AWS Bedrock.

Bedrock Agents call external services via action groups. Define an action group whose Lambda invokes Agent Cert's REST API, and your agent can produce certified Decision Receipts as part of its standard flow.

1. Create the action-group Lambda

A minimal Python Lambda (Node works the same):

import os
import json
import urllib.request

API_BASE = os.environ["AGENT_CERT_API_BASE"]
API_KEY = os.environ["AGENT_CERT_API_KEY"]

def lambda_handler(event, context):
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}

    body = json.dumps({
        "agent_id": params["agent_id"],
        "platform": "bedrock",
        "user_intent": params["user_intent"],
        "agent_output": params["agent_output"],
        "tools_used": json.loads(params.get("tools_used", "[]")),
        "retrieval_summary": params.get("retrieval_summary"),
        "policy_id": params.get("policy_id"),
    }).encode()

    req = urllib.request.Request(
        f"{API_BASE}/v1/receipts",
        data=body,
        headers={
            "X-API-Key": API_KEY,
            "Content-Type": "application/json",
        },
        method="POST",
    )

    with urllib.request.urlopen(req) as resp:
        result = json.loads(resp.read())

    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event["actionGroup"],
            "function": event["function"],
            "functionResponse": {
                "responseBody": {
                    "application/json": {"body": json.dumps(result)}
                }
            },
        },
    }

2. Define the action-group schema

In the Bedrock console, create an action group with this OpenAPI schema. Bedrock will surface certifyDecision as an available tool to the agent.

{
  "openapi": "3.0.0",
  "info": { "title": "Agent Cert", "version": "1.0.0" },
  "paths": {
    "/certify": {
      "post": {
        "operationId": "certifyDecision",
        "description": "Certify an AI decision with Agent Cert. Returns a signed, anchored receipt.",
        "parameters": [
          { "name": "agent_id", "in": "query", "required": true, "schema": { "type": "string" } },
          { "name": "user_intent", "in": "query", "required": true, "schema": { "type": "string" } },
          { "name": "agent_output", "in": "query", "required": true, "schema": { "type": "string" } },
          { "name": "tools_used", "in": "query", "schema": { "type": "string" } },
          { "name": "retrieval_summary", "in": "query", "schema": { "type": "string" } },
          { "name": "policy_id", "in": "query", "schema": { "type": "string" } }
        ],
        "responses": { "200": { "description": "Decision Receipt" } }
      }
    }
  }
}

3. Configure environment + permissions

• Lambda env vars: AGENT_CERT_API_BASE, AGENT_CERT_API_KEY
• Store the API key in AWS Secrets Manager, not directly in env
• Lambda execution role: standard AWSLambdaBasicExecutionRole plus secretsmanager:GetSecretValue for the API-key secret
• Bedrock Agent → Action groups → attach the Lambda

4. Instruct the agent to use it

In the agent instruction, add:

After producing any decision (approval, classification, recommendation), always call certifyDecision with the user's intent, your output, and the tools you used. Return the resulting verify_url to the user as proof.

Costs

• Each certifyDecision call: 3 Agent Cert credits.
• Lambda invocation: standard AWS Lambda pricing (negligible).
• API call: outbound HTTPS, single round-trip.

See also

• Full REST API reference
• Bind a policy instead of passing rules per call