diff --git a/vault/auth.go b/vault/auth.go
new file mode 100644
index 000000000..85009d604
--- /dev/null
+++ b/vault/auth.go
@@ -0,0 +1,13 @@
+package vault
+
+// setupCredentials is invoked after we've loaded the mount table to
+// initialize the credential backends and setup the router
+func (c *Core) setupCredentials() error {
+	return nil
+}
+
+// teardownCredentials is used before we seal the vault to reset the credential
+// backends to their unloaded state. This is reversed by loadCredentials.
+func (c *Core) teardownCredentials() error {
+	return nil
+}
diff --git a/vault/core.go b/vault/core.go
index 83b6e4920..38f71c297 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -492,12 +492,18 @@ func (c *Core) postUnseal() error {
 	if err := c.setupTokenStore(); err != nil {
 		return nil
 	}
+	if err := c.setupCredentials(); err != nil {
+		return nil
+	}
 	return nil
 }
 
 // preSeal is invoked before the barrier is sealed, allowing
 // for any state teardown required.
 func (c *Core) preSeal() error {
+	if err := c.teardownCredentials(); err != nil {
+		return err
+	}
 	if err := c.teardownTokenStore(); err != nil {
 		return err
 	}