Proxy Invariants
These five invariants hold for every proxy request. They are the contract the proxy Lambda is built and tested against.
1. Tenant binding is always verified
The bearer JWT’s tenant_id claim — or the API key’s stored tenant_id — must equal the tenant resolved from the Host header. A mismatch is always a 403, never a 401.
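The binding check as an added example, not the proxy's own code. The Host-to-tenant lookup table, the function names, the 401 for a missing credential and the 403 for an unresolvable Host are assumptions made for illustration.

```python
from typing import Mapping, Optional

# Constructed sample data. How the proxy actually resolves a tenant from the
# Host header is not described on this page; a lookup table is assumed here.
HOST_TO_TENANT = {
    "acme.proxy.example.com": "tenant-acme",
    "globex.proxy.example.com": "tenant-globex",
}


def normalize_host(host_header: str) -> str:
    """Lowercase the Host value, drop a :port suffix and a trailing dot."""
    host = host_header.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def check_tenant_binding(
    host_header: Optional[str],
    credential_tenant_id: Optional[str],
    host_to_tenant: Mapping[str, str] = HOST_TO_TENANT,
) -> int:
    """Return the HTTP status the binding check yields: 200, 401 or 403.

    credential_tenant_id is the tenant_id claim of an already-verified JWT,
    or the tenant_id stored with an already-verified API key. None means
    authentication itself failed (assumed to map to 401).
    """
    if credential_tenant_id is None:
        return 401  # no valid credential: an authentication failure

    host_tenant = host_to_tenant.get(normalize_host(host_header or ""))
    if host_tenant is None:
        # Assumption: a Host that resolves to no tenant cannot equal the
        # credential's tenant, so it is handled as a mismatch.
        return 403

    if host_tenant != credential_tenant_id:
        return 403  # valid credential, wrong tenant: always 403, never 401

    return 200
```

Keeping the two failure modes on separate status codes lets alerting separate bad credentials (401) from a valid credential presented to another tenant's hostname (403).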
2. SSE bytes are never buffered or modified
The proxy streams Bedrock’s response bytes unchanged. Token counts are extracted from the final message_stop chunk after streaming completes — never by parsing or rewriting the stream mid-flight.
3. EMF metrics are always emitted
Metrics are emitted on every request, even on error or client disconnect.
Missing metrics mean missing billing — a Sev-2 condition.
4. DynamoDB tenant cache TTL is 60 seconds
A cold Lambda always reads DynamoDB; a warm Lambda may use the in-memory cache. Cache invalidation is not supported — config changes propagate in ≤60 seconds.
5. JWKS cache TTL is 1 hour
Cognito rotates keys rarely, so a one-hour cache is safe. On a JWKS fetch failure, the proxy fails over to the DynamoDB key path — it does not serve unauthenticated requests.