Guessing it reads some credentials out of environment variables. The client side example shows the server issuing a token so I guess it's only the server that has/needs the credentials.
Yeah, reading that example looks like it's basically signed URLs, and you define the permissions by deciding who can receive a signed URL on your server. Not a big deal for my use cases.