diff --git a/command/auth.go b/command/auth.go
index 2af8780f6c7b..fc614a10b1cc 100644
--- a/command/auth.go
+++ b/command/auth.go
@@ -37,11 +37,12 @@ type AuthCommand struct {
 
 func (c *AuthCommand) Run(args []string) int {
 	var method, authPath string
-	var methods, methodHelp, noVerify bool
+	var methods, methodHelp, noVerify, noStore bool
 	flags := c.Meta.FlagSet("auth", meta.FlagSetDefault)
 	flags.BoolVar(&methods, "methods", false, "")
 	flags.BoolVar(&methodHelp, "method-help", false, "")
 	flags.BoolVar(&noVerify, "no-verify", false, "")
+	flags.BoolVar(&noStore, "no-store", false, "")
 	flags.StringVar(&method, "method", "", "method")
 	flags.StringVar(&authPath, "path", "", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
@@ -178,13 +179,15 @@ func (c *AuthCommand) Run(args []string) int {
 	}
 
 	// Store the token!
-	if err := tokenHelper.Store(token); err != nil {
-		c.Ui.Error(fmt.Sprintf(
-			"Error storing token: %s\n\n"+
-				"Authentication was not successful and did not persist.\n"+
-				"Please reauthenticate, or fix the issue above if possible.",
-			err))
-		return 1
+	if !noStore {
+		if err := tokenHelper.Store(token); err != nil {
+			c.Ui.Error(fmt.Sprintf(
+				"Error storing token: %s\n\n"+
+					"Authentication was not successful and did not persist.\n"+
+					"Please reauthenticate, or fix the issue above if possible.",
+				err))
+			return 1
+		}
 	}
 
 	if noVerify {
@@ -192,6 +195,16 @@ func (c *AuthCommand) Run(args []string) int {
 			"Authenticated - no token verification has been performed.",
 		))
 
+		if noStore {
+			if err := tokenHelper.Erase(); err != nil {
+				c.Ui.Error(fmt.Sprintf(
+					"Error removing prior token: %s\n\n"+
+						"Authentication was successful, but unable to remove the\n"+
+						"previous token.",
+					err))
+				return 1
+			}
+		}
 		return 0
 	}
 
@@ -200,15 +213,23 @@ func (c *AuthCommand) Run(args []string) int {
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
 			"Error initializing client to verify the token: %s", err))
-		if err := tokenHelper.Store(previousToken); err != nil {
-			c.Ui.Error(fmt.Sprintf(
-				"Error restoring the previous token: %s\n\n"+
-					"Please reauthenticate with a valid token.",
-				err))
+		if !noStore {
+			if err := tokenHelper.Store(previousToken); err != nil {
+				c.Ui.Error(fmt.Sprintf(
+					"Error restoring the previous token: %s\n\n"+
+						"Please reauthenticate with a valid token.",
+					err))
+			}
 		}
 		return 1
 	}
 
+	// If in no-store mode it won't have read the token from a token-helper (or
+	// will read an old one) so set it explicitly
+	if noStore {
+		client.SetToken(token)
+	}
+
 	// Verify the token
 	secret, err := client.Auth().Token().LookupSelf()
 	if err != nil {
@@ -222,7 +243,7 @@ func (c *AuthCommand) Run(args []string) int {
 		}
 		return 1
 	}
-	if secret == nil {
+	if secret == nil && !noStore {
 		c.Ui.Error(fmt.Sprintf("Error: Invalid token"))
 		if err := tokenHelper.Store(previousToken); err != nil {
 			c.Ui.Error(fmt.Sprintf(
@@ -233,6 +254,17 @@ func (c *AuthCommand) Run(args []string) int {
 		return 1
 	}
 
+	if noStore {
+		if err := tokenHelper.Erase(); err != nil {
+			c.Ui.Error(fmt.Sprintf(
+				"Error removing prior token: %s\n\n"+
+					"Authentication was successful, but unable to remove the\n"+
+					"previous token.",
+				err))
+			return 1
+		}
+	}
+
 	// Get the policies we have
 	policiesRaw, ok := secret.Data["policies"]
 	if !ok {
@@ -244,6 +276,9 @@ func (c *AuthCommand) Run(args []string) int {
 	}
 
 	output := "Successfully authenticated! You are now logged in."
+	if noStore {
+		output += "\nThe token has not been stored to the configured token helper."
+	}
 	if method != "" {
 		output += "\nThe token below is already saved in the session. You do not"
 		output += "\nneed to \"vault auth\" again with the token."
@@ -355,6 +390,9 @@ Auth Options:
   -no-verify        Do not verify the token after creation; avoids a use count
                     decrement.
 
+  -no-store         Do not store the token after creation; it will only be
+                    displayed in the command output.
+
   -path             The path at which the auth backend is enabled. If an auth
                     backend is mounted at multiple paths, this option can be
                     used to authenticate against specific paths.
diff --git a/command/auth_test.go b/command/auth_test.go
index 9ffd0ac1d688..6071ea470b18 100644
--- a/command/auth_test.go
+++ b/command/auth_test.go
@@ -84,6 +84,45 @@ func TestAuth_token(t *testing.T) {
 	}
 }
 
+func TestAuth_token_nostore(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := http.TestServer(t, core)
+	defer ln.Close()
+
+	testAuthInit(t)
+
+	ui := new(cli.MockUi)
+	c := &AuthCommand{
+		Meta: meta.Meta{
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
+		},
+	}
+
+	args := []string{
+		"-address", addr,
+		"-no-store",
+		token,
+	}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+
+	helper, err := c.TokenHelper()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	actual, err := helper.Get()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if actual != "" {
+		t.Fatalf("bad: %s", actual)
+	}
+}
+
 func TestAuth_stdin(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := http.TestServer(t, core)