diff --git a/README.md b/README.md
index 210004b..9d59320 100644
--- a/README.md
+++ b/README.md
@@ -86,8 +86,11 @@ security:
 # a random string of at least 32 characters to secure cookies on the client
 # make sure to share this amongst different pods
 PAATokenSigningKey: thisisasessionkeyreplacethisjetzt
- PAATokenEncryptionKey: thisisasessionkeyreplacethisjetzt
+ # PAATokenEncryptionKey: thisisasessionkeyreplacethisjetzt
 UserTokenEncryptionKey: thisisasessionkeyreplacethisjetzt
+ # if you want to enable token generation for the user
+ # if true the username will be set to a jwt with the username embedded into it
+ EnableUserToken: true
 ```
 ## Testing locally
 A convenience docker-compose allows you to test the RDPGW locally. It uses [Keycloak](http://www.keycloak.org)
@@ -119,7 +122,6 @@ In this way you can integrate, for example, it with [pam-jwt](https://github.com
 * Integrate Open Policy Agent
 * Integrate GOKRB5
 * Integrate uber-go/zap
-* Integrate prometheus
 * Research: TLS defragmentation
 * Improve Web Interface
diff --git a/api/web.go b/api/web.go
index 3fd34fb..97d37cb 100644
--- a/api/web.go
+++ b/api/web.go
@@ -30,6 +30,7 @@ type Config struct {
 SessionEncryptionKey []byte
 PAATokenGenerator TokenGeneratorFunc
 UserTokenGenerator UserTokenGeneratorFunc
+ EnableUserToken bool
 OAuth2Config *oauth2.Config
 store *sessions.CookieStore
 OIDCTokenVerifier *oidc.IDTokenVerifier
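Review bot: The new `EnableUserToken` field on `Config` carries no doc comment, and its effect is not obvious from the name alone: in the HandleDownload hunk of this same commit the flag selects between a generated user token and the plain username (`userToken := user`) as the value handed to the rest of the handler. Suggest `// EnableUserToken, when true, replaces the username with a token from UserTokenGenerator in HandleDownload; when false the plain username is used.` The matching `EnableUserToken bool` added to `SecurityConfig` in config/configuration.go should get the same comment, since its zero value silently selects the plain-username path.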
@@ -170,10 +171,13 @@ func (c *Config) HandleDownload(w http.ResponseWriter, r *http.Request) {
 http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
 }
- userToken, err := c.UserTokenGenerator(ctx, user)
- if err != nil {
- log.Printf("Cannot generate token for user %s due to %s", user, err)
- http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
+ userToken := user
+ if c.EnableUserToken {
+ userToken, err = c.UserTokenGenerator(ctx, user)
+ if err != nil {
+ log.Printf("Cannot generate token for user %s due to %s", user, err)
+ http.Error(w, errors.New("unable to generate gateway credentials").Error(), http.StatusInternalServerError)
+ }
 }
 // authenticated
diff --git a/config/configuration.go b/config/configuration.go
index 59812f0..1a6c4e8 100644
--- a/config/configuration.go
+++ b/config/configuration.go
@@ -49,6 +49,7 @@ type SecurityConfig struct {
 UserTokenEncryptionKey string
 UserTokenSigningKey string
 VerifyClientIp bool
+ EnableUserToken bool
 }
 type ClientConfig struct {
diff --git a/main.go b/main.go
index 8c415a7..226bef2 100644
--- a/main.go
+++ b/main.go
@@ -68,6 +68,7 @@ func main() {
 OIDCTokenVerifier: verifier,
 PAATokenGenerator: security.GeneratePAAToken,
 UserTokenGenerator: security.GenerateUserToken,
+ EnableUserToken: conf.Security.EnableUserToken,
 SessionKey: []byte(conf.Server.SessionKey),
 SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey),
 Hosts: conf.Server.Hosts,
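Review bot: The error branch inside the new `if c.EnableUserToken` block writes a 500 via `http.Error` but does not return, so when `c.UserTokenGenerator` fails the handler keeps running past the hunk with whatever first value the generator returned in `userToken` (likely empty) and goes on to produce a second response on top of the error. Add `return` directly after the `http.Error(...)` call in the new block; the unchanged context line at the top of the hunk handles the PAA-token failure with the same missing return and would need the same one-line fix. Note that `userToken, err = ...` relies on `err` already being declared earlier in the function, which is outside the hunk. HandleDownload's body begins and continues outside the hunk.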