I think the way out for you would be to try the following:
- You have the request object being provided to your Endpoint method. Try to extract out some custom header values that you clients might populate:
String token = request.getHeader("Authorization");
and then try to do the validation.
2. You could even write a custom Authenticator to the best of my knowledge as given over here: http://stackoverflow.com/questions/25365858/google-cloud-endpoints-and-users-authentication