diff --git a/cli/commands.go b/cli/commands.go
index 0ec91ff414..497b1697ea 100644
--- a/cli/commands.go
+++ b/cli/commands.go
@@ -35,7 +35,9 @@ import (
 // parameter lets you set meta options for all commands.
 func Commands(metaPtr *meta.Meta) map[string]cli.CommandFactory {
 	if metaPtr == nil {
-		metaPtr = new(meta.Meta)
+		metaPtr = &meta.Meta{
+			TokenHelper: command.DefaultTokenHelper,
+		}
 	}
 
 	if metaPtr.Ui == nil {
diff --git a/command/auth.go b/command/auth.go
index 4bc3061e33..1f451cc6f3 100644
--- a/command/auth.go
+++ b/command/auth.go
@@ -52,7 +52,7 @@ func (c *AuthCommand) Run(args []string) int {
 
 	args = flags.Args()
 
-	tokenHelper, err := c.TokenHelper()
+	tokenHelper, err := c.TokenHelper(&c.Meta)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
 			"Error initializing token helper: %s\n\n"+
diff --git a/command/auth_test.go b/command/auth_test.go
index 1c7958e6ea..fddafbfa0b 100644
--- a/command/auth_test.go
+++ b/command/auth_test.go
@@ -28,6 +28,7 @@ func TestAuth_methods(t *testing.T) {
 		Meta: meta.Meta{
 			ClientToken: token,
 			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
 		},
 	}
 
@@ -55,7 +56,8 @@ func TestAuth_token(t *testing.T) {
 	ui := new(cli.MockUi)
 	c := &AuthCommand{
 		Meta: meta.Meta{
-			Ui: ui,
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
 		},
 	}
 
@@ -67,7 +69,7 @@ func TestAuth_token(t *testing.T) {
 		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
 	}
 
-	helper, err := c.TokenHelper()
+	helper, err := c.TokenHelper(&c.Meta)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -93,7 +95,8 @@ func TestAuth_stdin(t *testing.T) {
 	ui := new(cli.MockUi)
 	c := &AuthCommand{
 		Meta: meta.Meta{
-			Ui: ui,
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
 		},
 		testStdin: stdinR,
 	}
@@ -122,7 +125,8 @@ func TestAuth_badToken(t *testing.T) {
 	ui := new(cli.MockUi)
 	c := &AuthCommand{
 		Meta: meta.Meta{
-			Ui: ui,
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
 		},
 	}
 
@@ -148,7 +152,8 @@ func TestAuth_method(t *testing.T) {
 			"test": &testAuthHandler{},
 		},
 		Meta: meta.Meta{
-			Ui: ui,
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
 		},
 	}
 
@@ -161,7 +166,7 @@ func TestAuth_method(t *testing.T) {
 		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
 	}
 
-	helper, err := c.TokenHelper()
+	helper, err := c.TokenHelper(&c.Meta)
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
diff --git a/command/server.go b/command/server.go
index acca899cab..ee67f8f011 100644
--- a/command/server.go
+++ b/command/server.go
@@ -424,7 +424,7 @@ func (c *ServerCommand) enableDev(core *vault.Core, rootTokenID string) (*vault.
 	}
 
 	// Set the token
-	tokenHelper, err := c.TokenHelper()
+	tokenHelper, err := c.TokenHelper(&c.Meta)
 	if err != nil {
 		return nil, err
 	}
diff --git a/command/util.go b/command/util.go
new file mode 100644
index 0000000000..0717f1f1db
--- /dev/null
+++ b/command/util.go
@@ -0,0 +1,25 @@
+package command
+
+import (
+	"github.com/hashicorp/vault/command/token"
+	"github.com/hashicorp/vault/meta"
+)
+
+// DefaultTokenHelper returns the token helper that is configured for Vault.
+func DefaultTokenHelper(m *meta.Meta) (token.TokenHelper, error) {
+	config, err := m.Config()
+	if err != nil {
+		return nil, err
+	}
+
+	path := config.TokenHelper
+	if path == "" {
+		return &token.InternalTokenHelper{}, nil
+	}
+
+	path, err = token.ExternalTokenHelperPath(path)
+	if err != nil {
+		return nil, err
+	}
+	return &token.ExternalTokenHelper{BinaryPath: path}, nil
+}
diff --git a/meta/meta.go b/meta/meta.go
index 7e3d25c062..0af5789d0c 100644
--- a/meta/meta.go
+++ b/meta/meta.go
@@ -24,6 +24,8 @@ import (
 // default FlagSet returned by Meta.FlagSet.
 type FlagSetFlags uint
 
+type TokenHelperFunc func(*Meta) (token.TokenHelper, error)
+
 const (
 	FlagSetNone    FlagSetFlags = 0
 	FlagSetServer  FlagSetFlags = 1 << iota
@@ -51,6 +53,9 @@ type Meta struct {
 	// These are internal and shouldn't be modified or access by anyone
 	// except Meta.
 	config *Config
+
+	// Queried if no token can be found
+	TokenHelper TokenHelperFunc
 }
 
 // Client returns the API client to a Vault server given the configured
@@ -120,14 +125,16 @@ func (m *Meta) Client() (*api.Client, error) {
 
 	// If we don't have a token, check the token helper
 	if token == "" {
-		// If we have a token, then set that
-		tokenHelper, err := m.TokenHelper()
-		if err != nil {
-			return nil, err
-		}
-		token, err = tokenHelper.Get()
-		if err != nil {
-			return nil, err
+		if m.TokenHelper != nil {
+			// If we have a token, then set that
+			tokenHelper, err := m.TokenHelper(m)
+			if err != nil {
+				return nil, err
+			}
+			token, err = tokenHelper.Get()
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 
@@ -193,25 +200,6 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 	return f
 }
 
-// TokenHelper returns the token helper that is configured for Vault.
-func (m *Meta) TokenHelper() (token.TokenHelper, error) {
-	config, err := m.Config()
-	if err != nil {
-		return nil, err
-	}
-
-	path := config.TokenHelper
-	if path == "" {
-		return &token.InternalTokenHelper{}, nil
-	}
-
-	path, err = token.ExternalTokenHelperPath(path)
-	if err != nil {
-		return nil, err
-	}
-	return &token.ExternalTokenHelper{BinaryPath: path}, nil
-}
-
 func (m *Meta) loadCACert(path string) (*x509.CertPool, error) {
 	certs, err := m.loadCertFromPEM(path)
 	if err != nil {