diff --git a/cmd/drone-server/server.go b/cmd/drone-server/server.go
index 2729e6a4..fa689212 100644
--- a/cmd/drone-server/server.go
+++ b/cmd/drone-server/server.go
@@ -179,7 +179,7 @@ var flags = []cli.Flag{
 		EnvVar: "DRONE_VAULT_AUTH_TYPE",
 		Name:   "drone-vault-auth-type",
 		Usage:  "auth backend type used for connecting to vault",
-		Value:  "token",
+		Value:  "",
 	},
 	cli.StringFlag{
 		EnvVar: "DRONE_VAULT_AUTH_MOUNT_POINT",
diff --git a/plugins/secrets/vault/opts.go b/plugins/secrets/vault/opts.go
index 08185785..7b4eaa7e 100644
--- a/plugins/secrets/vault/opts.go
+++ b/plugins/secrets/vault/opts.go
@@ -25,9 +25,17 @@ func WithRenewal(d time.Duration) Opts {
 	}
 }
 
+// WithAuth returns an options that sets the vault
+// method to use for authentication
+func WithAuth(method string) Opts {
+	return func(v *vault) {
+		v.auth = method
+	}
+}
+
 // WithKubernetes returns an options that sets
 // kubernetes-auth parameters required to retrieve
-// an initial Vault token
+// an initial vault token
 func WithKubernetesAuth(addr, role, mount string) Opts {
 	return func(v *vault) {
 		v.kubeAuth.addr = addr
diff --git a/plugins/secrets/vault/opts_test.go b/plugins/secrets/vault/opts_test.go
index 79f01160..87390715 100644
--- a/plugins/secrets/vault/opts_test.go
+++ b/plugins/secrets/vault/opts_test.go
@@ -27,6 +27,16 @@ func TestWithRenewal(t *testing.T) {
 	}
 }
 
+func TestWithAuth(t *testing.T) {
+	v := new(vault)
+	method := "kubernetes"
+	opt := WithAuth(method)
+	opt(v)
+	if got, want := v.auth, method; got != want {
+		t.Errorf("Want auth %v, got %v", want, got)
+	}
+}
+
 func TestWithKubernetesAuth(t *testing.T) {
 	v := new(vault)
 	addr := "https://address.fake"