diff --git a/logical/request.go b/logical/request.go
index f87a9edfd3..d3d246ca43 100644
--- a/logical/request.go
+++ b/logical/request.go
@@ -26,6 +26,11 @@ type Request struct {
 	// Secret will be non-nil only for Revoke and Renew operations
 	// to represent the secret that was returned prior.
 	Secret *Secret
+
+	// ClientToken is provided to the core so that the identity
+	// can be verified and ACLs applied. This value is not passed
+	// through to the logical backends.
+	ClientToken string
 }
 
 // Get returns a data field and guards for nil Data
diff --git a/vault/router.go b/vault/router.go
index 66f9a7c3d0..703b5a1a2c 100644
--- a/vault/router.go
+++ b/vault/router.go
@@ -109,15 +109,18 @@ func (r *Router) Route(req *logical.Request) (*logical.Response, error) {
 	}
 	me := raw.(*mountEntry)
 
-	// Adjust the path, attach the barrier view
+	// Adjust the path, attach the barrier view, clear the token
 	original := req.Path
+	clientToken := req.ClientToken
 	req.Path = strings.TrimPrefix(req.Path, mount)
 	req.Storage = me.view
+	req.ClientToken = ""
 
 	// Reset the request before returning
 	defer func() {
 		req.Path = original
 		req.Storage = nil
+		req.ClientToken = clientToken
 	}()
 
 	// Invoke the backend
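Review bot: The new field's doc comment promises "This value is not passed through to the logical backends", but the Request type itself cannot enforce that; the guarantee depends on every dispatch path clearing the field before a backend sees the request. The comment should say where that guarantee lives so a future caller of a backend does not rely on it by accident, e.g. `// The Router clears this field before invoking a backend and restores it afterwards; other callers must do the same.` Because the field holds a credential, any code that formats a Request with %v or %+v (logging, error messages) would now include it; whether such a site exists is not visible in this hunk.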
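Review bot: The clear and restore act on the same *logical.Request pointer the backend receives, so a backend that retains req beyond the call (for example in a goroutine or a stored callback) will observe the token again once the deferred restore runs; whether any backend does this is not visible here. If that is a concern, handing the backend a shallow copy with ClientToken cleared would remove the need to restore at all; otherwise the intent deserves a line comment, e.g. `// The backend shares this pointer; the token is restored by the defer below, so it must not retain req.` Route begins and ends outside the hunk.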