diff --git a/manifests/controller.pp b/manifests/controller.pp
index cfb0b81..e4792e1 100644
--- a/manifests/controller.pp
+++ b/manifests/controller.pp
@@ -6,6 +6,8 @@
 # [public_interface] Public interface used to route public traffic. Required.
 # [public_address] Public address for public endpoints. Required.
 # [public_protocol] Protocol used by public endpoints. Defaults to 'http'
+# [token_format] Format keystone uses for tokens. Optional. Defaults to PKI.
+#   Supports PKI and UUID.
 # [private_interface] Interface used for vm networking connectivity. Required.
 # [internal_address] Internal address used for management. Required.
 # [mysql_root_password] Root password for mysql server.
@@ -177,6 +179,7 @@ class openstack::controller (
   $region                  = 'RegionOne',
   $public_protocol         = 'http',
   $keystone_token_driver   = 'keystone.token.backends.sql.Token',
+  $token_format            = 'PKI',
   # Glance
   $glance_registry_host    = '0.0.0.0',
   $glance_db_user          = 'glance',
@@ -344,6 +347,7 @@ class openstack::controller (
     token_driver              => $keystone_token_driver,
     public_address            => $public_address,
     public_protocol           => $public_protocol,
+    token_format              => $token_format,
     internal_address          => $internal_address_real,
     admin_address             => $admin_address_real,
     region                    => $region,
diff --git a/manifests/keystone.pp b/manifests/keystone.pp
index 56eb5b0..ef38de9 100644
--- a/manifests/keystone.pp
+++ b/manifests/keystone.pp
@@ -15,6 +15,8 @@
 # [nova_user_password] Auth password for nova user. Required.
 # [public_address] Public address where keystone can be accessed. Required.
 # [public_protocol] Public protocol over which keystone can be accessed. Defaults to 'http'
+# [token_format] Format keystone uses for tokens. Optional. Defaults to PKI.
+#   Supports PKI and UUID.
 # [db_type] Type of DB used. Currently only supports mysql. Optional. Defaults to  'mysql'
 # [db_user] Name of keystone db user. Optional. Defaults to  'keystone'
 # [db_name] Name of keystone DB. Optional. Defaults to  'keystone'
@@ -61,6 +63,7 @@ class openstack::keystone (
   $neutron_user_password,
   $public_address,
   $public_protocol          = 'http',
+  $token_format             = 'PKI',
   $db_host                  = '127.0.0.1',
   $idle_timeout             = '200',
   $swift_user_password      = false,
@@ -201,6 +204,7 @@ class openstack::keystone (
     catalog_type   => 'sql',
     admin_token    => $admin_token,
     token_driver   => $token_driver,
+    token_format   => $token_format,
     enabled        => $enabled,
     sql_connection => $sql_conn,
   }
diff --git a/spec/classes/openstack_controller_spec.rb b/spec/classes/openstack_controller_spec.rb
index 5e67c96..516532d 100644
--- a/spec/classes/openstack_controller_spec.rb
+++ b/spec/classes/openstack_controller_spec.rb
@@ -198,6 +198,7 @@ describe 'openstack::controller' do
           :enabled        => true,
           :admin_token    => 'keystone_admin_token',
           :token_driver   => 'keystone.token.backends.sql.Token',
+          :token_format   => 'PKI',
           :sql_connection => "mysql://keystone:keystone_pass@127.0.0.1/keystone"
         )
 
diff --git a/spec/classes/openstack_keystone_spec.rb b/spec/classes/openstack_keystone_spec.rb
index e99768a..6a66bf3 100644
--- a/spec/classes/openstack_keystone_spec.rb
+++ b/spec/classes/openstack_keystone_spec.rb
@@ -37,6 +37,7 @@ describe 'openstack::keystone' do
         :idle_timeout   => '200',
         :catalog_type   => 'sql',
         :admin_token    => 'token',
+        :token_format   => 'PKI',
         :enabled        => true,
         :token_driver   => 'keystone.token.backends.sql.Token',
         :sql_connection => 'mysql://keystone:pass@127.0.0.1/keystone'