diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index 4cd94483595..c5592a857d5 100644
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -62,8 +62,6 @@ EOF
 
   ### Without provided --token, the exec credential plugin should be triggered
   # Pre-condition: Client certificate authentication enabled on the API server - already checked by positive test above
-  
-  kube_flags_without_token=('-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify=true')
 
   # Command
   output2=$(kubectl "${kube_flags_without_token[@]:?}" --kubeconfig="${TMPDIR:-/tmp}"/invalid_exec_plugin.yaml get namespace kube-system -o name 2>&1 || true)
diff --git a/test/cmd/legacy-script.sh b/test/cmd/legacy-script.sh
index ee6a9d97038..9f63b836b5a 100755
--- a/test/cmd/legacy-script.sh
+++ b/test/cmd/legacy-script.sh
@@ -342,11 +342,13 @@ runTests() {
     '-s' "http://127.0.0.1:${API_PORT}"
   )
 
-  # token defined in hack/testdata/auth-tokens.csv
-  kube_flags_with_token=(
-    '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--token=admin-token' '--insecure-skip-tls-verify=true'
+  kube_flags_without_token=(
+    '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify=true'
   )
 
+  # token defined in hack/testdata/auth-tokens.csv
+  kube_flags_with_token=( "${kube_flags_without_token[@]}" '--token=admin-token' )
+
   if [[ -z "${ALLOW_SKEW:-}" ]]; then
     kube_flags+=('--match-server-version')
     kube_flags_with_token+=('--match-server-version')