diff --git a/defaults/main.yml b/defaults/main.yml
index 379c960d..2c958992 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,7 +60,7 @@ keystone_system_comment: keystone system user
 keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
 
 ## Drivers
-keystone_auth_methods: "password,token"
+keystone_auth_methods: "password,token,application_credential"
 keystone_identity_driver: sql
 keystone_token_provider: fernet
 keystone_token_expiration: 43200
diff --git a/releasenotes/notes/app-credentials-709e7ae0573b4955.yaml b/releasenotes/notes/app-credentials-709e7ae0573b4955.yaml
new file mode 100644
index 00000000..3e1b8a1d
--- /dev/null
+++ b/releasenotes/notes/app-credentials-709e7ae0573b4955.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    Application credentials are now enabled by default as a keystone
+    authentication method. If deployments do not wish to enable
+    application credentials then the existing keystone_auth_methods variable
+    can be overidden with the required set of authentication methods.