diff --git a/bin/get_token b/bin/get_token
new file mode 100755
index 00000000..175cb3bb
--- /dev/null
+++ b/bin/get_token
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+# originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
+
+HOSTNAME=localhost:7002
+REALM_NAME=spiffworkflow
+USERNAME=${1-ciuser1}
+PASSWORD=${2-ciuser1}
+CLIENT_ID=spiffworkflow-frontend
+SECURE=false
+
+KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token
+
+echo "Using Keycloak: $KEYCLOAK_URL"
+echo "realm: $REALM_NAME"
+echo "client-id: $CLIENT_ID"
+echo "username: $USERNAME"
+echo "password: $PASSWORD"
+echo "secure: $SECURE"
+
+
+if [[ $SECURE = 'y' ]]; then
+	INSECURE=
+else
+	INSECURE=--insecure
+fi
+
+result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -d "username=$USERNAME" \
+ -d "password=$PASSWORD" \
+ -d 'grant_type=password' \
+ -d "client_id=$CLIENT_ID")
+
+token=$(jq -r '.access_token' <<< "$result")
+
+if [[ "$token" != 'null' ]]; then
+  echo "token: $token"
+else
+  echo "Failed auth result: $result"
+fi