diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..3b41682
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+/mvnw text eol=lf
+*.cmd text eol=crlf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ad76eaf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,39 @@
+HELP.md
+target/
+.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+
+### Secrets ###
+service_account.json
+*.pem
+
+**/.DS_Store
\ No newline at end of file
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 0000000..5291372
--- /dev/null
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1,3 @@
+wrapperVersion=3.3.4
+distributionType=only-script
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.15/apache-maven-3.9.15-bin.zip
diff --git a/mvnw b/mvnw
new file mode 100755
index 0000000..bd8896b
--- /dev/null
+++ b/mvnw
@@ -0,0 +1,295 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Apache Maven Wrapper startup batch script, version 3.3.4
+#
+# Optional ENV vars
+# -----------------
+#   JAVA_HOME - location of a JDK home dir, required when download maven via java source
+#   MVNW_REPOURL - repo url base for downloading maven distribution
+#   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
+#   MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output
+# ----------------------------------------------------------------------------
+
+set -euf
+[ "${MVNW_VERBOSE-}" != debug ] || set -x
+
+# OS specific support.
+native_path() { printf %s\\n "$1"; }
+case "$(uname)" in
+CYGWIN* | MINGW*)
+  [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")"
+  native_path() { cygpath --path --windows "$1"; }
+  ;;
+esac
+
+# set JAVACMD and JAVACCMD
+set_java_home() {
+  # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched
+  if [ -n "${JAVA_HOME-}" ]; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ]; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+      JAVACCMD="$JAVA_HOME/jre/sh/javac"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+      JAVACCMD="$JAVA_HOME/bin/javac"
+
+      if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then
+        echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2
+        echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2
+        return 1
+      fi
+    fi
+  else
+    JAVACMD="$(
+      'set' +e
+      'unset' -f command 2>/dev/null
+      'command' -v java
+    )" || :
+    JAVACCMD="$(
+      'set' +e
+      'unset' -f command 2>/dev/null
+      'command' -v javac
+    )" || :
+
+    if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then
+      echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2
+      return 1
+    fi
+  fi
+}
+
+# hash string like Java String::hashCode
+hash_string() {
+  str="${1:-}" h=0
+  while [ -n "$str" ]; do
+    char="${str%"${str#?}"}"
+    h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296))
+    str="${str#?}"
+  done
+  printf %x\\n $h
+}
+
+verbose() { :; }
+[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; }
+
+die() {
+  printf %s\\n "$1" >&2
+  exit 1
+}
+
+trim() {
+  # MWRAPPER-139:
+  #   Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds.
+  #   Needed for removing poorly interpreted newline sequences when running in more
+  #   exotic environments such as mingw bash on Windows.
+  printf "%s" "${1}" | tr -d '[:space:]'
+}
+
+scriptDir="$(dirname "$0")"
+scriptName="$(basename "$0")"
+
+# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties
+while IFS="=" read -r key value; do
+  case "${key-}" in
+  distributionUrl) distributionUrl=$(trim "${value-}") ;;
+  distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;;
+  esac
+done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties"
+[ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
+
+case "${distributionUrl##*/}" in
+maven-mvnd-*bin.*)
+  MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/
+  case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in
+  *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;;
+  :Darwin*x86_64) distributionPlatform=darwin-amd64 ;;
+  :Darwin*arm64) distributionPlatform=darwin-aarch64 ;;
+  :Linux*x86_64*) distributionPlatform=linux-amd64 ;;
+  *)
+    echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2
+    distributionPlatform=linux-amd64
+    ;;
+  esac
+  distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip"
+  ;;
+maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;;
+*) MVN_CMD="mvn${scriptName#mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;;
+esac
+
+# apply MVNW_REPOURL and calculate MAVEN_HOME
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
+[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}"
+distributionUrlName="${distributionUrl##*/}"
+distributionUrlNameMain="${distributionUrlName%.*}"
+distributionUrlNameMain="${distributionUrlNameMain%-bin}"
+MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}"
+MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")"
+
+exec_maven() {
+  unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || :
+  exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD"
+}
+
+if [ -d "$MAVEN_HOME" ]; then
+  verbose "found existing MAVEN_HOME at $MAVEN_HOME"
+  exec_maven "$@"
+fi
+
+case "${distributionUrl-}" in
+*?-bin.zip | *?maven-mvnd-?*-?*.zip) ;;
+*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;;
+esac
+
+# prepare tmp dir
+if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then
+  clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; }
+  trap clean HUP INT TERM EXIT
+else
+  die "cannot create temp dir"
+fi
+
+mkdir -p -- "${MAVEN_HOME%/*}"
+
+# Download and Install Apache Maven
+verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+verbose "Downloading from: $distributionUrl"
+verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
+# select .zip or .tar.gz
+if ! command -v unzip >/dev/null; then
+  distributionUrl="${distributionUrl%.zip}.tar.gz"
+  distributionUrlName="${distributionUrl##*/}"
+fi
+
+# verbose opt
+__MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR=''
+[ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v
+
+# normalize http auth
+case "${MVNW_PASSWORD:+has-password}" in
+'') MVNW_USERNAME='' MVNW_PASSWORD='' ;;
+has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;;
+esac
+
+if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then
+  verbose "Found wget ... using wget"
+  wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl"
+elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then
+  verbose "Found curl ... using curl"
+  curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl"
+elif set_java_home; then
+  verbose "Falling back to use Java to download"
+  javaSource="$TMP_DOWNLOAD_DIR/Downloader.java"
+  targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName"
+  cat >"$javaSource" <<-END
+	public class Downloader extends java.net.Authenticator
+	{
+	  protected java.net.PasswordAuthentication getPasswordAuthentication()
+	  {
+	    return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() );
+	  }
+	  public static void main( String[] args ) throws Exception
+	  {
+	    setDefault( new Downloader() );
+	    java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() );
+	  }
+	}
+	END
+  # For Cygwin/MinGW, switch paths to Windows format before running javac and java
+  verbose " - Compiling Downloader.java ..."
+  "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java"
+  verbose " - Running Downloader.java ..."
+  "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")"
+fi
+
+# If specified, validate the SHA-256 sum of the Maven distribution zip file
+if [ -n "${distributionSha256Sum-}" ]; then
+  distributionSha256Result=false
+  if [ "$MVN_CMD" = mvnd.sh ]; then
+    echo "Checksum validation is not supported for maven-mvnd." >&2
+    echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  elif command -v sha256sum >/dev/null; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then
+      distributionSha256Result=true
+    fi
+  elif command -v shasum >/dev/null; then
+    if echo "$distributionSha256Sum  $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then
+      distributionSha256Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2
+    echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2
+    exit 1
+  fi
+  if [ $distributionSha256Result = false ]; then
+    echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2
+    echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2
+    exit 1
+  fi
+fi
+
+# unzip and move
+if command -v unzip >/dev/null; then
+  unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip"
+else
+  tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar"
+fi
+
+# Find the actual extracted directory name (handles snapshots where filename != directory name)
+actualDistributionDir=""
+
+# First try the expected directory name (for regular distributions)
+if [ -d "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" ]; then
+  if [ -f "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/bin/$MVN_CMD" ]; then
+    actualDistributionDir="$distributionUrlNameMain"
+  fi
+fi
+
+# If not found, search for any directory with the Maven executable (for snapshots)
+if [ -z "$actualDistributionDir" ]; then
+  # enable globbing to iterate over items
+  set +f
+  for dir in "$TMP_DOWNLOAD_DIR"/*; do
+    if [ -d "$dir" ]; then
+      if [ -f "$dir/bin/$MVN_CMD" ]; then
+        actualDistributionDir="$(basename "$dir")"
+        break
+      fi
+    fi
+  done
+  set -f
+fi
+
+if [ -z "$actualDistributionDir" ]; then
+  verbose "Contents of $TMP_DOWNLOAD_DIR:"
+  verbose "$(ls -la "$TMP_DOWNLOAD_DIR")"
+  die "Could not find Maven distribution directory in extracted archive"
+fi
+
+verbose "Found extracted Maven distribution directory: $actualDistributionDir"
+printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$actualDistributionDir/mvnw.url"
+mv -- "$TMP_DOWNLOAD_DIR/$actualDistributionDir" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME"
+
+clean || :
+exec_maven "$@"
diff --git a/mvnw.cmd b/mvnw.cmd
new file mode 100644
index 0000000..92450f9
--- /dev/null
+++ b/mvnw.cmd
@@ -0,0 +1,189 @@
+<# : batch portion
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Apache Maven Wrapper startup batch script, version 3.3.4
+@REM
+@REM Optional ENV vars
+@REM   MVNW_REPOURL - repo url base for downloading maven distribution
+@REM   MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven
+@REM   MVNW_VERBOSE - true: enable verbose log; others: silence the output
+@REM ----------------------------------------------------------------------------
+
+@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0)
+@SET __MVNW_CMD__=
+@SET __MVNW_ERROR__=
+@SET __MVNW_PSMODULEP_SAVE=%PSModulePath%
+@SET PSModulePath=
+@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @(
+  IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B)
+)
+@SET PSModulePath=%__MVNW_PSMODULEP_SAVE%
+@SET __MVNW_PSMODULEP_SAVE=
+@SET __MVNW_ARG0_NAME__=
+@SET MVNW_USERNAME=
+@SET MVNW_PASSWORD=
+@IF NOT "%__MVNW_CMD__%"=="" ("%__MVNW_CMD__%" %*)
+@echo Cannot start maven from wrapper >&2 && exit /b 1
+@GOTO :EOF
+: end batch / begin powershell #>
+
+$ErrorActionPreference = "Stop"
+if ($env:MVNW_VERBOSE -eq "true") {
+  $VerbosePreference = "Continue"
+}
+
+# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties
+$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl
+if (!$distributionUrl) {
+  Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties"
+}
+
+switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) {
+  "maven-mvnd-*" {
+    $USE_MVND = $true
+    $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip"
+    $MVN_CMD = "mvnd.cmd"
+    break
+  }
+  default {
+    $USE_MVND = $false
+    $MVN_CMD = $script -replace '^mvnw','mvn'
+    break
+  }
+}
+
+# apply MVNW_REPOURL and calculate MAVEN_HOME
+# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-<version>,maven-mvnd-<version>-<platform>}/<hash>
+if ($env:MVNW_REPOURL) {
+  $MVNW_REPO_PATTERN = if ($USE_MVND -eq $False) { "/org/apache/maven/" } else { "/maven/mvnd/" }
+  $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace "^.*$MVNW_REPO_PATTERN",'')"
+}
+$distributionUrlName = $distributionUrl -replace '^.*/',''
+$distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$',''
+
+$MAVEN_M2_PATH = "$HOME/.m2"
+if ($env:MAVEN_USER_HOME) {
+  $MAVEN_M2_PATH = "$env:MAVEN_USER_HOME"
+}
+
+if (-not (Test-Path -Path $MAVEN_M2_PATH)) {
+    New-Item -Path $MAVEN_M2_PATH -ItemType Directory | Out-Null
+}
+
+$MAVEN_WRAPPER_DISTS = $null
+if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) {
+  $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists"
+} else {
+  $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists"
+}
+
+$MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain"
+$MAVEN_HOME_NAME = ([System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join ''
+$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME"
+
+if (Test-Path -Path "$MAVEN_HOME" -PathType Container) {
+  Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME"
+  Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"
+  exit $?
+}
+
+if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) {
+  Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl"
+}
+
+# prepare tmp dir
+$TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile
+$TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir"
+$TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null
+trap {
+  if ($TMP_DOWNLOAD_DIR.Exists) {
+    try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
+    catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
+  }
+}
+
+New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null
+
+# Download and Install Apache Maven
+Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..."
+Write-Verbose "Downloading from: $distributionUrl"
+Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName"
+
+$webclient = New-Object System.Net.WebClient
+if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) {
+  $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD)
+}
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null
+
+# If specified, validate the SHA-256 sum of the Maven distribution zip file
+$distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum
+if ($distributionSha256Sum) {
+  if ($USE_MVND) {
+    Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties."
+  }
+  Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash
+  if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) {
+    Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property."
+  }
+}
+
+# unzip and move
+Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null
+
+# Find the actual extracted directory name (handles snapshots where filename != directory name)
+$actualDistributionDir = ""
+
+# First try the expected directory name (for regular distributions)
+$expectedPath = Join-Path "$TMP_DOWNLOAD_DIR" "$distributionUrlNameMain"
+$expectedMvnPath = Join-Path "$expectedPath" "bin/$MVN_CMD"
+if ((Test-Path -Path $expectedPath -PathType Container) -and (Test-Path -Path $expectedMvnPath -PathType Leaf)) {
+  $actualDistributionDir = $distributionUrlNameMain
+}
+
+# If not found, search for any directory with the Maven executable (for snapshots)
+if (!$actualDistributionDir) {
+  Get-ChildItem -Path "$TMP_DOWNLOAD_DIR" -Directory | ForEach-Object {
+    $testPath = Join-Path $_.FullName "bin/$MVN_CMD"
+    if (Test-Path -Path $testPath -PathType Leaf) {
+      $actualDistributionDir = $_.Name
+    }
+  }
+}
+
+if (!$actualDistributionDir) {
+  Write-Error "Could not find Maven distribution directory in extracted archive"
+}
+
+Write-Verbose "Found extracted Maven distribution directory: $actualDistributionDir"
+Rename-Item -Path "$TMP_DOWNLOAD_DIR/$actualDistributionDir" -NewName $MAVEN_HOME_NAME | Out-Null
+try {
+  Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null
+} catch {
+  if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) {
+    Write-Error "fail to move MAVEN_HOME"
+  }
+} finally {
+  try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null }
+  catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" }
+}
+
+Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD"
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..42c8b14
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>4.0.6</version>
+		<relativePath/>
+	</parent>
+	<groupId>com.example</groupId>
+	<artifactId>demo</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<properties>
+		<java.version>25</java.version>
+		<zitadel.tag>v4.15.0</zitadel.tag>
+		<zitadel.version>4.15.0</zitadel.version>
+		<grpc.version>1.69.0</grpc.version>
+		<protobuf.version>3.25.5</protobuf.version>
+		<googleapis.commit>master</googleapis.commit>
+		<protoc-gen-validate.version>v1.0.4</protoc-gen-validate.version>
+		<grpc-gateway.version>v2.20.0</grpc-gateway.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.auth0</groupId>
+			<artifactId>java-jwt</artifactId>
+			<version>4.4.0</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-netty-shaded</artifactId>
+			<version>${grpc.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-protobuf</artifactId>
+			<version>${grpc.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-stub</artifactId>
+			<version>${grpc.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.google.protobuf</groupId>
+			<artifactId>protobuf-java</artifactId>
+			<version>${protobuf.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.google.protobuf</groupId>
+			<artifactId>protobuf-java-util</artifactId>
+			<version>${protobuf.version}</version>
+		</dependency>
+		<!-- gRPC's generated code references javax.annotation.Generated -->
+		<dependency>
+			<groupId>org.apache.tomcat</groupId>
+			<artifactId>annotations-api</artifactId>
+			<version>6.0.53</version>
+			<scope>provided</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<extensions>
+			<extension>
+				<groupId>kr.motd.maven</groupId>
+				<artifactId>os-maven-plugin</artifactId>
+				<version>1.7.1</version>
+			</extension>
+		</extensions>
+		<plugins>
+			<!-- 1. Fetch Zitadel + 3rd-party proto sources into target/proto -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>3.1.0</version>
+				<executions>
+					<execution>
+						<id>fetch-protos</id>
+						<phase>generate-sources</phase>
+						<goals><goal>run</goal></goals>
+						<configuration>
+							<target xmlns:unless="ant:unless">
+								<property name="proto.root" value="${project.build.directory}/proto"/>
+								<property name="proto.deps" value="${project.build.directory}/proto"/>
+								<property name="proto.work" value="${project.build.directory}/proto-work"/>
+
+								<!-- Zitadel: download + extract proto/zitadel only if not already present -->
+								<condition property="zitadel.fetched">
+									<available file="${proto.root}/zitadel/user/v2/user_service.proto"/>
+								</condition>
+								<sequential unless:true="zitadel.fetched">
+									<mkdir dir="${proto.work}"/>
+									<get src="https://github.com/zitadel/zitadel/archive/refs/tags/${zitadel.tag}.tar.gz"
+									     dest="${proto.work}/zitadel.tar.gz"
+									     skipexisting="true"/>
+									<untar src="${proto.work}/zitadel.tar.gz" dest="${proto.work}" compression="gzip"/>
+									<mkdir dir="${proto.root}/zitadel"/>
+									<copy todir="${proto.root}/zitadel">
+										<fileset dir="${proto.work}/zitadel-${zitadel.version}/proto/zitadel"/>
+									</copy>
+								</sequential>
+
+								<!-- googleapis (we only need a few files) -->
+								<mkdir dir="${proto.deps}/google/api"/>
+								<get src="https://raw.githubusercontent.com/googleapis/googleapis/${googleapis.commit}/google/api/annotations.proto" dest="${proto.deps}/google/api/annotations.proto" skipexisting="true"/>
+								<get src="https://raw.githubusercontent.com/googleapis/googleapis/${googleapis.commit}/google/api/http.proto" dest="${proto.deps}/google/api/http.proto" skipexisting="true"/>
+								<get src="https://raw.githubusercontent.com/googleapis/googleapis/${googleapis.commit}/google/api/field_behavior.proto" dest="${proto.deps}/google/api/field_behavior.proto" skipexisting="true"/>
+
+								<!-- protoc-gen-validate -->
+								<mkdir dir="${proto.deps}/validate"/>
+								<get src="https://raw.githubusercontent.com/bufbuild/protoc-gen-validate/${protoc-gen-validate.version}/validate/validate.proto" dest="${proto.deps}/validate/validate.proto" skipexisting="true"/>
+
+								<!-- grpc-gateway openapiv2 options -->
+								<mkdir dir="${proto.deps}/protoc-gen-openapiv2/options"/>
+								<get src="https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/${grpc-gateway.version}/protoc-gen-openapiv2/options/annotations.proto" dest="${proto.deps}/protoc-gen-openapiv2/options/annotations.proto" skipexisting="true"/>
+								<get src="https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/${grpc-gateway.version}/protoc-gen-openapiv2/options/openapiv2.proto" dest="${proto.deps}/protoc-gen-openapiv2/options/openapiv2.proto" skipexisting="true"/>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+
+			<!-- 2. Compile zitadel/user/v2 (and transitively required) protos to Java + gRPC stubs -->
+			<plugin>
+				<groupId>org.xolstice.maven.plugins</groupId>
+				<artifactId>protobuf-maven-plugin</artifactId>
+				<version>0.6.1</version>
+				<configuration>
+					<protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
+					<pluginId>grpc-java</pluginId>
+					<pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+					<protoSourceRoot>${project.build.directory}/proto</protoSourceRoot>
+					<includes>
+						<include>zitadel/user/v2/*.proto</include>
+						<include>zitadel/object/v2/*.proto</include>
+						<include>zitadel/filter/v2/*.proto</include>
+						<include>zitadel/metadata/v2/*.proto</include>
+						<include>zitadel/protoc_gen_zitadel/v2/*.proto</include>
+						<include>validate/validate.proto</include>
+						<include>protoc-gen-openapiv2/options/*.proto</include>
+					</includes>
+				</configuration>
+				<executions>
+					<execution>
+						<goals>
+							<goal>compile</goal>
+							<goal>compile-custom</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>
diff --git a/src/main/java/com/example/demo/DemoApplication.java b/src/main/java/com/example/demo/DemoApplication.java
new file mode 100644
index 0000000..64b538a
--- /dev/null
+++ b/src/main/java/com/example/demo/DemoApplication.java
@@ -0,0 +1,13 @@
+package com.example.demo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DemoApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(DemoApplication.class, args);
+	}
+
+}
diff --git a/src/main/java/com/example/demo/zitadel/BearerTokenInterceptor.java b/src/main/java/com/example/demo/zitadel/BearerTokenInterceptor.java
new file mode 100644
index 0000000..397f05d
--- /dev/null
+++ b/src/main/java/com/example/demo/zitadel/BearerTokenInterceptor.java
@@ -0,0 +1,33 @@
+package com.example.demo.zitadel;
+
+import io.grpc.CallCredentials;
+import io.grpc.Metadata;
+import io.grpc.Status;
+
+import java.util.concurrent.Callable;
+import java.util.concurrent.Executor;
+
+class BearerTokenInterceptor extends CallCredentials {
+
+	private static final Metadata.Key<String> AUTHORIZATION =
+		Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);
+
+	private final Callable<String> tokenSource;
+
+	BearerTokenInterceptor(Callable<String> tokenSource) {
+		this.tokenSource = tokenSource;
+	}
+
+	@Override
+	public void applyRequestMetadata(RequestInfo requestInfo, Executor appExecutor, MetadataApplier applier) {
+		appExecutor.execute(() -> {
+			try {
+				Metadata headers = new Metadata();
+				headers.put(AUTHORIZATION, "Bearer " + tokenSource.call());
+				applier.apply(headers);
+			} catch (Exception e) {
+				applier.fail(Status.UNAUTHENTICATED.withDescription("token fetch failed").withCause(e));
+			}
+		});
+	}
+}
diff --git a/src/main/java/com/example/demo/zitadel/ListUsersRunner.java b/src/main/java/com/example/demo/zitadel/ListUsersRunner.java
new file mode 100644
index 0000000..62db359
--- /dev/null
+++ b/src/main/java/com/example/demo/zitadel/ListUsersRunner.java
@@ -0,0 +1,39 @@
+package com.example.demo.zitadel;
+
+import io.grpc.StatusRuntimeException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.stereotype.Component;
+import zitadel.user.v2.UserServiceGrpc.UserServiceBlockingStub;
+import zitadel.user.v2.UserServiceOuterClass.ListUsersRequest;
+import zitadel.user.v2.UserServiceOuterClass.ListUsersResponse;
+import zitadel.user.v2.UserOuterClass.User;
+
+@Component
+class ListUsersRunner implements CommandLineRunner {
+
+	private static final Logger log = LoggerFactory.getLogger(ListUsersRunner.class);
+
+	private final UserServiceBlockingStub userService;
+
+	ListUsersRunner(UserServiceBlockingStub userService) {
+		this.userService = userService;
+	}
+
+	@Override
+	public void run(String... args) {
+		try {
+
+			ListUsersResponse response = userService.listUsers(ListUsersRequest.newBuilder().build());
+			log.info("Zitadel returned {} users (total {}):",
+					response.getResultCount(), response.getDetails().getTotalResult());
+			for (User user : response.getResultList()) {
+				log.info("  - {} ({})", user.getUserId(), user.getPreferredLoginName());
+			}
+		} catch (StatusRuntimeException e) {
+			log.error("ListUsers failed: status={} description={}",
+					e.getStatus().getCode(), e.getStatus().getDescription());
+		}
+	}
+}
diff --git a/src/main/java/com/example/demo/zitadel/ZitadelGrpcConfig.java b/src/main/java/com/example/demo/zitadel/ZitadelGrpcConfig.java
new file mode 100644
index 0000000..9a096c0
--- /dev/null
+++ b/src/main/java/com/example/demo/zitadel/ZitadelGrpcConfig.java
@@ -0,0 +1,47 @@
+package com.example.demo.zitadel;
+
+import io.grpc.ManagedChannel;
+import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
+import jakarta.annotation.PreDestroy;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import zitadel.user.v2.UserServiceGrpc;
+import zitadel.user.v2.UserServiceGrpc.UserServiceBlockingStub;
+
+import java.util.concurrent.TimeUnit;
+
+@Configuration
+@EnableConfigurationProperties(ZitadelProperties.class)
+public class ZitadelGrpcConfig {
+
+	private ManagedChannel channel;
+
+	@Bean
+	ManagedChannel zitadelChannel(ZitadelProperties props) {
+		// Strip the port from :authority — Zitadel's instance lookup matches on hostname,
+		// and forAddress() sets :authority to "host:port" which doesn't match ExternalDomain.
+		NettyChannelBuilder builder = NettyChannelBuilder.forAddress(props.getHost(), props.getPort())
+			.overrideAuthority(props.getHost());
+		if (props.isPlaintext()) {
+			builder.usePlaintext();
+		} else {
+			builder.useTransportSecurity();
+		}
+		this.channel = builder.build();
+		return this.channel;
+	}
+
+	@Bean
+	UserServiceBlockingStub userServiceStub(ManagedChannel channel, ZitadelTokenSource tokens) {
+		return UserServiceGrpc.newBlockingStub(channel)
+			.withCallCredentials(new BearerTokenInterceptor(tokens::currentToken));
+	}
+
+	@PreDestroy
+	void shutdown() throws InterruptedException {
+		if (channel != null) {
+			channel.shutdown().awaitTermination(5, TimeUnit.SECONDS);
+		}
+	}
+}
diff --git a/src/main/java/com/example/demo/zitadel/ZitadelProperties.java b/src/main/java/com/example/demo/zitadel/ZitadelProperties.java
new file mode 100644
index 0000000..baf5fc0
--- /dev/null
+++ b/src/main/java/com/example/demo/zitadel/ZitadelProperties.java
@@ -0,0 +1,32 @@
+package com.example.demo.zitadel;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "zitadel")
+public class ZitadelProperties {
+
+	private String host;
+	private int port = 443;
+	private boolean plaintext = false;
+	/** Path to the Zitadel-generated machine-user JSON key (type/keyId/userId/key). */
+	private String keyPath;
+	/** OIDC audience / issuer. Defaults to https://{host}. */
+	private String audience;
+
+	public String getHost() { return host; }
+	public void setHost(String host) { this.host = host; }
+
+	public int getPort() { return port; }
+	public void setPort(int port) { this.port = port; }
+
+	public boolean isPlaintext() { return plaintext; }
+	public void setPlaintext(boolean plaintext) { this.plaintext = plaintext; }
+
+	public String getKeyPath() { return keyPath; }
+	public void setKeyPath(String keyPath) { this.keyPath = keyPath; }
+
+	public String getAudience() {
+		return audience != null ? audience : "https://" + host;
+	}
+	public void setAudience(String audience) { this.audience = audience; }
+}
diff --git a/src/main/java/com/example/demo/zitadel/ZitadelTokenSource.java b/src/main/java/com/example/demo/zitadel/ZitadelTokenSource.java
new file mode 100644
index 0000000..8683dee
--- /dev/null
+++ b/src/main/java/com/example/demo/zitadel/ZitadelTokenSource.java
@@ -0,0 +1,132 @@
+package com.example.demo.zitadel;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.springframework.stereotype.Component;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyFactory;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Date;
+
+@Component
+class ZitadelTokenSource {
+
+	/** Required to make the token usable against the Zitadel API. */
+	private static final String ZITADEL_API_SCOPE = "openid urn:zitadel:iam:org:project:id:zitadel:aud";
+	private static final String JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+
+	private final ZitadelProperties props;
+	private final HttpClient http = HttpClient.newHttpClient();
+	private final ObjectMapper mapper = new ObjectMapper();
+
+	private final String userId;
+	private final String keyId;
+	private final RSAPrivateKey privateKey;
+	private final URI tokenEndpoint;
+
+	private volatile String cachedToken;
+	private volatile Instant cachedExpiry = Instant.EPOCH;
+
+	ZitadelTokenSource(ZitadelProperties props) throws Exception {
+		this.props = props;
+		JsonNode key = mapper.readTree(Files.readAllBytes(Path.of(props.getKeyPath())));
+		this.userId = key.get("userId").asText();
+		this.keyId = key.get("keyId").asText();
+		this.privateKey = parsePrivateKey(key.get("key").asText());
+		this.tokenEndpoint = URI.create(props.getAudience() + "/oauth/v2/token");
+	}
+
+	synchronized String currentToken() throws Exception {
+		if (cachedToken != null && Instant.now().isBefore(cachedExpiry.minusSeconds(30))) {
+			return cachedToken;
+		}
+		String assertion = buildAssertion();
+		String body = "grant_type=" + URLEncoder.encode(JWT_BEARER_GRANT, StandardCharsets.UTF_8)
+			+ "&assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8)
+			+ "&scope=" + URLEncoder.encode(ZITADEL_API_SCOPE, StandardCharsets.UTF_8);
+		HttpResponse<String> resp = http.send(
+			HttpRequest.newBuilder(tokenEndpoint)
+				.header("Content-Type", "application/x-www-form-urlencoded")
+				.POST(HttpRequest.BodyPublishers.ofString(body))
+				.build(),
+			HttpResponse.BodyHandlers.ofString());
+		if (resp.statusCode() != 200) {
+			throw new IllegalStateException("Zitadel token endpoint returned " + resp.statusCode() + ": " + resp.body());
+		}
+		JsonNode json = mapper.readTree(resp.body());
+		this.cachedToken = json.get("access_token").asText();
+		this.cachedExpiry = Instant.now().plusSeconds(json.get("expires_in").asLong());
+		return cachedToken;
+	}
+
+	private String buildAssertion() {
+		Instant now = Instant.now();
+		return JWT.create()
+			.withKeyId(keyId)
+			.withIssuer(userId)
+			.withSubject(userId)
+			.withAudience(props.getAudience())
+			.withIssuedAt(Date.from(now))
+			.withExpiresAt(Date.from(now.plusSeconds(60 * 60)))
+			.sign(Algorithm.RSA256(null, privateKey));
+	}
+
+	private static RSAPrivateKey parsePrivateKey(String pem) throws Exception {
+		boolean pkcs1 = pem.contains("BEGIN RSA PRIVATE KEY");
+		String stripped = pem
+			.replaceAll("-----BEGIN [A-Z ]+-----", "")
+			.replaceAll("-----END [A-Z ]+-----", "")
+			.replaceAll("\\s+", "");
+		byte[] der = Base64.getDecoder().decode(stripped);
+		if (pkcs1) {
+			der = wrapPkcs1AsPkcs8(der);
+		}
+		return (RSAPrivateKey) KeyFactory.getInstance("RSA")
+			.generatePrivate(new PKCS8EncodedKeySpec(der));
+	}
+
+	/** PKCS#8 = SEQUENCE { version=0, AlgorithmIdentifier rsaEncryption, OCTET STRING { pkcs1 } }. */
+	private static byte[] wrapPkcs1AsPkcs8(byte[] pkcs1) {
+		byte[] version = { 0x02, 0x01, 0x00 };
+		byte[] algId = {
+			0x30, 0x0D,
+			0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x01, 0x01,
+			0x05, 0x00
+		};
+		byte[] octet = concat(new byte[]{0x04}, encodeLen(pkcs1.length), pkcs1);
+		byte[] inner = concat(version, algId, octet);
+		return concat(new byte[]{0x30}, encodeLen(inner.length), inner);
+	}
+
+	private static byte[] encodeLen(int len) {
+		if (len < 0x80) return new byte[]{ (byte) len };
+		if (len < 0x100) return new byte[]{ (byte) 0x81, (byte) len };
+		if (len < 0x10000) return new byte[]{ (byte) 0x82, (byte) (len >> 8), (byte) len };
+		return new byte[]{ (byte) 0x83, (byte) (len >> 16), (byte) (len >> 8), (byte) len };
+	}
+
+	private static byte[] concat(byte[]... parts) {
+		int total = 0;
+		for (byte[] p : parts) total += p.length;
+		byte[] out = new byte[total];
+		int pos = 0;
+		for (byte[] p : parts) {
+			System.arraycopy(p, 0, out, pos, p.length);
+			pos += p.length;
+		}
+		return out;
+	}
+}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
new file mode 100644
index 0000000..ea8491b
--- /dev/null
+++ b/src/main/resources/application.properties
@@ -0,0 +1,14 @@
+spring.application.name=demo
+
+# Zitadel Cloud instance host (no scheme, no port)
+zitadel.host=${ZITADEL_HOST:auth.octoflow.unom.io}
+# 443 + TLS for Zitadel Cloud
+zitadel.port=443
+zitadel.plaintext=false
+# Path to the Zitadel-generated machine-user JSON key
+zitadel.key-path=${ZITADEL_KEY_PATH:./service_account.json}
+# Optional: OIDC audience override. Defaults to https://${zitadel.host}
+# zitadel.audience=https://auth.octoflow.unom.io
+
+# Don't start the embedded web server — this is a client-only app
+spring.main.web-application-type=none
diff --git a/src/test/java/com/example/demo/DemoApplicationTests.java b/src/test/java/com/example/demo/DemoApplicationTests.java
new file mode 100644
index 0000000..2778a6a
--- /dev/null
+++ b/src/test/java/com/example/demo/DemoApplicationTests.java
@@ -0,0 +1,13 @@
+package com.example.demo;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class DemoApplicationTests {
+
+	@Test
+	void contextLoads() {
+	}
+
+}