Skip to content

NPA-6550: docs for proxygen setup #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ehallam wants to merge 3 commits into
base: main
Choose a base branch
from
Open

NPA-6550: docs for proxygen setup #125

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ab44534
NPA-6550: added proxygen key rotation docs
ehallam Apr 23, 2026
a54eeb7
NPA-6550: slight docs change
ehallam Apr 23, 2026
c35b1ac
NPA-6550: fix docs
ehallam Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions docs/developer-guides/Rotating_proxygen_keys.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
# Setting up Proxygen
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The document title is "Setting up Proxygen" but the file is named Rotating_proxygen_keys.md. This mismatch makes the doc harder to discover and link correctly. Consider renaming the file (or adjusting the title) so the filename reflects the actual content.

Suggested change
# Setting up Proxygen
# Rotating Proxygen keys

Copilot uses AI. Check for mistakes.

## Generating a key pair

You'll need to generate a public and private key pair before raising a service now request to create the proxygen API
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"service now" should be the product name "ServiceNow" (one word, proper capitalization) and this sentence is missing terminal punctuation. Adjusting this improves clarity and searchability.

Suggested change
You'll need to generate a public and private key pair before raising a service now request to create the proxygen API
You'll need to generate a public and private key pair before raising a ServiceNow request to create the proxygen API.

Copilot uses AI. Check for mistakes.

From the [APIM slack message](https://nhsuk.slack.com/archives/C016JRWN6AY/p1773828313442569):
```
Follow the new Key ID (KID) structure:

YYYY-mm-dd-PTL-<<api-name>>
YYYY-mm-dd-Prod-<<api-name>>
This enforces a 12-month expiry for all public keys (The date should be expiry date of the Public Key)
Copy link
Copy Markdown
Contributor

@davesmallnhs davesmallnhs Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth saying YYYY-mm-dd should be the expiry date, not today's date. This confused me, from what's written

```
Comment on lines +7 to +14
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fenced code block for the Slack quote is malformed (the opening fence includes text: "Follow..."). This will render incorrectly in Markdown. Put the opening on its own line (optionally with a language like text) and move the quote content onto the next line.

Copilot uses AI. Check for mistakes.

[These docs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-2-generate-a-key-pair) walkthrough how to generate the key pair. Once you've created your JWKS file called YOUR_KID.json you can move onto creating the proxygen deployment
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar: "walkthrough" is used as a verb here; consider "walks through" or "walk through". Also "move onto" should be "move on to". These small fixes make the instructions read more cleanly.

Suggested change
[These docs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-2-generate-a-key-pair) walkthrough how to generate the key pair. Once you've created your JWKS file called YOUR_KID.json you can move onto creating the proxygen deployment
[These docs](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-2-generate-a-key-pair) walk through how to generate the key pair. Once you've created your JWKS file called YOUR_KID.json you can move on to creating the proxygen deployment

Copilot uses AI. Check for mistakes.

## Creating the proxygen deployment

Once you have this key pair, you can raise a [service now request](https://nhsdigitallive.service-now.com/csm?id=sc_cat_item&sys_id=b5e2c7ee9777a610dd80f2df9153af87&sysparm_category=63f4716697731e90dd80f2df9153affe) with the information you used to create the key pair to "Create an API on Proxygen".

Once APIM have done this, they will provide you with a client ID in the service now request, e.g. im1-pfs-auth-client which you will need to setup machine access to the API.
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"setup" is used as a verb here; in prose it should typically be "set up" (verb) vs "setup" (noun/adjective). Aligning the phrasing helps readability.

Suggested change
Once APIM have done this, they will provide you with a client ID in the service now request, e.g. im1-pfs-auth-client which you will need to setup machine access to the API.
Once APIM have done this, they will provide you with a client ID in the service now request, e.g. im1-pfs-auth-client which you will need to set up machine access to the API.

Copilot uses AI. Check for mistakes.

## Setting up machine access

### Downloading proxygen-cli

proxygen-cli can be installed using pip

```
pip install proxygen-cli
```

To verify the installation

```
proxygen --version
```

This may not work initially - if it can't find proxygen then we need to find the install location and add it to our PATH

```
find ~ -name "proxygen" 2>/dev/null
```

You're looking for one that looks like `/Users/elliot/Library/Python/3.13/bin/proxygen`

Once you have this path, you can add it to your .zshrc with `export PATH="$PATH:/Users/elliot/Library/Python/3.13/bin/"`
Comment on lines +46 to +48
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This example uses a specific developer machine path (/Users/elliot/...) and a specific Python version. That’s likely to confuse others and will go stale. Prefer using $HOME/~ and/or a more general way to locate the user-base bin directory so the instructions work across machines.

Suggested change
You're looking for one that looks like `/Users/elliot/Library/Python/3.13/bin/proxygen`
Once you have this path, you can add it to your .zshrc with `export PATH="$PATH:/Users/elliot/Library/Python/3.13/bin/"`
You're looking for one that looks like `~/Library/Python/.../bin/proxygen`
Once you have this path, add the directory containing it to your `.zshrc`, for example with `export PATH="$PATH:$(dirname "$(find ~ -name "proxygen" 2>/dev/null | head -n 1)")"`

Copilot uses AI. Check for mistakes.

Remember to `source ~/.zshrc`

Rerun the above `proxygen --version` command to verify it's working

### .proxygen config files

To fully setup machine access, you will need a credentials.yaml and settings.yaml file inside of ~/.proxygen
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same "set up" vs "setup" issue: "To fully setup machine access" reads as a verb phrase, so "set up" would be clearer.

Suggested change
To fully setup machine access, you will need a credentials.yaml and settings.yaml file inside of ~/.proxygen
To fully set up machine access, you will need a credentials.yaml and settings.yaml file inside of ~/.proxygen

Copilot uses AI. Check for mistakes.

credentials.yaml
```
base_url: https://identity.{ptl | prod}.api.platform.nhs.uk/realms/api-producers
client_id: {Client ID}
Comment on lines +60 to +61
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base_url placeholder includes spaces and a | inside braces ({ptl | prod}), which makes it easy to accidentally copy/paste an invalid URL into credentials.yaml. Consider providing two explicit example URLs (one for PTL and one for PROD), or use a placeholder format without spaces/symbols that would break the URL.

Copilot uses AI. Check for mistakes.
key_id: {Key ID}
private_key_path: {Absolute path to private key}
```

settings.yaml
```
api: {API name}
endpoint_url: https://proxygen.{ptl | prod}.api.platform.nhs.uk
spec_output_format: yaml
Comment on lines +69 to +70
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as base_url: endpoint_url uses a {ptl | prod} placeholder that will produce an invalid URL if copied verbatim. Provide explicit PTL/PROD examples or a safer placeholder format.

Copilot uses AI. Check for mistakes.
```

## Pushing up a spec from your local machine

To verify you've set everything up correctly locally, you can run
```
proxygen instance deploy {Environment name e.g. internal-dev} {API Name} {path to spec}
```

To retrieve the spec you just published, you can run
```
proxygen instance get {Environment name e.g. internal-dev} {API Name}
```

## Deploying the spec via a pipeline
Loading