Hi Dejan, you don't need to protect in some way the client request for the token, because, after your Metadata Adapter authenticates the client (even via sendMessage) it can treat any request on the session in a different way than before.
What counts it that the request belongs to that session.
So, for instance, if you use an item to carry the token, any subscription to that item can be refused before the authentication takes place and accepted after.
Note that you also don't need to play with the item name, because a generic name can be decorated and turned into a session-specific item by the Metadata Adapter in getItems(); then the Data Adapter will recognize the session-specific item and feed it appropriately.
In order to get a result as a consequence of a sendMessage call, an alternative way is shown in
this thread (as "solution 2").