{</span> <span class="nx">inferenceConfig</span> <span class="p">}</span> <span class="p">:</span> <span class="p">{}),</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">ModelNotFound</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{}</span> <span class="kd">const</span> <span class="nx">FINISH</span> <span class="o">=</span> <span class="p">{</span> <span class="na">end_turn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">stop</span><span class="dl">"</span><span class="p">,</span> <span class="na">stop_sequence</span><span class="p">:</span> <span class="dl">"</span><span class="s2">stop</span><span class="dl">"</span><span class="p">,</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="dl">"</span><span class="s2">length</span><span class="dl">"</span><span class="p">,</span> <span class="na">tool_use</span><span class="p">:</span> <span class="dl">"</span><span class="s2">tool_calls</span><span class="dl">"</span><span class="p">,</span> <span class="na">content_filtered</span><span class="p">:</span> <span class="dl">"</span><span class="s2">content_filter</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">finishReason</span><span class="p">(</span><span class="nx">stopReason</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">FINISH</span><span class="p">[</span><span class="nx">stopReason</span><span class="p">]</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">stop</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">converse</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">ConverseCommand</span><span class="p">(</span><span class="nx">args</span><span class="p">));</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">converseStream</span><span class="p">(</span><span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">ConverseStreamCommand</span><span class="p">(</span><span class="nx">args</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <h2> Step 6: Cost calculation </h2> <p>Bedrock bills per token, at a rate that depends on the model. Keep a price table and compute cost from the usage Bedrock hands back. Prices change, so I keep this in one file and treat it as config, not as numbers buried in the request path.</p> <p><code>pricing.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// USD per 1M tokens. Confirm against current Bedrock pricing before trusting it.</span> <span class="kd">const</span> <span class="nx">PRICES</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">claude-3-5-sonnet</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="mf">3.0</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="mf">15.0</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">claude-3-5-haiku</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="mf">0.8</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="mf">4.0</span> <span class="p">},</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">costUsd</span><span class="p">(</span><span class="nx">model</span><span class="p">,</span> <span class="nx">inputTokens</span><span class="p">,</span> <span class="nx">outputTokens</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nx">PRICES</span><span class="p">[</span><span class="nx">model</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">p</span><span class="p">)</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span><span class="nx">inputTokens</span> <span class="o">/</span> <span class="mi">1</span><span class="nx">e6</span><span class="p">)</span> <span class="o">*</span> <span class="nx">p</span><span class="p">.</span><span class="nx">input</span> <span class="o">+</span> <span class="p">(</span><span class="nx">outputTokens</span> <span class="o">/</span> <span class="mi">1</span><span class="nx">e6</span><span class="p">)</span> <span class="o">*</span> <span class="nx">p</span><span class="p">.</span><span class="nx">output</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Step 7: Wiring it together </h2> <p>Now the server pulls it all in: auth, a per-developer rate limiter, the two routes, and the audit-and-cost write that fires on every request.</p> <p><code>server.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express-rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./db.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authenticate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">toBedrock</span><span class="p">,</span> <span class="nx">converse</span><span class="p">,</span> <span class="nx">converseStream</span><span class="p">,</span> <span class="nx">finishReason</span><span class="p">,</span> <span class="nx">MODELS</span><span class="p">,</span> <span class="nx">ModelNotFound</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./bedrock.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">costUsd</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./pricing.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2mb</span><span class="dl">"</span> <span class="p">}));</span> <span class="kd">const</span> <span class="nx">recordUsage</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nf">prepare</span><span class="p">(</span><span class="s2">` INSERT INTO usage (developer_id, model, input_tokens, output_tokens, cost_usd, latency_ms, streamed, status) VALUES (?, ?, ?, ?, ?, ?, ?, ?) `</span><span class="p">);</span> <span class="c1">// One audit + cost write per request. Lives in a finally block so it runs</span> <span class="c1">// even when a streaming client hangs up mid-response.</span> <span class="kd">function</span> <span class="nf">audit</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="p">{</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">usage</span><span class="p">,</span> <span class="nx">latencyMs</span><span class="p">,</span> <span class="nx">streamed</span><span class="p">,</span> <span class="nx">status</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nx">usage</span><span class="p">?.</span><span class="nx">inputTokens</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">usage</span><span class="p">?.</span><span class="nx">outputTokens</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cost</span> <span class="o">=</span> <span class="nf">costUsd</span><span class="p">(</span><span class="nx">model</span><span class="p">,</span> <span class="nx">input</span><span class="p">,</span> <span class="nx">output</span><span class="p">);</span> <span class="nx">recordUsage</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">input</span><span class="p">,</span> <span class="nx">output</span><span class="p">,</span> <span class="nx">cost</span><span class="p">,</span> <span class="nx">latencyMs</span><span class="p">,</span> <span class="nx">streamed</span> <span class="p">?</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">status</span> <span class="p">);</span> <span class="c1">// Structured line for log shipping. Metadata only — no prompt or</span> <span class="c1">// completion text. Logging content is a privacy/compliance call you</span> <span class="c1">// make on purpose, not a default you back into.</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">evt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">llm_request</span><span class="dl">"</span><span class="p">,</span> <span class="na">developer</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">developer_id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">developer</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="na">input_tokens</span><span class="p">:</span> <span class="nx">input</span><span class="p">,</span> <span class="na">output_tokens</span><span class="p">:</span> <span class="nx">output</span><span class="p">,</span> <span class="na">cost_usd</span><span class="p">:</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">cost</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">6</span><span class="p">)),</span> <span class="na">latency_ms</span><span class="p">:</span> <span class="nx">latencyMs</span><span class="p">,</span> <span class="nx">streamed</span><span class="p">,</span> <span class="nx">status</span><span class="p">,</span> <span class="p">}));</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">);</span> <span class="c1">// Per-developer rate limit. The keyGenerator is the whole trick — it makes</span> <span class="c1">// the limit per-person instead of per-IP. Run more than one instance and</span> <span class="c1">// you'll want a shared store (rate-limit-redis), or each instance counts</span> <span class="c1">// its own window and the real limit is N times what you set.</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1</span><span class="dl">"</span><span class="p">,</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">,</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">keyGenerator</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">developer</span><span class="p">?.</span><span class="nx">id</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Rate limit exceeded</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">rate_limit_error</span><span class="dl">"</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1/models</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">object</span><span class="p">:</span> <span class="dl">"</span><span class="s2">list</span><span class="dl">"</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">MODELS</span><span class="p">).</span><span class="nf">map</span><span class="p">((</span><span class="nx">id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">id</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="dl">"</span><span class="s2">model</span><span class="dl">"</span><span class="p">,</span> <span class="na">owned_by</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bedrock-gateway</span><span class="dl">"</span><span class="p">,</span> <span class="p">})),</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/v1/chat/completions</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">started</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">model</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">model</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">streamed</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">stream</span> <span class="o">===</span> <span class="kc">true</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">usage</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">status</span> <span class="o">=</span> <span class="mi">200</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">args</span> <span class="o">=</span> <span class="nf">toBedrock</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">streamed</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">out</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">converse</span><span class="p">(</span><span class="nx">args</span><span class="p">);</span> <span class="nx">usage</span> <span class="o">=</span> <span class="nx">out</span><span class="p">.</span><span class="nx">usage</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nf">toCompletion</span><span class="p">(</span><span class="nx">model</span><span class="p">,</span> <span class="nx">out</span><span class="p">));</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">usage</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">streamCompletion</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">args</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">status</span> <span class="o">=</span> <span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ModelNotFound</span> <span class="p">?</span> <span class="mi">400</span> <span class="p">:</span> <span class="mi">502</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ModelNotFound</span> <span class="p">?</span> <span class="s2">`Unknown model: </span><span class="p">${</span><span class="nx">model</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Upstream model error</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ModelNotFound</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">invalid_request_error</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">api_error</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">headersSent</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="k">else</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">status</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">audit</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="p">{</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">usage</span><span class="p">,</span> <span class="na">latencyMs</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">started</span><span class="p">,</span> <span class="nx">streamed</span><span class="p">,</span> <span class="nx">status</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">toCompletion</span><span class="p">(</span><span class="nx">model</span><span class="p">,</span> <span class="nx">out</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">chatcmpl-</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">12</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">),</span> <span class="na">object</span><span class="p">:</span> <span class="dl">"</span><span class="s2">chat.completion</span><span class="dl">"</span><span class="p">,</span> <span class="na">created</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">),</span> <span class="nx">model</span><span class="p">,</span> <span class="na">choices</span><span class="p">:</span> <span class="p">[{</span> <span class="na">index</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">assistant</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">out</span><span class="p">.</span><span class="nx">output</span><span class="p">.</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nx">text</span> <span class="o">||</span> <span class="dl">""</span><span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">),</span> <span class="p">},</span> <span class="na">finish_reason</span><span class="p">:</span> <span class="nf">finishReason</span><span class="p">(</span><span class="nx">out</span><span class="p">.</span><span class="nx">stopReason</span><span class="p">),</span> <span class="p">}],</span> <span class="na">usage</span><span class="p">:</span> <span class="p">{</span> <span class="na">prompt_tokens</span><span class="p">:</span> <span class="nx">out</span><span class="p">.</span><span class="nx">usage</span><span class="p">.</span><span class="nx">inputTokens</span><span class="p">,</span> <span class="na">completion_tokens</span><span class="p">:</span> <span class="nx">out</span><span class="p">.</span><span class="nx">usage</span><span class="p">.</span><span class="nx">outputTokens</span><span class="p">,</span> <span class="na">total_tokens</span><span class="p">:</span> <span class="nx">out</span><span class="p">.</span><span class="nx">usage</span><span class="p">.</span><span class="nx">totalTokens</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Gateway listening on :3000</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <h2> Step 8: Streaming </h2> <p>Streaming is where gateways tend to get sloppy, and it's also where two of the four concerns get tested at once. Bedrock's <code>ConverseStream</code> gives you an async iterable of events; you translate each text delta into an OpenAI SSE chunk and flush it right away. The catch that got me the first time: token counts only show up in the final <code>metadata</code> event. If you care about cost tracking — and the entire point here is that you do — you have to let the stream finish, or at least catch that event, even when the client has already walked away.</p> <p>Add this to <code>server.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">streamCompletion</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/event-stream</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Cache-Control</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-cache</span><span class="dl">"</span><span class="p">,</span> <span class="na">Connection</span><span class="p">:</span> <span class="dl">"</span><span class="s2">keep-alive</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">chatcmpl-</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">12</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">created</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">send</span> <span class="o">=</span> <span class="p">(</span><span class="nx">delta</span><span class="p">,</span> <span class="nx">finish</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">chunk</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">id</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="dl">"</span><span class="s2">chat.completion.chunk</span><span class="dl">"</span><span class="p">,</span> <span class="nx">created</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="na">choices</span><span class="p">:</span> <span class="p">[{</span> <span class="na">index</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">delta</span><span class="p">,</span> <span class="na">finish_reason</span><span class="p">:</span> <span class="nx">finish</span> <span class="p">}],</span> <span class="p">};</span> <span class="nx">res</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">chunk</span><span class="p">)}</span><span class="s2">\n\n`</span><span class="p">);</span> <span class="p">};</span> <span class="kd">let</span> <span class="nx">usage</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">out</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">converseStream</span><span class="p">(</span><span class="nx">args</span><span class="p">);</span> <span class="nf">send</span><span class="p">({</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">assistant</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// first chunk carries the role, no content</span> <span class="k">for</span> <span class="k">await </span><span class="p">(</span><span class="kd">const</span> <span class="nx">event</span> <span class="k">of</span> <span class="nx">out</span><span class="p">.</span><span class="nx">stream</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">contentBlockDelta</span><span class="p">?.</span><span class="nx">delta</span><span class="p">?.</span><span class="nx">text</span><span class="p">)</span> <span class="p">{</span> <span class="nf">send</span><span class="p">({</span> <span class="na">content</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">contentBlockDelta</span><span class="p">.</span><span class="nx">delta</span><span class="p">.</span><span class="nx">text</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">messageStop</span><span class="p">)</span> <span class="p">{</span> <span class="nf">send</span><span class="p">({},</span> <span class="nf">finishReason</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">messageStop</span><span class="p">.</span><span class="nx">stopReason</span><span class="p">));</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">metadata</span><span class="p">?.</span><span class="nx">usage</span><span class="p">)</span> <span class="p">{</span> <span class="nx">usage</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">metadata</span><span class="p">.</span><span class="nx">usage</span><span class="p">;</span> <span class="c1">// this is the part you can't skip</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">data: [DONE]</span><span class="se">\n\n</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="k">return</span> <span class="nx">usage</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Two details that matter. The first chunk announces <code>{ role: "assistant" }</code> with no content — clients expect the role up front, once. And the terminating <code>data: [DONE]</code> line is part of the OpenAI contract; tools wait for it to know the stream closed cleanly, and they'll hang if it never comes.</p> <p>The reason the usage capture lives where it does: that function returns <code>usage</code>, and the route's <code>finally</code> block writes it. So a developer who cancels a long generation halfway through still gets billed for the tokens Bedrock actually produced. That's the difference between cost numbers that tie out at the end of the month and cost numbers that quietly run low and make you look like you don't know what your platform costs.</p> <h2> Testing it </h2> <p>Plain <code>curl</code>, no streaming:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:3000/v1/chat/completions <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer sk-YOUR-KEY"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "model": "claude-3-5-sonnet", "messages": [{"role": "user", "content": "Say hello in five words."}] }'</span> </code></pre> </div> <p>Streaming — note the <code>-N</code> so curl doesn't buffer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-N</span> http://localhost:3000/v1/chat/completions <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer sk-YOUR-KEY"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"model":"claude-3-5-haiku","stream":true, "messages":[{"role":"user","content":"Count to five."}]}'</span> </code></pre> </div> <p>And the test that actually matters — pointing a real editor at it. In Continue.dev, the gateway is just an "openai" provider with a custom base URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"models"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bedrock Gateway"</span><span class="p">,</span><span class="w"> </span><span class="nl">"provider"</span><span class="p">:</span><span class="w"> </span><span class="s2">"openai"</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"claude-3-5-sonnet"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiBase"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://your-gateway-host:3000/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sk-YOUR-KEY"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The developer never has to know Bedrock is back there. They get chat and autocomplete in their editor. You get a key you can revoke, a limit you can tune, and a usage row for every single call.</p> <h2> Checking the books </h2> <p>Cost tracking is only worth anything if you can read it back. The reason every usage row carries a developer id is so questions like "who's driving the bill this month" are one query and not an afternoon:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">k</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">requests</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">u</span><span class="p">.</span><span class="n">input_tokens</span><span class="p">)</span> <span class="k">AS</span> <span class="n">input_tokens</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">u</span><span class="p">.</span><span class="n">output_tokens</span><span class="p">)</span> <span class="k">AS</span> <span class="n">output_tokens</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="k">SUM</span><span class="p">(</span><span class="n">u</span><span class="p">.</span><span class="n">cost_usd</span><span class="p">),</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">cost_usd</span> <span class="k">FROM</span> <span class="k">usage</span> <span class="n">u</span> <span class="k">JOIN</span> <span class="n">api_keys</span> <span class="n">k</span> <span class="k">ON</span> <span class="n">k</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">u</span><span class="p">.</span><span class="n">developer_id</span> <span class="k">WHERE</span> <span class="n">u</span><span class="p">.</span><span class="n">ts</span> <span class="o">&gt;=</span> <span class="nb">datetime</span><span class="p">(</span><span class="s1">'now'</span><span class="p">,</span> <span class="s1">'-30 days'</span><span class="p">)</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">u</span><span class="p">.</span><span class="n">developer_id</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">cost_usd</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <p>I wire this into a dashboard and a monthly summary, but even the raw query does the job — it catches a runaway script the day it starts instead of the day the invoice lands.</p> <h2> What I'd add before calling it done </h2> <p>The build above is honest about what it is: a clean core, not a hardened production deployment. A few things I'd want in place before I trusted it with a real team:</p> <ul> <li> <strong>Shared rate-limit state.</strong> The in-memory limiter resets per process. Two instances behind a load balancer means a developer's real limit is double what you configured. Move the window into Redis with <code>rate-limit-redis</code>.</li> <li> <strong>A real database.</strong> SQLite is great for the tutorial and fine for one small instance. For anything multi-instance, point <code>db.js</code> at managed Postgres or MySQL. The schema is identical; it's a driver swap.</li> <li> <strong>Content logging is a decision.</strong> This gateway logs metadata only. The moment you start logging prompts and completions, you've created a store of possibly-sensitive text with its own retention, access, and compliance questions hanging off it. Choose that deliberately, write down why, and tell your developers either way.</li> <li> <strong>Budget guardrails.</strong> Usage rows let you <em>see</em> spend. A hard stop is a separate thing — add a per-developer monthly cap checked in the auth path, and set an account-level AWS budget alert as a backstop. When the app's number and AWS's number disagree, something in your accounting is wrong, and you want to find out from a graph, not a finance meeting.</li> <li> <strong>Key lifecycle.</strong> You've already got <code>active = 0</code> for revocation. Add rotation and an expiry column so contractor keys age out on their own instead of living forever.</li> <li> <strong>Health and timeouts.</strong> A <code>/healthz</code> route for your load balancer, and a request timeout so one stuck upstream call doesn't pin a connection open indefinitely.</li> </ul> <h2> Wrapping up </h2> <p>The whole thing is around 200 lines, and it converts "every developer holds AWS credentials and spend is a mystery" into "every developer holds a key I issued, every request is attributed to a person, and I can throttle or cut off anyone from one place." The translation layer — OpenAI in, Converse out — is small and it stays put. The four behaviors in the title aren't bolt-ons; they're the reason the service exists. Auth is one middleware. Rate limiting is one more. Audit and cost are a single write per request. You get all of it precisely <em>because</em> every call funnels through one service you control.</p> <p>If your requirements are generic, save yourself the upkeep and try LiteLLM or the AWS sample first. But if you want to own these four things end to end, it's a weekend of work — and the first time something goes sideways in production, knowing exactly why each piece is there pays for itself.</p> aws bedrock ai devops