diff --git a/README.md b/README.md
index e88bc1e..c6672e9 100644
--- a/README.md
+++ b/README.md
@@ -4,23 +4,58 @@ Basic Sellsy API proxy for full client side apps.
 
 [![Deploy to now](https://deploy.now.sh/static/button.svg)](https://deploy.now.sh/?repo=https://github.com/revolunet/sellsy-proxy&env=CONSUMER_KEY&env=CONSUMER_SECRET&env=USER_TOKEN&env=USER_SECRET)
 
+Server is deployed with `consumer` oauth keys and client must give its sellsy oauth token in each request.
+
 ## Usage
 
-Start the server  with all the API credentials as environment variables
+Start the server with all the consumer API keys as environment variables
 
 ```sh
 set CONSUMER_KEY="xxx";
 set CONSUMER_SECRET="xxx";
-set USER_TOKEN="xxx";
-set USER_SECRET="xxx";
 npm start
 ```
 
-
 ## Call Sellsy API from your browser
 
 Using `GET` method, just pass `method` and `params` url query parameters, following Sellsy API docs.
 
+Also add oauth headers for the proxy :
+
+```js
+// call to the API
+const makeProxyRequest = ({ endPoint, method, params }) => {
+  // create the proxy URL
+  var urlParams = encodeURIComponent(params);
+  var url = `${endPoint}?method=${method}&params=${urlParams}`;
+  // use native fetch API and convert to JSON
+  var request = new Request(url, {
+    headers: new Headers({
+      'X-USER-TOKEN': 'aaa',
+      'X-USER-SECRET': 'bbb',
+    }),
+    mode: 'cors'
+  });
+  return fetch(request).then(r => r.json()).catch(e => {
+    console.log('e', e);
+    throw e;
+  });
+};
+
+makeProxyRequest({
+  endPoint: 'http://127.0.0.1:8282',
+  method: 'Document.getList',
+  params: {
+    doctype: 'invoice',
+    search: {
+      contains: 'test',
+    },
+  },
+}).then(data => {
+  console.log(data);
+});
+```
+
 You'll get the raw result from the Sellsy API.
 
 Demo : https://jsbin.com/qerisus
diff --git a/src/index.js b/src/index.js
index 5cf0ed8..648454b 100644
--- a/src/index.js
+++ b/src/index.js
@@ -6,7 +6,7 @@ var Sellsy = require("node-sellsy")
 app = express()
 app.use(cors())
 
-;["CONSUMER_KEY", "CONSUMER_SECRET", "USER_TOKEN", "USER_SECRET"].forEach(key => {
+;["CONSUMER_KEY", "CONSUMER_SECRET"].forEach(key => {
   if (!process.env[key]) {
     console.error(`⚠️  missing ${key} environment variable. please refer to the README.\n`)
     process.exit(1)
@@ -14,12 +14,20 @@ app.use(cors())
 })
 
 app.get("/", (req, res) => {
+  console.log("req.headers", req.headers)
+  if (!req.headers['x-user-token'] || !req.headers['x-user-secret']) {
+    res.json({
+      error: true,
+      msg: 'missing headers'
+    })
+    return;
+  }
   var sellsy = new Sellsy({
     creds: {
       consumerKey: process.env.CONSUMER_KEY,
       consumerSecret: process.env.CONSUMER_SECRET,
-      userToken: process.env.USER_TOKEN,
-      userSecret: process.env.USER_SECRET
+      userToken: req.headers['x-user-token'],
+      userSecret: req.headers['x-user-secret']
     }
   })
   console.log("req.query.params", req.query.params)