diff --git a/config/context.go b/config/context.go
index b1f78504..7c74dc3c 100644
--- a/config/context.go
+++ b/config/context.go
@@ -29,6 +29,7 @@ import (
 	rbacv1 "github.com/rancher/types/apis/rbac.authorization.k8s.io/v1"
 	storagev1 "github.com/rancher/types/apis/storage.k8s.io/v1"
 	"github.com/rancher/types/config/dialer"
+	"github.com/rancher/types/config/systemtokens"
 	"github.com/rancher/types/peermanager"
 	"github.com/rancher/types/user"
 	"github.com/rancher/wrangler-api/pkg/generated/controllers/rbac"
@@ -57,6 +58,7 @@ type ScaledContext struct {
 	Schemas           *types.Schemas
 	AccessControl     types.AccessControl
 	Dialer            dialer.Factory
+	SystemTokens      systemtokens.Interface
 	UserManager       user.Manager
 	PeerManager       peermanager.PeerManager
 	CatalogManager    CatalogManager
@@ -98,6 +100,7 @@ func (c *ScaledContext) NewManagementContext() (*ManagementContext, error) {
 	}
 	mgmt.Dialer = c.Dialer
 	mgmt.UserManager = c.UserManager
+	mgmt.SystemTokens = c.SystemTokens
 	mgmt.CatalogManager = c.CatalogManager
 	c.managementContext = mgmt
 	return mgmt, nil
@@ -177,6 +180,7 @@ type ManagementContext struct {
 	Scheme            *runtime.Scheme
 	Dialer            dialer.Factory
 	UserManager       user.Manager
+	SystemTokens      systemtokens.Interface
 	CatalogManager    CatalogManager
 
 	Management managementv3.Interface
diff --git a/config/systemtokens/systemtokens.go b/config/systemtokens/systemtokens.go
new file mode 100644
index 00000000..e6038b14
--- /dev/null
+++ b/config/systemtokens/systemtokens.go
@@ -0,0 +1,6 @@
+package systemtokens
+
+type Interface interface {
+	EnsureSystemToken(name, description, kind, username string, overrideTTL *int64, randomize bool) (string, error)
+	DeleteToken(tokenName string) error
+}
diff --git a/user/manager.go b/user/manager.go
index 72f81742..aa958c59 100644
--- a/user/manager.go
+++ b/user/manager.go
@@ -9,8 +9,9 @@ import (
 type Manager interface {
 	SetPrincipalOnCurrentUser(apiContext *types.APIContext, principal v3.Principal) (*v3.User, error)
 	GetUser(apiContext *types.APIContext) string
-	EnsureToken(tokenName, description, kind, userName string) (string, error)
-	EnsureClusterToken(clusterName, tokenName, description, kind, userName string) (string, error)
+	EnsureToken(tokenName, description, kind, userName string, ttl *int64, randomize bool) (string, error)
+	EnsureClusterToken(clusterName, tokenName, description, kind, userName string, ttl *int64, randomize bool) (string, error)
+	DeleteToken(tokenName string) error
 	EnsureUser(principalName, displayName string) (*v3.User, error)
 	CheckAccess(accessMode string, allowedPrincipalIDs []string, userPrincipalID string, groups []v3.Principal) (bool, error)
 	SetPrincipalOnCurrentUserByUserID(userID string, principal v3.Principal) (*v3.User, error)