diff --git a/pkg/registry/authentication/tokenreview/storage.go b/pkg/registry/authentication/tokenreview/storage.go
index 0f3d73ac35f..f512907e6e5 100644
--- a/pkg/registry/authentication/tokenreview/storage.go
+++ b/pkg/registry/authentication/tokenreview/storage.go
@@ -49,6 +49,10 @@ func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, include
 		return nil, apierrors.NewBadRequest(fmt.Sprintf("namespace is not allowed on this type: %v", namespace))
 	}
 
+	if len(tokenReview.Spec.Token) == 0 {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("token is required for TokenReview in authentication"))
+	}
+
 	if r.tokenAuthenticator == nil {
 		return tokenReview, nil
 	}