diff --git a/bin/get_token b/bin/get_token
index 3c23db62..59849cd2 100755
--- a/bin/get_token
+++ b/bin/get_token
@@ -12,6 +12,12 @@ set -o errtrace -o errexit -o nounset -o pipefail
 
 # originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
 # btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration
+# token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
+# some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
+# though resource_set docs are elsewhere.
+
+# ./bin/get_token # uses ciuser1 ciuser1
+# ./bin/get_token ciadmin1 ciadmin1
 
 HOSTNAME=localhost:7002
 REALM_NAME=spiffworkflow
@@ -23,7 +29,7 @@ BACKEND_CLIENT_ID=spiffworkflow-backend
 BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"  # noqa: S105
 SECURE=false
 
-BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64 -w0)
+BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
 KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token
 
 echo "Using Keycloak: $KEYCLOAK_URL"