diff --git a/README.md b/README.md
index 8844686..5bc29b1 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,11 @@ An SSL certificate signed by your site’s Puppet CA
 The private key for that certificate
+### PE_TOKEN
+
+If set, PE token authentication will be used instead of certificate authentication.
+Value may be a token _or_ path to a file containing a token.
+
 Plugins
 -------
diff --git a/lib/puppet-ghostbuster/puppetdb.rb b/lib/puppet-ghostbuster/puppetdb.rb
index 1545632..f6fa532 100644
--- a/lib/puppet-ghostbuster/puppetdb.rb
+++ b/lib/puppet-ghostbuster/puppetdb.rb
@@ -13,14 +13,25 @@ class PuppetDB
 end
 def self.client
- @@client ||= ::PuppetDB::Client.new({
- server: ENV['PUPPETDB_URL'] || @@puppetdb,
- pem: {
- 'key' => ENV['PUPPETDB_KEY_FILE'] || Puppet[:hostprivkey],
- 'cert' => ENV['PUPPETDB_CERT_FILE'] || Puppet[:hostcert],
- 'ca_file' => ENV['PUPPETDB_CACERT_FILE'] || Puppet[:localcacert],
- },
- }, 4)
+ @@client ||= begin
+ options = {
+ server: ENV['PUPPETDB_URL'] || @@puppetdb,
+ }
+
+ if ENV['PE_TOKEN']
+ token_file = File.expand_path(ENV['PE_TOKEN'])
+ options[:token] = File.exist?(token_file) ? File.read(token_file) : ENV.fetch('PE_TOKEN')
+ options[:cacert] = ENV['PUPPETDB_CACERT_FILE'] || Puppet[:localcacert]
+ else
+ options[:pem] = {
+ 'key' => ENV['PUPPETDB_KEY_FILE'] || Puppet[:hostprivkey],
+ 'cert' => ENV['PUPPETDB_CERT_FILE'] || Puppet[:hostcert],
+ 'ca_file' => ENV['PUPPETDB_CACERT_FILE'] || Puppet[:localcacert],
+ }
+ end
+
+ ::PuppetDB::Client.new(options, 4)
+ end
 end
 def client
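Review bot: In `self.client`, the `options[:token]` line accepts any existing path as a token file and passes its raw contents on unchanged. `File.exist?` is also true for directories, and an empty `PE_TOKEN` is truthy in Ruby and expands to the working directory, so an exported-but-empty variable raises `Errno::EISDIR` instead of falling back to certificate authentication. A token file that ends with a newline also yields a token with trailing whitespace, which presumably ends up in the authentication header sent to PuppetDB. I would write `options[:token] = File.file?(token_file) ? File.read(token_file).strip : ENV.fetch('PE_TOKEN')` and open the branch with `if ENV['PE_TOKEN'] && !ENV['PE_TOKEN'].empty?`.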