diff --git a/command/auth.go b/command/auth.go
index 4f4c429ec6..788c5725a7 100644
--- a/command/auth.go
+++ b/command/auth.go
@@ -151,6 +151,10 @@ func (c *AuthCommand) Run(args []string) int {
 			"Error validating token: %s", err))
 		return 1
 	}
+	if secret == nil {
+		c.Ui.Error(fmt.Sprintf("Error: Invalid token"))
+		return 1
+	}
 
 	// Get the policies we have
 	policiesRaw, ok := secret.Data["policies"]
diff --git a/command/auth_test.go b/command/auth_test.go
index 01a13e4027..482bd85aec 100644
--- a/command/auth_test.go
+++ b/command/auth_test.go
@@ -82,6 +82,29 @@ func TestAuth_token(t *testing.T) {
 	}
 }
 
+func TestAuth_badToken(t *testing.T) {
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := http.TestServer(t, core)
+	defer ln.Close()
+
+	testAuthInit(t)
+
+	ui := new(cli.MockUi)
+	c := &AuthCommand{
+		Meta: Meta{
+			Ui: ui,
+		},
+	}
+
+	args := []string{
+		"-address", addr,
+		"not-a-valid-token",
+	}
+	if code := c.Run(args); code != 1 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+}
+
 func TestAuth_method(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := http.TestServer(t, core)