API Reference

REST API

Bedrock exposes a JSON-over-HTTPS API. Authenticate with an API key, send a request, get a response. Every endpoint, parameter, and schema below is generated from the same OpenAPI spec the SDK is built from.

Base URLs

Environment	Base URL
Production	`https://api.bedrockcompliance.co.uk`
Staging	`https://api.staging.bedrockcompliance.co.uk`
Local development	`http://localhost:4000`

Authentication

Most endpoints require an API key, sent in the X-Bedrock-Key header. Keys are scoped to a single firm and are issued from the Ledger admin dashboard. See Authentication for the full story including JWT-based browser authentication.

Endpoint groups

Endpoints are grouped by tag. Pick a group below.

Firm33 endpoints

Firm self-service endpoints for API keys, webhooks, users, and settings

Ledger7 endpoints

Immutable ledger operations for records and certificates

Principal3 endpoints

Principal operations for submitting and tracking review jobs

Public1 endpoint

Public endpoints requiring no authentication

Error responses

Errors follow a single shape: a JSON body with statusCode, message, and error. See Error codes for the full list.

Rate limits

The API is rate-limited per API key. Limits are documented per endpoint where they differ from the default. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.

Versioning

Bedrock follows SemVer for its public spec. Breaking changes ship under a new path prefix (e.g. /v2/); additive changes ship in place. We commit to a twelve-month deprecation window on any prefix we remove.