NHSDigital · robbailiff2 · Jan 23, 2026 · Jan 23, 2026 · Jan 26, 2026 · Jan 27, 2026
diff --git a/.github/workflows/publish-specification.yaml b/.github/workflows/publish-specification.yaml
@@ -49,8 +49,15 @@ jobs:
           PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
         run: |
           mkdir -p ~/.proxygen
-          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+
+          if [ "${{ env.APIM_ENV }}" = "preprod" ]; then
+            ENV_PARAM="ptl"
+          else
+            ENV_PARAM="${{ env.APIM_ENV }}"
+          fi
+
+          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api-${ENV_PARAM}.pem
+          make setup-proxygen-credentials ENV=${ENV_PARAM}
 
       - name: Generate specification
         run: |
@@ -60,7 +67,10 @@ jobs:
         run: |
           if [ "${{ env.APIM_ENV }}" = "preprod" ]; then
             proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat --no-confirm
-          else
+          elif [ "${{ env.APIM_ENV }}" = "prod" ]; then
             proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml --no-confirm
+          else
+            echo "Error: Environment '${{ env.APIM_ENV }}' is not supported for publishing. Only 'preprod' and 'prod' are allowed."
+            exit 1
           fi
 
diff --git a/Makefile b/Makefile
@@ -53,39 +53,51 @@ config:: # Configure development environment (main) @Configuration
 #### Proxygen ####
 ##################
 
-retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment)
-	mkdir -p ~/.proxygen && \
-	aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \
-	> ~/.proxygen/eligibility-signposting-api.pem
-
-setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them
-	cd specification && cp -r .proxygen ~
+# Verify current AWS account login and retrieve the proxygen key
+# from AWS SSM for the specified environment
+retrieve-proxygen-key: guard-ENV
+	@ ./scripts/check-aws-account.sh $(ENV)
+	mkdir -p ~/.proxygen
+	aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption \
+	| jq -r ".Parameter.Value" \
+	> ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
+	echo "Retrieved proxygen key for '$(ENV)' environment"
+
+# Copy proxygen credentials for the specified environment to `~/.proxygen/`
+# This location required location for local proxygen usage
+setup-proxygen-credentials: guard-ENV
+	@ cd specification && \
+	cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \
+	cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml && \
+	echo "Set up proxygen credentials for the '$(ENV)' environment"
 
 get-spec: # Get the most recent specification live in proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec get
 
 get-spec-uat: # Get the most recent specification live in proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=ptl
 	proxygen spec get --uat
 
 publish-spec: # Publish the specification to proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml
 
 publish-spec-uat: # Publish the specification to proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=ptl
 	proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat
 
 delete-spec: # Delete the specification from proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec delete
 
 delete-spec-uat: # Delete the specification from proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=ptl
 	proxygen spec delete --uat
 
-# Specification
+#####################
+### Specification ###
+#####################
 
 guard-%:
 	@ if [ "${${*}}" = "" ]; then \

diff --git a/pyproject.toml b/pyproject.toml
@@ -10,7 +10,9 @@ requires-python = ">=3.11"
 repository = "https://github.com/NHSDigital/eligibility-signposting-api-specification"
 homepage = "https://digital.nhs.uk/developer/api-catalogue"
 keywords = ["healthcare", "uk", "nhs", "vaccination", "api"] #TODO add additional keywords
-package_mode = false
+
+[tool.poetry]
+package-mode = false
 
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]

diff --git a/scripts/check-aws-account.sh b/scripts/check-aws-account.sh
@@ -0,0 +1,39 @@
+
+#!/usr/bin/env bash
+set -e
+
+APIM_ENV_NAME="$1"
+
+# Map APIM environment names to AWS account ID and environment name
+case "$APIM_ENV_NAME" in
+  dev)
+    AWS_ENV_NAME="dev"
+    EXPECTED_ACCOUNT="448049830832"
+    ;;
+  ptl)
+    AWS_ENV_NAME="preprod" # Called 'preprod' in AWS and `ptl` in APIM
+    EXPECTED_ACCOUNT="203918864209"
+    ;;
+  prod)
+    AWS_ENV_NAME="prod"
+    EXPECTED_ACCOUNT="476114145616"
+    ;;
+  *)
+    echo "Unknown APIM environment: $APIM_ENV_NAME"
+    exit 1
+    ;;
+esac
+
+# Read the currently authenticated AWS account
+CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
+
+# Compare the current account with the expected account
+if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then
+  echo "AWS account mismatch!"
+  echo "The expected mapping for the argument 'ENV=$APIM_ENV_NAME' is AWS '$AWS_ENV_NAME' account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT."
+  echo "Please switch to the correct AWS account and try again."
+  echo "Exiting script..."
+  exit 1
+fi
+
+echo "Active login to AWS '$AWS_ENV_NAME' account $CURRENT_ACCOUNT verified."
diff --git a/specification/.proxygen/credentials-prod.yaml b/specification/.proxygen/credentials-prod.yaml
@@ -0,0 +1,4 @@
+client_id: eligibility-signposting-api-prod-client
+#private_key_path: eligibility-signposting-api-prod.pem
+private_key_path: eligibility-signposting-api.pem
+key_id: eligibility-signposting-api-prod
diff --git a/specification/.proxygen/credentials-ptl.yaml b/specification/.proxygen/credentials-ptl.yaml
@@ -0,0 +1,4 @@
+client_id: eligibility-signposting-api-ptl-client
+#private_key_path: eligibility-signposting-api-ptl.pem
+private_key_path: eligibility-signposting-api.pem
+key_id: eligibility-signposting-api-ptl
diff --git a/specification/.proxygen/settings-prod.yaml b/specification/.proxygen/settings-prod.yaml
@@ -0,0 +1,3 @@
+api: eligibility-signposting-api
+endpoint_url: https://proxygen.prod.api.platform.nhs.uk
+spec_output_format: yaml
diff --git a/specification/.proxygen/settings-ptl.yaml b/specification/.proxygen/settings-ptl.yaml
@@ -0,0 +1,3 @@
+api: eligibility-signposting-api
+endpoint_url: https://proxygen.ptl.api.platform.nhs.uk
+spec_output_format: yaml