API Reference
REST API
Bedrock exposes a JSON-over-HTTPS API. Authenticate with an API key, send a request, get a response. Every endpoint, parameter, and schema below is generated from the same OpenAPI spec the SDK is built from.
Search
Filter every endpoint by method, path, summary, or operation id.
Base URLs
| Environment | Base URL |
|---|---|
| Production | https://api.bedrockcompliance.co.uk |
| Sandbox | https://api.staging.bedrockcompliance.co.uk |
| Local development | http://localhost:4000 |
Authentication
Most endpoints require an API key, sent in the X-Bedrock-Key header. Keys are scoped to a single firm and are issued from the Ledger admin dashboard. See Authentication for the full story including JWT-based browser authentication.
Endpoint groups
Endpoints are grouped by tag. Pick a group below.
Health check, public key, and certificate verification endpoints
Firm profile, settings, API keys, webhooks, and users
Impact assessments, incidents, vulnerability, bias, models, explainability, and reports
Immutable ledger records, certificates, and chain integrity
Review job submission and tracking
Error responses
Errors follow a single shape: a JSON body with statusCode, message, and error. See Error codes for the full list.
Rate limits
The API is rate-limited per API key. Limits are documented per endpoint where they differ from the default. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.
Versioning
Bedrock follows SemVer for its public spec. Breaking changes ship under a new path prefix (e.g. /v2/); additive changes ship in place. We commit to a twelve-month deprecation window on any prefix we remove.