diff --git a/logical/auth.go b/logical/auth.go
new file mode 100644
index 0000000000..ccbcccc6b0
--- /dev/null
+++ b/logical/auth.go
@@ -0,0 +1,14 @@
+package logical
+
+// Auth is the resulting authentication information that is part of
+// Response for credential backends.
+type Auth struct {
+	// Policies is the list of policies that the authenticated user
+	// is associated with.
+	Policies []string
+
+	// Metadata is used to attach arbitrary string-type metadata to
+	// an authenticated user. This metadata will be outputted into the
+	// audit log.
+	Metadata map[string]string
+}
diff --git a/logical/connection.go b/logical/connection.go
new file mode 100644
index 0000000000..f14f65567a
--- /dev/null
+++ b/logical/connection.go
@@ -0,0 +1,15 @@
+package logical
+
+import (
+	"crypto/tls"
+)
+
+// Connection represents the connection information for a request. This
+// is present on the Request structure for credential backends.
+type Connection struct {
+	// RemoteAddr is the network address that sent the request.
+	RemoteAddr string
+
+	// ConnState is the TLS connection state if applicable.
+	ConnState *tls.ConnectionState
+}
diff --git a/logical/request.go b/logical/request.go
index 7ec3b863fa..d067d0d292 100644
--- a/logical/request.go
+++ b/logical/request.go
@@ -27,6 +27,11 @@ type Request struct {
 	// to represent the secret that was returned prior.
 	Secret *Secret
 
+	// Connection will be non-nil only for credential providers to
+	// inspect the connection information and potentially use it for
+	// authentication/protection.
+	Connection *Connection
+
 	// ClientToken is provided to the core so that the identity
 	// can be verified and ACLs applied. This value is not passed
 	// through to the logical backends.
diff --git a/logical/response.go b/logical/response.go
index 31e5691423..4d39d55d91 100644
--- a/logical/response.go
+++ b/logical/response.go
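Review bot: The Metadata comment on Auth states that the values are written to the audit log but does not spell out the consequence for backend authors, who decide what goes into the map. Suggest extending the comment with `// Values must not contain secrets or other sensitive material, since they are persisted in the audit log.` so the contract is visible at the declaration. The Policies comment also leaves nil versus empty unspecified; if core treats both the same way, a sentence such as `// A nil or empty list means no policies are attached.` would remove the ambiguity.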
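Review bot: The ConnState comment in connection.go does not say how much of the TLS state a credential backend may rely on, and the Request doc explicitly invites using it for authentication. In tls.ConnectionState, PeerCertificates is the chain the client presented, which the listener only validates when client-certificate verification is configured, while VerifiedChains is populated only after successful validation; suggest adding `// Backends that authenticate by client certificate should rely on VerifiedChains, or verify PeerCertificates themselves, rather than on PeerCertificates alone.` RemoteAddr likewise is the peer address as seen by the listener, which is the proxy's address when one fronts the server; a sentence noting that it must not be treated as the client's identity by itself would help.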
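Review bot: The Connection comment in request.go says the field is non-nil only for credential providers, but not whether it is guaranteed non-nil there; if a request can be built without an underlying network connection (presumably possible for internal callers, not visible in this hunk), a credential backend that dereferences it unconditionally would panic. Suggest appending `// Backends must nil-check it before use.` to the comment, or stating the guarantee explicitly if core always populates it for credential backends. The Request struct begins and ends outside the hunk.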
@@ -6,6 +6,11 @@ type Response struct {
 	// Secret, if not nil, denotes that this response represents a secret.
 	Secret *Secret
 
+	// Auth, if not nil, contains the authentication information for
+	// this response. This is only checked and means something for
+	// credential backends.
+	Auth *Auth
+
 	// Response data is an opaque map that must have string keys. For
 	// secrets, this data is sent down to the user as-is. To store internal
 	// data that you don't want the user to see, store it in
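Review bot: The Auth comment in response.go says the field is only checked for credential backends but does not say what core does when a non-credential backend sets it, and since the policies carried here are security-relevant that outcome should be explicit. Suggest stating it in the comment, e.g. `// Core ignores this field for non-credential backends.` if that is the intended behavior, or documenting that such a response is rejected. The Response struct continues outside the hunk.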