diff --git a/endpoints/index.py b/endpoints/index.py
index ca4b73362..cf9169064 100644
--- a/endpoints/index.py
+++ b/endpoints/index.py
@@ -54,16 +54,30 @@ def generate_headers(scope=GrantType.READ_REPOSITORY):
         if scope == GrantType.READ_REPOSITORY:
           permission = ReadRepositoryPermission(namespace, repository)
           grants.append(repository_read_grant(namespace, repository))
+
+          # TODO remove me when we we switch to signed grants
+          role = 'read'
         elif scope == GrantType.WRITE_REPOSITORY:
           permission = ModifyRepositoryPermission(namespace, repository)
           grants.append(repository_write_grant(namespace, repository))
 
+          # TODO remove me when we we switch to signed grants
+          role = 'write'
+
         if permission.can():
           # Generate a signed grant which expires here
-          user_context = get_authenticated_user() and get_authenticated_user().username
-          signature = generate_signed_token(grants, user_context)
-          response.headers['WWW-Authenticate'] = signature
-          response.headers['X-Docker-Token'] = signature
+          # user_context = get_authenticated_user() and get_authenticated_user().username
+          # signature = generate_signed_token(grants, user_context)
+          # response.headers['WWW-Authenticate'] = signature
+          # response.headers['X-Docker-Token'] = signature
+
+          # TODO remove me when we switch to signed grants
+          repo = model.get_repository(namespace, repository)
+          if repo:
+            token = model.create_access_token(repo, role, 'pushpull-token')
+            token_str = 'signature=%s' % token.code
+            response.headers['WWW-Authenticate'] = token_str
+            response.headers['X-Docker-Token'] = token_str
         else:
           logger.warning('Registry request with invalid credentials on repository: %s/%s',
                          namespace, repository)