What this covers
Agents built with the Strands Agents SDK, AWS’s open-source, model-driven agent SDK. Because the agentic loop runs in your code, every model invocation the agent makes is a standard SDK call that you can route through a TrustGate Gateway. This is fundamentally different from the managed AWS Bedrock Agents service, where orchestration happens inside AWS and TrustGate has to sit outside via the API surface.
- Surface: Gateway on the model hop; optionally API on the deployed agent endpoint.
- Who is this for: Python apps using strands-agents with any upstream model the Gateway supports (Bedrock, Anthropic, OpenAI, Azure OpenAI, Google, etc.).
Architecture
OpenAIModel as the single integration shape for any upstream — Bedrock, Anthropic, OpenAI, or anything else the Gateway is configured to route to.
Step-by-step setup
The upstream model provider’s credentials (Bedrock IAM, OpenAI API key, etc.) live on a provider Integration — your agent process never sees them. The Gateway Route just references that Integration. This is the same setup flow as any Gateway guide; the difference is only on the client (Step 5), where Strands’ OpenAIModel replaces a direct provider SDK.
Register the upstream model provider as an Integration
Integrations → Add Integration and pick the provider your agent’s model hops should go to:
- Bedrock — IAM role / access key / workload identity, region, models allowed.
- OpenAI — API key.
- Anthropic / Google / Azure OpenAI / Mistral / … — the provider’s native credentials.
Create a Gateway Integration
Integrations → Add Integration → Gateway. Pick Serverless or Dedicated, name it (e.g. strands-agents-prod), save, and copy the Endpoint from Gateway → Overview.
A default Route for the provider Integration from Step 2 is created automatically — it exposes /v1/chat/completions (the OpenAI Chat Completions path OpenAIModel targets) and does OpenAI↔provider translation on the wire. Add a Use Case like strands-agent or Tags on the Route for policy scoping if you want; no manual Route creation is needed.
Issue a Gateway API key
On the Gateway Integration’s API Keys tab, create a key. This is TG_API_KEY in the snippets below.
Point OpenAIModel at the Gateway
Set base_url to https://<gateway>.neuraltrust.ai/v1 and pass the TrustGate API key. model_id is whatever the upstream expects (Bedrock model ID for a Bedrock Integration, OpenAI model name for an OpenAI Integration, etc.). See the snippet below.
Client code
Point Strands’ OpenAIModel at the Gateway’s /v1 endpoint and authenticate with your TrustGate API key. The Gateway handles provider-specific translation and upstream auth:
- GATEWAY_BASE_URL points at the Gateway’s /v1 prefix (the OpenAI-compatible base path).
- model_id is whatever the upstream expects. For Bedrock upstreams, use the Bedrock model ID (anthropic.claude-sonnet-4-20250514-v1:0); for OpenAI upstreams, use the OpenAI model name (gpt-4o). The provider Integration bound to the Route decides which provider actually receives the call.
- api_key / X-TG-API-Key — the Gateway accepts the TrustGate key on either the standard Authorization: Bearer header (via OpenAI SDK’s api_key) or the X-TG-API-Key custom header. Passing both is safe and lets one config work across Gateway auth modes.
With tools
Wiring in tools is unchanged from standard Strands:
Deploy on AWS with BedrockAgentCore
If you’re deploying on AWS, the BedrockAgentCore runtime wraps a Strands agent in a production HTTP server with one decorator. The TrustGate integration is unchanged — the Gateway is still in front of the model call:
your client → BedrockAgentCore entrypoint → Strands Agent → OpenAIModel → TrustGate Gateway → upstream model.
Optionally, front the BedrockAgentCore endpoint itself with a TrustGate API engine to also inspect requests coming into the agent.
Tools
Strands tools are either MCP servers or Python functions decorated with @tool. Tool execution runs in your process, so TrustGate doesn’t see it automatically. Two ways to protect tools:
- Tools that call HTTP APIs — put those APIs behind their own Gateway route or API engine. Swap the tool’s base URL to point at TrustGate.
- MCP tools — if the MCP server you register with the agent is one you host, front it with a Gateway route (enable the streaming/SSE profile on the route for MCP’s transport).
Correlate hops into one conversation
Every model hop is an independent Explorer entry. To thread them into one logical session, pass a stable conversation ID on OpenAIModel.client_args.default_headers:
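The client setup from "Client code" and the conversation-ID header described here, combined in one added example (not TrustGate's or Strands' own snippet). The helper names, the list of provider environment variables and the sample model ID are assumptions; OpenAIModel, client_args, default_headers, X-TG-API-Key and x-conversation-id are the names the page uses.

```python
import os
import uuid
from urllib.parse import urlsplit

# Conventional env var names for upstream provider credentials (assumed list).
UPSTREAM_SECRET_VARS = ("OPENAI_API_KEY", "ANTHROPIC_API_KEY", "AWS_SECRET_ACCESS_KEY")


def upstream_secrets_in_env(env):
    """Names of provider credentials visible to the agent process; ideally empty."""
    return [name for name in UPSTREAM_SECRET_VARS if env.get(name)]


def gateway_client_args(base_url, tg_api_key, conversation_id=None):
    """Build the client_args dict that OpenAIModel passes to the OpenAI client."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Gateway base_url must be an https:// URL")
    if parts.path.rstrip("/") != "/v1":
        raise ValueError("Gateway base_url must end at the /v1 prefix")
    if not tg_api_key:
        raise ValueError("TrustGate API key is empty")
    return {
        "base_url": base_url.rstrip("/"),
        "api_key": tg_api_key,  # sent as Authorization: Bearer
        "default_headers": {
            "X-TG-API-Key": tg_api_key,
            # One stable ID per logical session threads every model hop together.
            "x-conversation-id": conversation_id or str(uuid.uuid4()),
        },
    }


def build_agent(model_id, client_args):
    """Create a Strands agent whose model hops all go through the Gateway."""
    # Imported lazily so the checks above run even where strands is not installed.
    from strands import Agent
    from strands.models.openai import OpenAIModel

    return Agent(model=OpenAIModel(client_args=client_args, model_id=model_id))


if __name__ == "__main__":
    leaked = upstream_secrets_in_env(os.environ)
    if leaked:
        print("warning: provider credentials present in agent env:", ", ".join(leaked))
    args = gateway_client_args(os.environ["GATEWAY_BASE_URL"], os.environ["TG_API_KEY"])
    agent = build_agent("gpt-4o", args)  # sample model ID for an OpenAI upstream
    print(agent("What is the capital of France?"))
```

Build client_args once per logical session and reuse it for every agent and sub-agent in that session so all hops carry the same x-conversation-id.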
Policies to apply
Because the Strands loop runs in your process and every model hop goes through the Gateway, policies fire on every iteration — the user prompt, each planner step, each tool-call request the model emits, and the final answer. Read the Policies & Enforcement page for the Where / When / Then authoring model and precedence rules.
Scope policies with the Gateways or Routes filter so the agent’s model route can have rules distinct from other Gateway traffic.
Block prompt injection on every hop
- Where — Gateway + filter Gateways = <your-gateway>
- When — Input · Triggers · Prompt Injection, Jailbreak
- Then — Block
Mask PII on inputs and outputs
- Where — Gateway + filter Gateways = <your-gateway>
- When — Input or Output · Triggers · Email Address, Phone Number, Credit Card, Social Security Number
- Then — Mask
retrieve, current_time, or similar built-in tools from making it back to the user or to subsequent model hops.
Block credential leakage
- Where — Gateway + filter Gateways = <your-gateway>
- When — Input or Output · Triggers · API Key / Secret
- Then — Block
Guard tool-call arguments
- Where — Gateway + filter Gateways = <your-gateway>
- When — Tool Call · Triggers · Suspicious Arguments, Prompt Injection
- Then — Block
http_request tool, where the model can synthesize arbitrary URLs and payloads. The tool call is inspected before your code dispatches it.
Moderate the final response
- Where — Gateway + filter Routes = <customer-facing-routes>
- When — Output · Triggers · Toxicity, Harmful Content
- Then — Block
Log mode first, review hits across multiple agent runs in Runtime → Logs, and promote to Mask / Block once the false-positive rate is acceptable. Mask / Block precedence means a narrow team policy can never weaken a broader organization-wide rule.
Limitations
- Per-hop inspection, not loop-wide — TrustGate inspects each model call independently. Correlate them with an x-conversation-id header if you want one logical session in Explorer.
- Tool execution is local — only HTTP-based tools can be protected by adding their own Gateway/API route. Pure Python tools (@tool functions with no network calls) are invisible to TrustGate by design.
- Streaming — Strands streams model responses by default. Enable the streaming profile on your Gateway route so the Gateway can inspect chunks in order; Mask and Block are applied when the stream completes.
- Multi-agent tools (workflow, graph, swarm) — sub-agent model hops produce additional Explorer entries. Use a shared conversation ID across sub-agents to keep them grouped.
References
- Introducing Strands Agents, an Open Source AI Agents SDK — the original announcement, including production deployment topologies.
- Strands Agents on GitHub.
- Amazon Bedrock AgentCore — the AWS runtime for serving Strands agents behind an HTTP endpoint.