diff --git a/api/sys_mounts.go b/api/sys_mounts.go index 42bcbf1333..b9f4f8f6f8 100644 --- a/api/sys_mounts.go +++ b/api/sys_mounts.go @@ -272,7 +272,7 @@ type MountConfigInput struct { PluginVersion string `json:"plugin_version,omitempty"` UserLockoutConfig *UserLockoutConfigInput `json:"user_lockout_config,omitempty"` DelegatedAuthAccessors []string `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"` - IdentityTokenKey string `json:"identity_token_key,omitempty"` + IdentityTokenKey string `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"` // Deprecated: This field will always be blank for newer server responses. PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` @@ -307,7 +307,7 @@ type MountConfigOutput struct { AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` UserLockoutConfig *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"` DelegatedAuthAccessors []string `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"` - IdentityTokenKey string `json:"identity_token_key,omitempty"` + IdentityTokenKey string `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"` // Deprecated: This field will always be blank for newer server responses. PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` diff --git a/changelog/24980.txt b/changelog/24980.txt new file mode 100644 index 0000000000..536bdb32c6 --- /dev/null +++ b/changelog/24980.txt @@ -0,0 +1,3 @@ +```release-note:improvement +cli: adds plugin identity token to enable and tune commands for secret engines and auth methods +``` \ No newline at end of file diff --git a/command/auth_enable.go b/command/auth_enable.go index 912f410e82..dcea5141fc 100644 --- a/command/auth_enable.go +++ b/command/auth_enable.go 
@@ -40,6 +40,7 @@ type AuthEnableCommand struct { flagTokenType string flagVersion int flagPluginVersion string + flagIdentityTokenKey string } func (c *AuthEnableCommand) Synopsis() string { @@ -209,6 +210,13 @@ func (c *AuthEnableCommand) Flags() *FlagSets { Usage: "Select the semantic version of the plugin to enable.", }) + f.StringVar(&StringVar{ + Name: flagNameIdentityTokenKey, + Target: &c.flagIdentityTokenKey, + Default: "default", + Usage: "Select the key used to sign plugin identity tokens.", + }) + return set } @@ -312,6 +320,10 @@ func (c *AuthEnableCommand) Run(args []string) int { if fl.Name == flagNamePluginVersion { authOpts.Config.PluginVersion = c.flagPluginVersion } + + if fl.Name == flagNameIdentityTokenKey { + authOpts.Config.IdentityTokenKey = c.flagIdentityTokenKey + } }) if err := client.Sys().EnableAuthWithOptions(authPath, authOpts); err != nil { diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 0cdaf0fc79..3467c9b006 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -99,6 +99,7 @@ func TestAuthEnableCommand_Run(t *testing.T) { "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization", "-listing-visibility", "unauth", + "-identity-token-key", "default", "userpass", }) if exp := 0; code != exp { @@ -138,6 +139,9 @@ func TestAuthEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal("default", authInfo.Config.IdentityTokenKey); len(diff) > 0 { + t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) + } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/auth_tune.go b/command/auth_tune.go index 10e7f9fe41..56c2d25fae 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go 
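Review bot: In the Run hunk, an explicit `-identity-token-key=""` is silently dropped rather than rejected: the visited-flag branch copies the empty string into `authOpts.Config.IdentityTokenKey`, and that field carries `json:"identity_token_key,omitempty"` in api/sys_mounts.go, so the key never appears in the request body and the server presumably applies its own default instead of what the operator typed. Since this key selects which signing key backs the plugin's identity tokens, a silently substituted key is worth failing loudly on; add `if c.flagIdentityTokenKey == "" { c.UI.Error("-identity-token-key must not be empty"); return 1 }` in that branch (using the command's usual UI error path). Run starts and ends outside the hunk.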
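Review bot: The new assertion in TestAuthEnableCommand_Run checks `IdentityTokenKey == "default"`, which is the value the server would presumably report even if the flag were never sent, so the test cannot tell a wired-up flag from a dropped one. Pass a non-default name in the argument list and assert on that, e.g. `"-identity-token-key", "test-key"` and `deep.Equal("test-key", authInfo.Config.IdentityTokenKey)`, creating the key beforehand if the server validates that it exists.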
@@ -39,6 +39,7 @@ type AuthTuneCommand struct { flagUserLockoutDuration time.Duration flagUserLockoutCounterResetDuration time.Duration flagUserLockoutDisable bool + flagIdentityTokenKey string } func (c *AuthTuneCommand) Synopsis() string { @@ -195,6 +196,13 @@ func (c *AuthTuneCommand) Flags() *FlagSets { "the plugin catalog, and will not start running until the plugin is reloaded.", }) + f.StringVar(&StringVar{ + Name: flagNameIdentityTokenKey, + Target: &c.flagIdentityTokenKey, + Default: "default", + Usage: "Select the key used to sign plugin identity tokens.", + }) + return set } @@ -294,6 +302,10 @@ func (c *AuthTuneCommand) Run(args []string) int { if fl.Name == flagNamePluginVersion { mountConfigInput.PluginVersion = c.flagPluginVersion } + + if fl.Name == flagNameIdentityTokenKey { + mountConfigInput.IdentityTokenKey = c.flagIdentityTokenKey + } }) // Append /auth (since that's where auths live) and a trailing slash to diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index a06f0d291b..c9b7923d83 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -119,6 +119,7 @@ func TestAuthTuneCommand_Run(t *testing.T) { "-allowed-response-headers", "authorization,www-authentication", "-listing-visibility", "unauth", "-plugin-version", version, + "-identity-token-key", "default", "my-auth/", }) if exp := 0; code != exp { @@ -167,6 +168,9 @@ func TestAuthTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } + if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { + t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/command/commands.go b/command/commands.go index 643c9f55c4..1e4b6731d8 100644 --- a/command/commands.go 
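Review bot: The tune command's Flags hunk declares the flag with `Default: "default"`, but the Run hunk only applies it when visited, so for a mount that was enabled with a different key the help text advertises a value that tuning without the flag will not apply. Either drop the default or make the usage say what happens when it is omitted: `Usage: "Select the key used to sign plugin identity tokens. If unset, the mount's current key is left unchanged."`. Retuning this key changes which signing key the plugin's identity tokens are minted with, so the help text should not suggest a reset that does not occur.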
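Review bot: TestAuthTuneCommand_Run tunes the key to `"default"` and then asserts `"default"`, which for a tune test proves nothing: the mount most likely already had that value, so an ignored flag passes. Tune to a distinct name and assert on it, e.g. `"-identity-token-key", "tune-key"` with `deep.Equal("tune-key", mountInfo.Config.IdentityTokenKey)`, so the test demonstrates an actual change of the signing key.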
+++ b/command/commands.go @@ -137,6 +137,8 @@ const ( flagNameAllowedManagedKeys = "allowed-managed-keys" // flagNamePluginVersion selects what version of a plugin should be used. flagNamePluginVersion = "plugin-version" + // flagNameIdentityTokenKey selects the key used to sign plugin identity tokens + flagNameIdentityTokenKey = "identity-token-key" // flagNameUserLockoutThreshold is the flag name used for tuning the auth mount lockout threshold parameter flagNameUserLockoutThreshold = "user-lockout-threshold" // flagNameUserLockoutDuration is the flag name used for tuning the auth mount lockout duration parameter diff --git a/command/secrets_enable.go b/command/secrets_enable.go index 9e06392b2d..d02bd69d45 100644 --- a/command/secrets_enable.go +++ b/command/secrets_enable.go @@ -41,6 +41,7 @@ type SecretsEnableCommand struct { flagExternalEntropyAccess bool flagVersion int flagAllowedManagedKeys []string + flagIdentityTokenKey string } func (c *SecretsEnableCommand) Synopsis() string { @@ -228,6 +229,13 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { "each time with 1 key.", }) + f.StringVar(&StringVar{ + Name: flagNameIdentityTokenKey, + Target: &c.flagIdentityTokenKey, + Default: "default", + Usage: "Select the key used to sign plugin identity tokens.", + }) + return set } @@ -334,6 +342,10 @@ func (c *SecretsEnableCommand) Run(args []string) int { if fl.Name == flagNamePluginVersion { mountInput.Config.PluginVersion = c.flagPluginVersion } + + if fl.Name == flagNameIdentityTokenKey { + mountInput.Config.IdentityTokenKey = c.flagIdentityTokenKey + } }) if err := client.Sys().Mount(mountPath, mountInput); err != nil { diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index 10fd0c5c9c..3d6766b53e 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go 
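Review bot: The new doc comment on `flagNameIdentityTokenKey` drops the terminating period that its neighbours (`flagNamePluginVersion`, `flagNameUserLockoutThreshold`) use. Match them: `// flagNameIdentityTokenKey selects the key used to sign plugin identity tokens.`.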
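Review bot: The Run hunk in secrets_enable.go has the same gap as the auth command: when the flag is visited with an empty value, `mountInput.Config.IdentityTokenKey = ""` is sent through a field tagged `omitempty`, so the operator's explicit value vanishes from the request and the server presumably picks the key itself. Guard it before assignment, `if c.flagIdentityTokenKey == "" { c.UI.Error("-identity-token-key must not be empty"); return 1 }`, so a mis-set signing key for plugin identity tokens fails at the CLI rather than silently. Run begins and ends outside the hunk.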
@@ -118,6 +118,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) { "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization", "-allowed-managed-keys", "key1,key2", + "-identity-token-key", "default", "-force-no-cache", "pki", }) @@ -170,6 +171,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) } + if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { + t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) + } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/secrets_tune.go b/command/secrets_tune.go index 7dcf3feb92..b853aec271 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go @@ -36,6 +36,7 @@ type SecretsTuneCommand struct { flagPluginVersion string flagAllowedManagedKeys []string flagDelegatedAuthAccessors []string + flagIdentityTokenKey string } func (c *SecretsTuneCommand) Synopsis() string { @@ -167,6 +168,13 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { "each time with 1 accessor.", }) + f.StringVar(&StringVar{ + Name: flagNameIdentityTokenKey, + Target: &c.flagIdentityTokenKey, + Default: "default", + Usage: "Select the key used to sign plugin identity tokens.", + }) + return set } @@ -255,6 +263,10 @@ func (c *SecretsTuneCommand) Run(args []string) int { if fl.Name == flagNameDelegatedAuthAccessors { mountConfigInput.DelegatedAuthAccessors = c.flagDelegatedAuthAccessors } + + if fl.Name == flagNameIdentityTokenKey { + mountConfigInput.IdentityTokenKey = c.flagIdentityTokenKey + } }) if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil { diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index 8b7965ff29..5bd70a0f0d 100644 --- a/command/secrets_tune_test.go 
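Review bot: The secrets_tune.go Flags hunk is the fourth verbatim copy of the same `StringVar` block (name, `Default: "default"`, usage string) across auth_enable, auth_tune, secrets_enable and secrets_tune. Since the flag name already lives in commands.go, hoist the usage beside it, `flagUsageIdentityTokenKey = "Select the key used to sign plugin identity tokens."`, and reference it from each command so the four help texts cannot drift apart when the wording is later refined.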
+++ b/command/secrets_tune_test.go @@ -192,6 +192,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) { "-passthrough-request-headers", "www-authentication", "-allowed-response-headers", "authorization,www-authentication", "-allowed-managed-keys", "key1,key2", + "-identity-token-key", "default", "-listing-visibility", "unauth", "-plugin-version", version, "mount_tune_integration/", @@ -245,6 +246,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) } + if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { + t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) {
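Review bot: TestSecretsTuneCommand_Run asserts the tuned key is `"default"`, the same value a freshly mounted engine would presumably already report, so it cannot distinguish a tune that took effect from one whose flag was ignored. Use a non-default name, e.g. `"-identity-token-key", "tune-key"` and `deep.Equal("tune-key", mountInfo.Config.IdentityTokenKey)`, creating that key first if the server validates it.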