How do I create tokens for users for object store for download only?

I am looking at the Object storage as a possible alternate option for use, but am not sure if this will work or not for my use case. Currently we provide various file sets that our partners and clients use. It would seem that object storage would be a natural fit for this, a partner can view the bucket and download what file they are interested in. Currently we have a download server and the partner provides a token for authority and the file downloads by hitting a target endpoint. Object storage seems more resilient, so no outage on a download server impacts anyone, and size is not so much of a concern.

I can set up different buckets for different types, but how do I generate a token pair that would restrict a partner to a certain bucket? I can't seem to find a way to provide any restriction or automate that process easily. I'm new to this, but it seems like there should be a way that I can generate a key pair, provide it to the partner for access, they only have access to one bucket. But how do I do automate this process of granting and revoking access for a third party to download a file via the URL from a bucket and not make the bucket public? Does object storage support this?