guardian · waisingyiu · Jul 15, 2025 · Jul 8, 2025 · Jul 8, 2025 · Jul 11, 2025
@@ -0,0 +1,5 @@
+---
+"@guardian/pan-domain-node": minor
+---
+
+Download public key from S3 with AWS credential
@@ -40,16 +40,27 @@ Grace period:                          [------------- 24 hours ------]
 npm install --save-dev @guardian/pan-domain-node
 ```
 
+### Setup
+The library load the public key file from a S3 object.  Consuming applications can specify the S3 object via the arugments 'region', 'bucket' and 'keyFile' to the constructor of `PanDomainAuthentication` class as shown in the Initialisation below.
+
+Therefore, the application must run with an AWS credential that has read access to the S3 object in that bucket.
+
+You may refer to [Pan Domain authentication documentation](https://github.com/guardian/pan-domain-authentication) for details on how this authentication works. 
+
 ### Initialisation
 ```typescript
 import { PanDomainAuthentication, AuthenticationStatus, User, guardianValidation } from '@guardian/pan-domain-node';
+import { fromIni } from "@aws-sdk/credential-providers";
+
+const credentialsProvider = fromIni();  // get credentials locally using the default profile
 
 const panda = new PanDomainAuthentication(
   "gutoolsAuth-assym", // cookie name
   "eu-west-1", // AWS region
   "pan-domain-auth-settings", // Settings bucket
   "local.dev-gutools.co.uk.settings.public", // Settings file
-  guardianValidation
+  guardianValidation,
+  credentialsProvider, // it can be omitted if the app runs in AWS cloud.  In this case, "fromNodeProviderChain" is used by default.
 );
 
 // alternatively customise the validation function and pass at construction