diff --git a/pkg/server/plugin/upstreamauthority/vault/vault_client.go b/pkg/server/plugin/upstreamauthority/vault/vault_client.go
index 2490ee5bc1..e726960a06 100644
--- a/pkg/server/plugin/upstreamauthority/vault/vault_client.go
+++ b/pkg/server/plugin/upstreamauthority/vault/vault_client.go
@@ -162,7 +162,6 @@ func (c *ClientConfig) NewAuthenticatedClient(method AuthMethod) (client *Client
 if sec == nil {
 return nil, false, errors.New("lookup self response is nil")
 }
- client.SetToken(c.clientParams.Token)
 case CERT:
 path := fmt.Sprintf("auth/%v/login", c.clientParams.CertAuthMountPoint)
 sec, err = client.Auth(path, map[string]interface{}{
@@ -306,6 +305,11 @@ func (c *Client) Auth(path string, body map[string]interface{}) (*vapi.Secret, e
 }
 
 func (c *Client) LookupSelf(token string) (*vapi.Secret, error) {
+ if token == "" {
+ return nil, errors.New("token is empty")
+ }
+ c.SetToken(token)
+
 secret, err := c.vaultClient.Logical().Read("auth/token/lookup-self")
 if err != nil {
 return nil, fmt.Errorf("token lookup failed: %v", err)
diff --git a/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go b/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go
index 5e4edec6bd..62b65cfe1f 100644
--- a/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go
+++ b/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go
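Review bot: In LookupSelf, the new `c.SetToken(token)` stores the token on the shared Vault client before the lookup-self read and leaves it there even when that read fails, a side effect that neither the method name nor any comment records, and the TOKEN branch of NewAuthenticatedClient in the hunk above now relies on it since its own SetToken call was removed. Add a doc comment such as `// LookupSelf sets token on the underlying Vault client and reads auth/token/lookup-self with it; the token stays set on the client afterwards, whether or not the lookup succeeds.` The empty-string guard is a fast-fail for unset configuration rather than validation: a whitespace-only or otherwise malformed token still reaches the server and surfaces as the wrapped "token lookup failed" error. The body of LookupSelf continues past the end of the hunk.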
@@ -163,30 +163,44 @@ func (vcs *VaultClientSuite) Test_NewAuthenticatedClient_TokenAuth() {
 vcs.fakeVaultServer.LookupSelfResponseCode = 200
 for _, c := range []struct {
 name string
+ token string
 response []byte
 reusable bool
 namespace string
+ err string
 }{
 {
 name: "Token Authentication success / Token never expire",
+ token: "test-token",
 response: []byte(testLookupSelfResponseNeverExpire),
 reusable: true,
 },
 {
 name: "Token Authentication success / Token is renewable",
+ token: "test-token",
 response: []byte(testLookupSelfResponse),
 reusable: true,
 },
 {
 name: "Token Authentication success / Token is not renewable",
+ token: "test-token",
 response: []byte(testLookupSelfResponseNotRenewable),
 },
 {
 name: "Token Authentication success / Token is renewable / Namespace is given",
+ token: "test-token",
 response: []byte(testCertAuthResponse),
 reusable: true,
 namespace: "test-ns",
 },
+ {
+ name: "Token Authentication error / Token is empty",
+ token: "",
+ response: []byte(testCertAuthResponse),
+ reusable: true,
+ namespace: "test-ns",
+ err: "token is empty",
+ },
 } {
 c := c
 vcs.Run(c.name, func() {
@@ -202,18 +216,21 @@ func (vcs *VaultClientSuite) Test_NewAuthenticatedClient_TokenAuth() {
 VaultAddr: fmt.Sprintf("https://%v/", addr),
 Namespace: c.namespace,
 CACertPath: testRootCert,
- Token: "test-token",
+ Token: c.token,
 }
 cc, err := NewClientConfig(cp, hclog.Default())
 vcs.Require().NoError(err)
 
 client, reusable, err := cc.NewAuthenticatedClient(TOKEN)
- vcs.Require().NoError(err)
- vcs.Require().Equal(c.reusable, reusable)
-
- if cp.Namespace != "" {
- headers := client.vaultClient.Headers()
- vcs.Require().Equal(cp.Namespace, headers.Get(consts.NamespaceHeaderName))
+ if c.err != "" {
+ vcs.Require().Equal(err.Error(), c.err)
+ } else {
+ vcs.Require().NoError(err)
+ vcs.Require().Equal(c.reusable, reusable)
+ if cp.Namespace != "" {
+ headers := client.vaultClient.Headers()
+ vcs.Require().Equal(cp.Namespace, headers.Get(consts.NamespaceHeaderName))
+ }
 }
 })
 }
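Review bot: The new table entry for the empty-token case sets `response`, `reusable: true` and `namespace: "test-ns"`, but the error branch added to the assertion block in the next hunk only compares the error string, so those three fields are never checked and the entry reads as if the case were expected to succeed. Trim it to the fields that matter: `{ name: "Token Authentication error / Token is empty", token: "", err: "token is empty" },`. If the intent is to show that the failure happens before any namespace handling, say so in a comment on the entry rather than through unused fields. Test_NewAuthenticatedClient_TokenAuth starts before this hunk and ends after the next one.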
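Review bot: `vcs.Require().Equal(err.Error(), c.err)` in the new error branch dereferences err before asserting on it, so a regression where NewAuthenticatedClient returns a nil error for an empty token would surface as a nil-pointer panic rather than a test failure, and the arguments are in actual-expected order while testify's Equal reports the first as the expected value. Replace the line with `vcs.Require().EqualError(err, c.err)`, which fails cleanly on a nil error and labels the values correctly. The branch also leaves `client` and `reusable` unexamined; if the empty-token path returns a nil client the way the sec == nil path in vault_client.go does, `vcs.Require().Nil(client)` would pin that contract. The enclosing test function starts outside the hunk.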