diff --git a/pylxd/client.py b/pylxd/client.py
index 804f15ab..bd76aeda 100644
--- a/pylxd/client.py
+++ b/pylxd/client.py
@@ -11,6 +11,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import base64
 import json
 import os
 import re
@@ -545,7 +546,22 @@ def authenticate(self, secret, use_token_auth=True):
 return
 cert = open(self.api.session.cert[0]).read().encode("utf-8")
- if self.has_api_extension("explicit_trust_token") and use_token_auth:
+ # Quirk to handle 5.21 that supports explicit trust tokens as well as
+ # password auth. We need to ascertain if the provided secret is indeed a
+ # token before trying to use it as such.
+ secret_is_a_token = False
+ if use_token_auth and self.has_api_extension("explicit_trust_token"):
+ token = None
+ try:
+ b64 = base64.b64decode(secret)
+ token = json.loads(b64.decode("utf-8"))
+ except (TypeError, ValueError, json.JSONDecodeError, base64.binascii.Error):
+ pass
+
+ if token:
+ secret_is_a_token = "secret" in token
+
+ if secret_is_a_token:
 self.certificates.create(password="", cert_data=cert, secret=secret)
 else:
 self.certificates.create(password=secret, cert_data=cert)
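Review bot: The `"secret" in token` test after the try block assumes the decoded JSON is an object, but a password that happens to be valid base64 for a JSON number or boolean (a constructed example: `MTIz`, which decodes to `123`) passes `if token:` and then raises an uncaught TypeError, so authenticate() fails instead of falling back to password auth. A JSON string or list would not raise but would be tested by substring or element membership, which is not the intended check. Replace the `if token:` pair with `secret_is_a_token = isinstance(token, dict) and "secret" in token`. Separately, `base64.binascii.Error` reaches into an import that base64 does not document as public; binascii.Error, json.JSONDecodeError and UnicodeDecodeError are all ValueError subclasses, so `except (TypeError, ValueError):` covers the same cases. The body of authenticate() starts and ends outside this hunk.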