Stratoclave: a tenant-aware credit gateway for Amazon Bedrock — now with OpenAI codex support

Stratoclave, an open-source tenant-aware credit gateway for Amazon Bedrock, now supports OpenAI codex and GPT-5.x models through Bedrock's `bedrock-mantle` endpoint. The single FastAPI service running on ECS Fargate provides per-user credit tracking and RBAC controls across Anthropic Messages API and OpenAI Responses API routes, using DynamoDB for credit reservation and audit logging without requiring Postgres, Redis, or a SaaS control plane.

If you let a team share a single AWS account for Amazon Bedrock, you quickly run into questions Bedrock alone does not answer: who called which model, under whose budget, through which identity. Stratoclave is a small OSS gateway that puts those answers in front of Bedrock without dragging in Postgres, Redis, or a SaaS control plane. It was originally written for myself — I just wanted per-user credits in front of Bedrock for personal use of Claude Code. It grew into something that now also covers OpenAI codex / GPT-5.x via Bedrock's bedrock-mantle endpoint. Repo: Apache 2.0, alpha littlemex/stratoclave Stratoclave is a single FastAPI service on ECS Fargate that exposes two inference routes: | Route | Wire format | Backend | |---|---|---| POST /v1/messages | Anthropic Messages API | bedrock:Converse in us-east-1 | POST /openai/v1/responses | OpenAI Responses API | bedrock-mantle in us-east-2 / us-west-2 | Both routes share the same DynamoDB-backed credit reservation, the same messages:send / responses:send RBAC scopes, the same audit log, and the same three identity paths Cognito password, AWS SSO via Vouch-by-STS, long-lived sk-stratoclave- keys . The control plane is one AWS region us-east-1 and one Fargate task. Bedrock for OpenAI is cross-region, but no second control-plane region is deployed. The web console login screen redirects to the Cognito Hosted UI for password / SSO sign-in; CLI users instead run stratoclave auth login and then bring this tab into focus with stratoclave ui open . The reason this exists. Every inference call atomically reserves max tokens + input estimate from the caller's budget with a conditional UpdateItem , invokes the upstream, then refunds the diff from the real token counts on return. UsageLogs always records the actual spend, not the reservation. Concurrent requests cannot race past the quota — the conditional write either commits or fails. The pipeline lives in one file backend/mvp/ pipeline.py and is shared between both routes — the OpenAI Responses route applies an extra reasoning-effort multiplier 1× / 2× / 4× / 8× for low / medium / high / xhigh on the upfront reservation because reasoning traces can blow output by an order of magnitude. The minimum reservation is 8 192 tokens regardless of multiplier. Personal usage history shows per-call token counts, model names, and credit spend drawn from the same UsageLogs table. The single behaviour I am proudest of. The CLI signs an sts:GetCallerIdentity request locally with SigV4, the backend forwards the signed payload to STS verbatim, and the backend trusts only the Arn / UserId / Account STS returns. No IdP refresh token ever touches the backend. The pattern is the same one HashiCorp Vault has used for a decade https://developer.hashicorp.com/vault/docs/auth/aws in its AWS iam auth method. Anything that populates ~/.aws/credentials works the same way: aws sso login , saml2aws , Entra ID / Okta / ADFS SAML federation, even a regular IAM user with long-lived keys default DENY unless explicitly allowed per trusted account . EC2 instance profiles are rejected by default because they cannot be attributed to a single human. A full backend compromise cannot pivot into the customer's IAM Identity Center or SAML IdP. The worst-case blast radius is bounded to Stratoclave's own resources — Bedrock overspend, DynamoDB tampering, impersonation within this deployment. The trusted-accounts admin page is where AWS account IDs and allowed role patterns fnmatch are managed — this is the allowlist that gates SSO logins from outside accounts. stratoclave codex -- "..." and stratoclave claude -- "..." A wrapper subcommand that mints a 30-minute ephemeral responses:send or messages:send key, hands it to the child process via env, and revokes the key on exit: bash $ stratoclave codex -- "Write a hello-world Python function" INFO Launching codex via Stratoclave proxy model=openai.gpt-5.4, key=sk-stratoclave-... INFO Child process uses an ephemeral responses-only API key; the Cognito bearer is not exported and the user's ~/.codex/config.toml is untouched. The child gets a key scoped to exactly one route; the user's Cognito bearer never leaves the parent process. MCP servers and tool subprocesses started by codex cannot pivot back into the user's stratoclave admin endpoints because the env they inherit doesn't carry the right credentials. The same wrapper exists for Claude Code stratoclave claude . They share the env-scrub list and the revoke-on-exit lifecycle through one Rust struct ChildLauncher so a fix to one applies to both. /.well-known/stratoclave-config One unauthenticated discovery endpoint that drives the entire CLI bootstrap: bash $ stratoclave setup https://<your .cloudfront.net $ stratoclave auth sso --profile your-aws-sso-profile or auth login --email $ stratoclave codex -- "..." The endpoint returns Cognito IDs, default model names, and OpenAI base path / supported regions when CODEX ENABLED=true . Old CLI binaries hitting a new backend deserialize cleanly because every new field is Optional . Anything that speaks Anthropic Messages or OpenAI Responses with a custom base url works. The CLI is just a quality-of-life wrapper. If you prefer using the OpenAI SDK directly: python import openai client = openai.OpenAI base url="https://<your .cloudfront.net/openai/v1", api key="sk-stratoclave-xxxxxxxx...", mint via web console or CLI resp = client.responses.create model="openai.gpt-5.4", input="Hello", print resp.output text Same for Anthropic: python from anthropic import Anthropic client = Anthropic base url="https://<your .cloudfront.net", api key="sk-stratoclave-xxxxxxxx...", print client.messages.create model="claude-opus-4-7", max tokens=1024, messages= {"role": "user", "content": "Hello"} , .content 0 .text Claude Desktop's Cowork Gateway mode and Cline / Continue / Aider with ANTHROPIC BASE URL work the same way. The personal API-keys page is where you manage long-lived sk-stratoclave- keys yourself — the same key-shape the wrapper subcommands mint ephemerally and revoke on exit. The admin flow from dashboard to a provisioned tenant member, top to bottom. The dashboard summarises tenants, users, recent activity, and credit consumption. The new-user form collects email, role admin / team lead / user , tenant assignment, and an initial credit budget. The user detail view shows assigned role, tenant, remaining vs total credit, and the user's own API keys. The tenant detail view lists members, their credit balances, and the tenant-wide monthly cap. The admin usage-logs page is the audit trail. Filter by tenant id , user id , and ISO-8601 since / until — backed by a PK Query when tenant id is set, a GSI Query when user id is set, and a Scan otherwise truncated at 100 rows . bedrock-mantle calls for OpenAI are cross-region us-east-2 / us-west-2 .| Dimension | Stratoclave | LiteLLM Proxy | |---|---|---| | Providers | Amazon Bedrock Claude family + OpenAI GPT-5.x | 100+ OpenAI, Anthropic, Bedrock, Vertex, Azure, Gemini, Ollama, … | | State | DynamoDB only serverless | Postgres required, Redis recommended | | RBAC | admin / team lead / user, tenant-scoped | Proxy / Internal User / Team, global / team / user / key / model budgets | | API keys | sk-stratoclave- , scope narrowing, cap of 5 active, immediate revoke | Virtual keys with expires / max budget / rpm limit / tpm limit / models | | SSO / STS | Built-in Vouch by STS, covers aws sso , saml2aws , IAM users | Enterprise tier Okta / Entra ID / OIDC / SAML | | Deploy | AWS CDK v2, Fargate from 256 CPU / 512 MiB | Docker / Helm / ECS / EKS / Cloud Run | | License | Apache 2.0 everything OSS | Dual license MIT + Commercial ; SSO / audit are commercial | | CLI integration | stratoclave claude -- / stratoclave codex -- ephemeral wrappers | ANTHROPIC BASE URL / OPENAI BASE URL env override | You're an AWS-native team that already has IAM Identity Center / saml2aws , you only call Bedrock, and you do not want to run an RDBMS for a proxy. You want per-tenant credit, per-user override, an audit trail, and the option to mint short-lived keys for CI without touching Postgres. You're not? Pick LiteLLM. Stratoclave is opinionated and small on purpose. Deploy to your AWS account git clone https://github.com/littlemex/stratoclave.git cd stratoclave export AWS PROFILE=your-admin-profile export AWS REGION=us-east-1 CDK DEFAULT REGION=us-east-1 export CDK DEFAULT ACCOUNT=$ aws sts get-caller-identity --query Account --output text cd iac && npm install && ./scripts/deploy-all.sh Build the CLI pre-built binaries TBD cd ../cli && cargo build --release export PATH="$PWD/target/release:$PATH" Bootstrap and use stratoclave setup https://<your .cloudfront.net stratoclave auth sso --profile <your-aws-sso-profile stratoclave codex -- "Hello, who are you?" stratoclave claude -- "Summarise this repository" Alpha. Public HTTP surfaces, DynamoDB schemas, and CDK construct props may change without notice until v0.1.0 is cut. Issues and pull requests welcome. If you read this far and the tradeoffs match your situation, I would be very glad to hear how the deploy goes.