diff --git a/command/config/util.go b/command/config/util.go
index 3dd09fdec..1ac47df7e 100644
--- a/command/config/util.go
+++ b/command/config/util.go
@@ -5,6 +5,7 @@ import (
 )
 
 // DefaultTokenHelper returns the token helper that is configured for Vault.
+// This helper should only be used for non-server CLI commands.
 func DefaultTokenHelper() (token.TokenHelper, error) {
 	config, err := LoadConfig("")
 	if err != nil {
diff --git a/command/token/helper_external.go b/command/token/helper_external.go
index 917d44573..7fd25b061 100644
--- a/command/token/helper_external.go
+++ b/command/token/helper_external.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 )
 
+// ExternalTokenHelperPath should only be used in dev mode.
 // ExternalTokenHelperPath takes the configured path to a helper and expands it to
 // a full absolute path that can be executed. As of 0.5, the default token
 // helper is internal, to avoid problems running in dev mode (see GH-850 and
@@ -38,6 +39,8 @@ func ExternalTokenHelperPath(path string) (string, error) {
 
 var _ TokenHelper = (*ExternalTokenHelper)(nil)
 
+// ExternalTokenHelper should only be used in a dev mode. For all other cases,
+// InternalTokenHelper should be used.
 // ExternalTokenHelper is the struct that has all the logic for storing and retrieving
 // tokens from the token helper. The API for the helpers is simple: the
 // BinaryPath is executed within a shell with environment Env. The last argument
diff --git a/command/util.go b/command/util.go
index def0a1e05..4f9614e23 100644
--- a/command/util.go
+++ b/command/util.go
@@ -14,6 +14,7 @@ import (
 )
 
 // DefaultTokenHelper returns the token helper that is configured for Vault.
+// This helper should only be used for non-server CLI commands.
 func DefaultTokenHelper() (token.TokenHelper, error) {
 	return config.DefaultTokenHelper()
 }