diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index eaffcdaa45..7a9de99af7 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -227,52 +227,6 @@ can only be set during role creation and once set, it can't be reset later.`, Required: true, Description: "If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later", }, - "token_bound_cidrs": { - Type: framework.TypeCommaStringSlice, - Required: true, - Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`, - }, - "token_explicit_max_ttl": { - Type: framework.TypeInt64, - Required: true, - Description: "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", - }, - "token_max_ttl": { - Type: framework.TypeInt64, - Required: true, - Description: "The maximum lifetime of the generated token", - }, - "token_no_default_policy": { - Type: framework.TypeBool, - Required: true, - Description: "If true, the 'default' policy will not automatically be added to generated tokens", - }, - "token_period": { - Type: framework.TypeInt64, - Required: true, - Description: "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value.", - }, - "token_policies": { - Type: framework.TypeCommaStringSlice, - Required: true, - Description: "Comma-separated list of policies", - }, - "token_type": { - Type: framework.TypeString, - Required: true, - Default: "default-service", - Description: "The type of token to generate, service or batch", - }, - "token_ttl": { - Type: framework.TypeInt64, - Required: true, - Description: "The initial ttl of the token to generate", - }, - "token_num_uses": { - Type: framework.TypeInt, - Required: true, - Description: "The maximum number of times a token may be used, a value of 
zero means unlimited", - }, "period": { Type: framework.TypeInt64, Required: false, @@ -299,6 +253,12 @@ can only be set during role creation and once set, it can't be reset later.`, } tokenutil.AddTokenFields(p.Fields) + { + // AppRole is coded differently from other Auth methods, it is the only one that + // populates the `Fields` field of the response + readOperation := p.Operations[logical.ReadOperation].(*framework.PathOperation) + tokenutil.AddTokenFields(readOperation.Responses[http.StatusOK][0].Fields) + } return []*framework.Path{ p, diff --git a/builtin/credential/aws/path_role_test.go b/builtin/credential/aws/path_role_test.go index 3d3fbc3c6f..7797b14854 100644 --- a/builtin/credential/aws/path_role_test.go +++ b/builtin/credential/aws/path_role_test.go @@ -14,6 +14,7 @@ import ( "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/awsutil" "github.com/hashicorp/go-secure-stdlib/strutil" + "github.com/hashicorp/vault/helper/constants" vlttesting "github.com/hashicorp/vault/helper/testhelpers/logical" "github.com/hashicorp/vault/sdk/helper/logging" "github.com/hashicorp/vault/sdk/helper/policyutil" @@ -634,8 +635,12 @@ func TestAwsEc2_RoleCrud(t *testing.T) { "token_type": "default", } + if constants.IsEnterprise { + expected["token_auth_metadata"] = map[string]string{} + } + if resp.Data["role_id"] == nil { - t.Fatal("role_id not found in repsonse") + t.Fatal("role_id not found in response") } expected["role_id"] = resp.Data["role_id"] if diff := deep.Equal(expected, resp.Data); diff != nil { diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go index ec1d363798..dd78d1da74 100644 --- a/builtin/credential/ldap/backend_test.go +++ b/builtin/credential/ldap/backend_test.go 
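Review bot: The response-side token fields deleted in the previous hunk each carried `Required: true` (and `token_type` a `Default`), whereas the schemas that `tokenutil.AddTokenFields` copies into `readOperation.Responses[http.StatusOK][0].Fields` are the request-side ones, which as far as this diff shows set only Type, Description and Group; the generated OpenAPI response schema for the AppRole role read therefore quietly loses its required markers even though `PopulateTokenData` still always emits those keys. If that is not intended, re-mark them after the copy, touching only the response map's own `*FieldSchema` entries and not anything shared with `p.Fields` (whether `AddTokenFields` inserts fresh structs is not visible here). The unchecked type assertion and `[0]` index will panic at mount time if a different operation type or an empty 200 response list is ever registered, which is acceptable for a programming error, but a message such as `panic("approle: read operation is not a *framework.PathOperation")` behind a `readOperation, ok := ...` check makes the failure self-explanatory. The enclosing function starts and ends outside the hunk.
```go
	respFields := readOperation.Responses[http.StatusOK][0].Fields
	tokenutil.AddTokenFields(respFields)
	// The read response always populates every token field (PopulateTokenData),
	// so keep the "required" marker the hand-written response schemas carried.
	for name := range tokenutil.TokenFields() {
		if f := respFields[name]; f != nil {
			f.Required = true
		}
	}
```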
@@ -15,6 +15,7 @@ import ( "github.com/go-test/deep" hclog "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/strutil" + "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/testhelpers/ldap" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" @@ -1494,6 +1495,9 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) { MaximumPageSize: 1000, }, } + if constants.IsEnterprise { + exp.TokenParams.TokenAuthMetadata = make(map[string]string) + } configEntry, err := b.Config(ctx, configReq) if err != nil { diff --git a/helper/testhelpers/pluginhelpers/pluginhelpers.go b/helper/testhelpers/pluginhelpers/pluginhelpers.go index cb097cb94b..8808793556 100644 --- a/helper/testhelpers/pluginhelpers/pluginhelpers.go +++ b/helper/testhelpers/pluginhelpers/pluginhelpers.go @@ -16,6 +16,7 @@ import ( "sync" "testing" + "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/sdk/helper/consts" ) @@ -110,6 +111,12 @@ func CompilePlugin(t testing.TB, typ consts.PluginType, pluginVersion string, pl if pluginVersion != "" { line = append(line, "-ldflags", fmt.Sprintf("-X %s=%s", pluginVersionLocation, pluginVersion)) } + if constants.IsEnterprise { + // Under VAULT-38008, tokenutil.go got stubs, which means we now need to + // set the enterprise tag to avoid compiling both the _ent.go and the _stubs_oss.go + // files. + line = append(line, "-tags", "enterprise") + } line = append(line, "-o", pluginPath, pluginMain) cmd := exec.Command("go", line...) cmd.Env = append(os.Environ(), "CGO_ENABLED=0") diff --git a/sdk/helper/tokenutil/tokenutil.go b/sdk/helper/tokenutil/tokenutil.go index 4319bd1823..b4ede5fcc6 100644 --- a/sdk/helper/tokenutil/tokenutil.go +++ b/sdk/helper/tokenutil/tokenutil.go 
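Review bot: `-tags` is a single-valued flag for `go build`, so if `line` is ever given another `-tags` entry before this point (its construction starts above the hunk and is not visible here) this append silently replaces it instead of combining; if that can happen, build one comma-joined value. The comment's "avoid compiling both" reading also does not match the stub file's `//go:build !enterprise` constraint: without the tag the plugin builds cleanly against the OSS stubs and simply never emits `token_auth_metadata`, a mismatch that no compiler or test failure points at. I would reword it to `// Test plugins must carry the same build tag as the host binary; without it the plugin links the !enterprise tokenutil stubs and silently drops the enterprise token fields.` That the `enterprise` tag and `constants.IsEnterprise` always agree is an assumption worth stating in the same comment. `CompilePlugin` begins above the hunk.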
@@ -47,6 +47,9 @@ type TokenParams struct { // The TTL to user for the token TokenTTL time.Duration `json:"token_ttl" mapstructure:"token_ttl"` + + // The metadata to attach to the authentication information. + TokenAuthMetadata map[string]string `json:"token_auth_metadata" mapstructure:"token_auth_metadata"` } // AddTokenFields adds fields to an existing role. It panics if it would @@ -73,7 +76,7 @@ func AddTokenFieldsWithAllowList(m map[string]*framework.FieldSchema, allowed [] // TokenFields provides a set of field schemas for the parameters func TokenFields() map[string]*framework.FieldSchema { - return map[string]*framework.FieldSchema{ + return entTokenFields(map[string]*framework.FieldSchema{ "token_bound_cidrs": { Type: framework.TypeCommaStringSlice, Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`, @@ -157,7 +160,7 @@ func TokenFields() map[string]*framework.FieldSchema { Group: "Tokens", }, }, - } + }) } // ParseTokenFields provides common field parsing functionality into a TokenFields struct @@ -238,6 +241,8 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'") } + t.entParseTokenFields(d) + return nil } @@ -260,6 +265,8 @@ func (t *TokenParams) PopulateTokenData(m map[string]interface{}) { if len(t.TokenBoundCIDRs) == 0 { m["token_bound_cidrs"] = []string{} } + + t.entPopulateTokenData(m) } // PopulateTokenAuth populates Auth with parameters @@ -274,6 +281,8 @@ func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) { auth.TokenType = t.TokenType auth.TTL = t.TokenTTL auth.NumUses = t.TokenNumUses + + t.entPopulateTokenAuth(auth) } func DeprecationText(param string) string { diff --git a/sdk/helper/tokenutil/tokenutil_stubs_oss.go b/sdk/helper/tokenutil/tokenutil_stubs_oss.go new file mode 100644 index 0000000000..f6750dc69f --- /dev/null 
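Review bot: `TokenAuthMetadata` is added without `omitempty`, so every role or config entry serialized through this struct under OSS, where nothing ever sets the field, now writes `"token_auth_metadata":null` into storage; unless the enterprise side relies on a nil-versus-empty distinction, `json:"token_auth_metadata,omitempty"` keeps OSS storage entries byte-identical to before. The doc comment should also say who supplies the metadata and where it ends up, since the name suggests it is copied onto `logical.Auth`, which feeds audit logs and entity aliases; if accurate, `// Operator-supplied key/value pairs copied onto logical.Auth at login (enterprise only; never set in OSS).` is more useful than the current sentence. `TokenParams` begins above the hunk.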
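Review bot: `t.entParseTokenFields(d)` has no error return, so the enterprise parser cannot reject operator input for `token_auth_metadata` (oversized values, malformed or reserved keys) the way the surrounding code rejects `token_ttl` greater than `token_max_ttl`; a silently dropped or truncated value is the kind of thing that only surfaces later in an audit log. Give the hook an `error` result and propagate it, `if err := t.entParseTokenFields(d); err != nil { return err }`, with the OSS stub returning `nil`. `ParseTokenFields` starts above the hunk.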
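Review bot: `entPopulateTokenAuth` runs after the method-specific fields on `auth` are already set and, judging by the field's name, presumably writes into `auth.Metadata`, which flows into the entity alias, audit logs and templated policies; role-level metadata must therefore merge without overriding keys the auth method itself asserts (a role or principal name, for instance), or an operator who can write roles could spoof identity attributes that policies trust. The enterprise implementation is not in this diff so I cannot check it, but the contract belongs at the call site: `// entPopulateTokenAuth may only add metadata keys; entries the auth method already set on auth.Metadata take precedence.` `PopulateTokenAuth` starts above the hunk.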
+++ b/sdk/helper/tokenutil/tokenutil_stubs_oss.go
@@ -0,0 +1,21 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !enterprise
+
+package tokenutil
+
+import (
+ "github.com/hashicorp/vault/sdk/framework"
+ "github.com/hashicorp/vault/sdk/logical"
+)
+
+func entTokenFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+ return fields
+}
+
+func (t *TokenParams) entParseTokenFields(d *framework.FieldData) {}
+
+func (t *TokenParams) entPopulateTokenData(m map[string]any) {}
+
+func (t *TokenParams) entPopulateTokenAuth(auth *logical.Auth) {}
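Review bot: The four stubs carry no comment describing the contract their enterprise counterparts must honour, and that contract is load-bearing: `TokenFields` returns whatever `entTokenFields` hands back, `ParseTokenFields` gives its hook no way to fail, and `PopulateTokenData`/`PopulateTokenAuth` call theirs last so the hooks see fully populated values. A short header after the build constraint, along the lines of `// No-op hooks for OSS builds. The enterprise implementations are selected by the "enterprise" build tag and must keep these signatures; entTokenFields must return a map that still contains every OSS field it was given.`, spares the next reader a search across build tags. The test-plugin compiler in this change depends on exactly that tag spelling, so a typo there falls back to these stubs without any build error, which is another reason to name the tag here.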