From 13c7fc7590db68b18f2015600f8765a02d705b5d Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Tue, 11 Dec 2018 05:16:40 -0800
Subject: [PATCH] New authentication

Signed-off-by: Derek Collison
---
 README.md | 28 ++++++++++++++++++++++++++--
 nats.go | 2 +-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f66494727..c929621d6 100644
--- a/README.md
+++ b/README.md
@@ -115,8 +115,30 @@ c.Subscribe("help", func(subj, reply string, msg string) {
 c.Close();
 ```
-## Nkey Authentication (server versions >= 2.0.0)
-To authenticate with nkeys, the nkey seed should be in a read only file, e.g. seed.txt
+## New Authentication (Nkeys and User Credentials)
+This requires server with version >= 2.0.0
+
+NATS servers have a new security and authentication mechanism to authenticate with user credentials and Nkeys.
+The simplest form is to use the helper method UserCredentials(credsFilepath).
+```go
+nc, err := nats.Connect(url, UserCredentials("user.creds"))
+```
+
+The helper methos creates two callback handlers to present the user JWT and sign the nonce challenge from the server.
+The core client library never has direct access to your private key and simply performs the callback for signing the server challenge.
+The helper will load and wipe and erase memory it uses for each connect or reconnect.
+
+The helper also can take two entries, one for the JWT and one for the NKey seed file.
+```go
+nc, err := nats.Connect(url, UserCredentials("user.jwt", "user.nk"))
+```
+
+You can also set the callback handlers directly and manage challenge signing directly.
+```go
+nc, err := nats.Connect(url, UserJWT(jwtCB, sigCB))
+```
+
+Bare Nkeys are also supported. The nkey seed should be in a read only file, e.g. seed.txt
 ```bash
 > cat seed.txt
 # This is my seed nkey!
@@ -131,6 +153,8 @@ You can choose to use the low level option and provide the public key and a sign
 opt, err := nats.NkeyOptionFromSeed("seed.txt")
 nc, err := nats.Connect(serverUrl, opt)
+// Direct
+nc, err := nats.Connect(serverUrl, Nkey(pubNkey, sigCB))
 ```
 ## TLS

diff --git a/nats.go b/nats.go
index 14ac9e7fc..c02fc5f36 100644
--- a/nats.go
+++ b/nats.go
@@ -48,7 +48,7 @@ const (
 DefaultPort = 4222
 DefaultMaxReconnect = 60
 DefaultReconnectWait = 2 * time.Second
- DefaultTimeout = 1 * time.Second
+ DefaultTimeout = 2 * time.Second
 DefaultPingInterval = 2 * time.Minute
 DefaultMaxPingOut = 2
 DefaultMaxChanLen = 8192 // 8k
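Review bot: The `DefaultTimeout` bump from 1s to 2s on the `+` line in nats.go is the only code change in a commit titled "New authentication", and neither the line nor the commit message says why it doubled or what the value bounds. If the extra second is meant to leave room for the JWT presentation and nonce-signing exchange the README hunk now describes, record that on the line so the number is not tuned back later: `DefaultTimeout = 2 * time.Second // room for the nonce-signing handshake on connect`. If, as the name suggests, this is the connect timeout, callers that size reconnect or failover behaviour on the default will otherwise see a silent doubling of how long an attempt can block. The `UserCredentials`, `UserJWT` and `Nkey` options the README documents are not part of the nats.go diff here, so presumably they land in another commit; the `const (` block itself continues outside the hunk.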