diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 23621fcfd0..aaae1c8002 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2404,6 +2404,7 @@ virIdentityGetProcessTime;
 virIdentityGetSASLUserName;
 virIdentityGetSELinuxContext;
 virIdentityGetSystem;
+virIdentityGetSystemToken;
 virIdentityGetUNIXGroupID;
 virIdentityGetUNIXUserID;
 virIdentityGetUserName;
@@ -2416,6 +2417,7 @@ virIdentitySetProcessID;
 virIdentitySetProcessTime;
 virIdentitySetSASLUserName;
 virIdentitySetSELinuxContext;
+virIdentitySetSystemToken;
 virIdentitySetUNIXGroupID;
 virIdentitySetUNIXUserID;
 virIdentitySetUserName;
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 7edb6a171a..7da4ea12f5 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -40,6 +40,8 @@
 
 #define VIR_FROM_THIS VIR_FROM_IDENTITY
 
+#define VIR_CONNECT_IDENTITY_SYSTEM_TOKEN "system.token"
+
 VIR_LOG_INIT("util.identity");
 
 struct _virIdentity {
@@ -382,6 +384,17 @@ int virIdentityGetSELinuxContext(virIdentity *ident,
 }
 
 
+int virIdentityGetSystemToken(virIdentity *ident,
+                              const char **token)
+{
+    *token = NULL;
+    return virTypedParamsGetString(ident->params,
+                                   ident->nparams,
+                                   VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                                   token);
+}
+
+
 int virIdentitySetUserName(virIdentity *ident,
                            const char *username)
 {
@@ -554,6 +567,25 @@ int virIdentitySetSELinuxContext(virIdentity *ident,
 }
 
 
+int virIdentitySetSystemToken(virIdentity *ident,
+                              const char *token)
+{
+    if (virTypedParamsGet(ident->params,
+                          ident->nparams,
+                          VIR_CONNECT_IDENTITY_SYSTEM_TOKEN)) {
+        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                       _("Identity attribute is already set"));
+        return -1;
+    }
+
+    return virTypedParamsAddString(&ident->params,
+                                   &ident->nparams,
+                                   &ident->maxparams,
+                                   VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                                   token);
+}
+
+
 int virIdentitySetParameters(virIdentity *ident,
                              virTypedParameterPtr params,
                              int nparams)
@@ -577,6 +609,8 @@ int virIdentitySetParameters(virIdentity *ident,
                                VIR_TYPED_PARAM_STRING,
                                VIR_CONNECT_IDENTITY_SELINUX_CONTEXT,
                                VIR_TYPED_PARAM_STRING,
+                               VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                               VIR_TYPED_PARAM_STRING,
                                NULL) < 0)
         return -1;
 
diff --git a/src/util/viridentity.h b/src/util/viridentity.h
index fa3f46788c..640a7ba2e4 100644
--- a/src/util/viridentity.h
+++ b/src/util/viridentity.h
@@ -52,6 +52,8 @@ int virIdentityGetX509DName(virIdentity *ident,
                             const char **dname);
 int virIdentityGetSELinuxContext(virIdentity *ident,
                                  const char **context);
+int virIdentityGetSystemToken(virIdentity *ident,
+                              const char **token);
 
 
 int virIdentitySetUserName(virIdentity *ident,
@@ -72,6 +74,8 @@ int virIdentitySetX509DName(virIdentity *ident,
                             const char *dname);
 int virIdentitySetSELinuxContext(virIdentity *ident,
                                  const char *context);
+int virIdentitySetSystemToken(virIdentity *ident,
+                              const char *token);
 
 int virIdentitySetParameters(virIdentity *ident,
                              virTypedParameterPtr params,