diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebcc5e7fa..e5ca62b74 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,9 @@ policy names are not currently normalized when reading or deleting. [GH-676] IMPROVEMENTS:
- * api: API client now uses a 30 second timeout instead of indefinite [GH-681]
+ * api: API client now uses a 60 second timeout instead of indefinite [GH-681]
+ * api: Implement LookupSelf, RenewSelf, and RevokeSelf functions for auth
+ tokens [GH-739]
 * audit: HMAC-SHA256'd client tokens are now stored with each request entry. Previously they were only displayed at creation time; this allows much better traceability of client actions. [GH-713]
diff --git a/api/auth_token.go b/api/auth_token.go
index be8342523..1e636f22b 100644
--- a/api/auth_token.go
+++ b/api/auth_token.go
@@ -25,6 +25,18 @@ func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
 return ParseSecret(resp.Body)
 }

+func (c *TokenAuth) LookupSelf() (*Secret, error) {
+ r := c.c.NewRequest("POST", "/v1/auth/token/lookup-self")
+
+ resp, err := c.c.RawRequest(r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ return ParseSecret(resp.Body)
+}
+
 func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
 r := c.c.NewRequest("PUT", "/v1/auth/token/renew/"+token)

@@ -42,6 +54,23 @@ func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
 return ParseSecret(resp.Body)
 }

+func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
+ r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")
+
+ body := map[string]interface{}{"increment": increment}
+ if err := r.SetJSONBody(body); err != nil {
+ return nil, err
+ }
+
+ resp, err := c.c.RawRequest(r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ return ParseSecret(resp.Body)
+}
+
 func (c *TokenAuth) RevokeOrphan(token string) error {
 r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan/"+token)
 resp, err := c.c.RawRequest(r)
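Review bot: `LookupSelf` sends the lookup as a POST, although it only reads token metadata and carries no body. If the server registers lookup-self as a read route, this call will be rejected, and the test hunk in this commit never calls `LookupSelf`, so nothing would catch it. Unless the route is known to accept writes, use `r := c.c.NewRequest("GET", "/v1/auth/token/lookup-self")`. The server-side routing is not visible in this diff, so confirm it against the token store before merging.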
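Review bot: `RenewSelf`, like `LookupSelf` in the previous hunk and `RevokeSelf` in the later one, is exported without a doc comment, and its difference from `Renew` is security-relevant enough to state. `Renew` builds its path as `"/v1/auth/token/renew/"+token`, so the token value can end up wherever request URLs are recorded (access logs, proxies), while the self variant keeps it out of the URL. Suggested: `// RenewSelf renews the token this client is authenticated with; unlike Renew, the token is not placed in the request path.` The unit of `increment` is not visible in this hunk and should be documented once confirmed.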
@@ -64,6 +93,17 @@ func (c *TokenAuth) RevokePrefix(token string) error {
 return nil
 }

+func (c *TokenAuth) RevokeSelf() error {
+ r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
+ resp, err := c.c.RawRequest(r)
+ if err != nil {
+ return err
+ }
+ defer resp.Body.Close()
+
+ return nil
+}
+
 func (c *TokenAuth) RevokeTree(token string) error {
 r := c.c.NewRequest("PUT", "/v1/auth/token/revoke/"+token)
 resp, err := c.c.RawRequest(r)
diff --git a/api/auth_token_test.go b/api/auth_token_test.go
index e99b5d9f8..2511ad201 100644
--- a/api/auth_token_test.go
+++ b/api/auth_token_test.go
@@ -79,4 +79,18 @@ func TestAuthTokenRenew(t *testing.T) {
 if secret.Auth.Renewable != true {
 t.Error("expected lease to be renewable")
 }
+
+ // Do the same thing with the self variant
+ secret, err = client.Auth().Token().RenewSelf(0)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if secret.Auth.LeaseDuration != 3600 {
+ t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+ }
+
+ if secret.Auth.Renewable != true {
+ t.Error("expected lease to be renewable")
+ }
 }
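Review bot: `RevokeSelf` leaves the client holding the token it has just revoked, since the body never touches client state, so a caller that keeps using the same client will send a dead credential on every later request. Either clear the token on success or document the behaviour, e.g. `// RevokeSelf revokes the token this client is using; the client still holds the revoked token afterwards and must be given a new one before further use.` The method also returns nil whenever `RawRequest` returns no error; whether a non-2xx status becomes an error is decided inside `RawRequest`, which is outside this diff.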
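Review bot: The failure message formats `secret.Auth.LeaseDuration` with `%q`, but the value is compared against the numeric literal 3600, so a failing run would print a quoted character literal or a bad-verb marker instead of the number. Assuming the field is an integer (its declaration is not in this diff), use `t.Errorf("expected 1h, got %d", secret.Auth.LeaseDuration)`. The added assertions also cover only `RenewSelf`; `LookupSelf` and `RevokeSelf` from this commit have no test here. `TestAuthTokenRenew` begins outside the hunk.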