diff --git a/CHANGES.md b/CHANGES.md
index 1cec11d..315218c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,9 @@
 ### Changes
 
+#### 0.4.1
+
+- Add a token provider and custom scopes example
+
 #### 0.4.0
 
 - track the version of the client
diff --git a/examples/build.gradle b/examples/build.gradle
index eb19eb0..064af6f 100644
--- a/examples/build.gradle
+++ b/examples/build.gradle
@@ -12,6 +12,7 @@ repositories {
 
 dependencies {
   compile 'net.dehora.nakadi:nakadi-java-client:0.4.0'
+  //compile 'net.dehora.nakadi:nakadi-java-zign:0.4.0' // enable when published in jcenter
   compile 'org.slf4j:slf4j-api:1.7.21'
   compile 'ch.qos.logback:logback-classic:1.1.7'
 //  compile 'net.dehora.nakadi:nakadi-java-metrics:0.0.0'
diff --git a/examples/src/main/java/nakadi/examples/oauth/MyTokenProvider.java b/examples/src/main/java/nakadi/examples/oauth/MyTokenProvider.java
new file mode 100644
index 0000000..80227dd
--- /dev/null
+++ b/examples/src/main/java/nakadi/examples/oauth/MyTokenProvider.java
@@ -0,0 +1,20 @@
+package nakadi.examples.oauth;
+
+import java.util.Optional;
+import nakadi.TokenProvider;
+
+public class MyTokenProvider implements TokenProvider {
+
+  /**
+   * @return a value suitable for use in an Authorization header, or null to suppress the
+   * Authorization header being set
+   */
+  @Override public Optional<String> authHeaderValue(String scope) {
+
+    if("gordian-blade-scope".equals(scope)) {
+      return Optional.of("code-gate-token");
+    }
+
+    return Optional.of("icebreaker-uid-token");
+  }
+}
diff --git a/examples/src/main/java/nakadi/examples/oauth/OAuthScopesMain.java b/examples/src/main/java/nakadi/examples/oauth/OAuthScopesMain.java
new file mode 100644
index 0000000..b1b86e2
--- /dev/null
+++ b/examples/src/main/java/nakadi/examples/oauth/OAuthScopesMain.java
@@ -0,0 +1,41 @@
+package nakadi.examples.oauth;
+
+import nakadi.BusinessEventMapped;
+import nakadi.EventMetadata;
+import nakadi.EventResource;
+import nakadi.NakadiClient;
+import nakadi.examples.events.PriorityRequisition;
+
+public class OAuthScopesMain {
+
+  public static void main(String[] args) {
+
+    String baseURI = "http://localhost:" + 9080;
+
+    NakadiClient client = NakadiClient.newBuilder()
+        .baseURI(baseURI)
+        /*
+        Configure the client with a token provider. All scopes are sent to this TokenProvider
+         per request to be resolved to tokens. Because it's per request, providers can refresh
+         in the background.
+         */
+        .tokenProvider(new MyTokenProvider())
+        .build();
+
+    BusinessEventMapped<PriorityRequisition> event = new BusinessEventMapped<PriorityRequisition>()
+        .metadata(new EventMetadata())
+        .data(new PriorityRequisition("22"));
+
+    EventResource events = client.resources().events();
+
+    /*
+    You can set the oauth scope on most requests using the scope() option.
+    This allows for custom or tenant level scopes to be used (in the future).
+    Otherwise the default scopes defined in the Nakadi API definition are used.
+     */
+    events
+        .scope("gordian-blade-scope")
+        .send("priority-requisition-biz", event);
+
+  }
+}