NQ example: fix token usage in code & docs (#401)

anfelbar · web-flow · commit 8b2893ca8921 · 2025-07-18T13:51:32.000-05:00
Towards linear/OND-1489
diff --git a/java/com/engflow/notificationqueue/Client.java b/java/com/engflow/notificationqueue/Client.java
@@ -84,9 +84,12 @@ public static void main(String[] args) throws Exception {
     }
     try {
       final Metadata header = new Metadata();
-      Metadata.Key<String> userKey =
-          Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);
-      header.put(userKey, "Bearer " + clientOptions.getOption("token"));
+      Metadata.Key<String> methodKey =
+          Metadata.Key.of("x-engflow-auth-method", Metadata.ASCII_STRING_MARSHALLER);
+      header.put(methodKey, "jwt-v0");
+      Metadata.Key<String> tokenKey =
+          Metadata.Key.of("x-engflow-auth-token", Metadata.ASCII_STRING_MARSHALLER);
+      header.put(tokenKey, clientOptions.getOption("token"));
       pull(channel, clientOptions.getOption("queue_name"), header, forwardChannel);
     } finally {
       if (channel != null) {
diff --git a/java/com/engflow/notificationqueue/README.md b/java/com/engflow/notificationqueue/README.md
@@ -44,30 +44,23 @@ bazel run //java/com/engflow/notificationqueue:client  -- \
 ```
 
 
-### Using tokens to run the client
+### Using JWT to run the client
 
-In the second for case authentication you should have a token issued by a
-valid authority. In this example we use cluster used by the 
-[open-source envoy-mobile](https://github.com/envoyproxy/envoy-mobile) project. 
-It uses [GitHub tokens](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) for authentication method but your server may support 
-other token provider. To execute the client against the envoy-mobile cluster add
-the argument
+In the second authentication case you should count with a valid token. On EngFlow clusters you may get a new access token by
+accessing the cluster's UI under the tab `Getting Started`. To execute the client against your cluster, add the argument
 
-1. `--token=token issued by valid authority`
+1. `--token=your-long-JWT-token`
    holds the authentication token.
    Needed for both `grpc://` and `grpcs://` connections
 
 Run the client using
 
 ```bash
 bazel run //java/com/engflow/notificationqueue:client  -- \
-      '--notification_queue_endpoint=grpcs://envoy.cluster.engflow.com' '--queue_name=eventstore/lifecycle-events' \
-      '--token=ghs_vHu2hAHwhg2EjBXrs4koOxk5PfSKVb2lzAUM'
+      '--notification_queue_endpoint=grpcs://$CLUSTER.cluster.engflow.com' '--queue_name=eventstore/lifecycle-events' \
+      '--token=DKiJ3eic9l150dDmzdMsaiu0K5boBle0UlkCefbgwzBE7G7FItgi2AOFpz6pkcMUFV3SkpAGikMckcaQhTTKUmGeZKpLh9gT6vTsi0v'
 ```
 
-Note: The token provided in the example is not valid. You should count with a 
-valid envoy-mobile token to use envoy-cluster. Change your target cluster and
-acquire a valid token for executing the client.
 
 ### Forwarding data to external server
 
