diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 57ffc4df6f..215bb8aeb2 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1093,7 +1093,7 @@ public Collection createComponents(
 final XFFResolver xffResolver = new XFFResolver(threadPool);
 backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
- tokenManager = new SecurityTokenManager(cs, threadPool, userService);
+ tokenManager = new SecurityTokenManager(cs, threadPool, userService, settings, localClient);
 final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
diff --git a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
index 2ba1ebcb8c..b3a6791b99 100644
--- a/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
+++ b/src/main/java/org/opensearch/security/configuration/ConfigurationRepository.java
@@ -201,9 +201,13 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
 try (StoredContext ctx = threadContext.stashContext()) {
 threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");
- createSecurityIndexIfAbsent();
+ createSecurityIndexIfAbsent(securityIndex);
+ if (true) {
+ createSecurityIndexIfAbsent(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX);
+ }
 waitForSecurityIndexToBeAtLeastYellow();
+
 final int initializationDelaySeconds = settings.getAsInt(
 ConfigConstants.SECURITY_UNSUPPORTED_DELAY_INITIALIZATION_SECONDS,
 0
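Review bot: `if (true) {` around the second createSecurityIndexIfAbsent call is a placeholder guard that is always taken, so either call `createSecurityIndexIfAbsent(ConfigConstants.OPENSEARCH_API_TOKENS_INDEX);` unconditionally or gate it on a real settings flag so clusters that do not use API tokens do not get the extra index. The following `waitForSecurityIndexToBeAtLeastYellow();` appears, from its name, to wait only for the configured security index, so the tokens index may still be unallocated when initialization proceeds; if that method reads `securityIndex`, a parallel wait for the tokens index is worth considering. Nothing in this diff registers `.opensearch_security_api_tokens` alongside the security index in the plugin's system/protected index handling; if that is not done elsewhere in the change, an index holding tokens would be reachable through ordinary index APIs for users with broad index permissions. initalizeClusterConfiguration continues outside the hunk.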
@@ -324,15 +328,15 @@ private void setupAuditConfigurationIfAny(final boolean auditConfigDocPresent) {
 }
 }
- private boolean createSecurityIndexIfAbsent() {
+ private boolean createSecurityIndexIfAbsent(String indexName) {
 try {
 final Map indexSettings = ImmutableMap.of("index.number_of_shards", 1, "index.auto_expand_replicas", "0-all");
- final CreateIndexRequest createIndexRequest = new CreateIndexRequest(securityIndex).settings(indexSettings);
+ final CreateIndexRequest createIndexRequest = new CreateIndexRequest(indexName).settings(indexSettings);
 final boolean ok = client.admin().indices().create(createIndexRequest).actionGet().isAcknowledged();
- LOGGER.info("Index {} created?: {}", securityIndex, ok);
+ LOGGER.info("Index {} created?: {}", indexName, ok);
 return ok;
 } catch (ResourceAlreadyExistsException resourceAlreadyExistsException) {
- LOGGER.info("Index {} already exists", securityIndex);
+ LOGGER.info("Index {} already exists", indexName);
 return false;
 }
 }
diff --git a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
index 8a0c3e85f1..13c6493cd7 100644
--- a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
+++ b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
@@ -19,8 +19,11 @@ import org.apache.logging.log4j.Logger;
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.client.Client;
+import org.opensearch.client.Response;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.identity.Subject;
 import org.opensearch.identity.noop.NoopSubject;
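Review bot: The method now takes an arbitrary index name but carries no Javadoc stating what it creates or what its boolean return means, and with two call sites that contract is worth writing down. A header such as `/** Creates {@code indexName} with one shard and replicas auto-expanded to all nodes. Returns true when the create request was acknowledged, false when the index already existed; any other create failure propagates. */` covers what the body shows. `indexName` could also be declared `final`, matching the other locals in the method. The method is fully visible in the hunk.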
@@ -32,6 +35,7 @@ import org.opensearch.security.securityconf.ConfigModel;
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.SecurityIndexHandler;
 import org.opensearch.security.user.User;
 import org.opensearch.security.user.UserService;
 import org.opensearch.threadpool.ThreadPool;
@@ -52,8 +56,8 @@ public class SecurityTokenManager implements TokenManager {
 private JwtVendor jwtVendor = null;
 private ConfigModel configModel = null;
-
- public SecurityTokenManager(final ClusterService cs, final ThreadPool threadPool, final UserService userService) {
+ private SecurityIndexHandler securityIndexHandler;
+ public SecurityTokenManager(final ClusterService cs, final ThreadPool threadPool, final UserService userService, final Settings settings, final Client client) {
 this.cs = cs;
 this.threadPool = threadPool;
 this.userService = userService;
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index f35afc6489..9e6c980bff 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -370,6 +370,9 @@ public enum RolesMappingResolution {
 // Variable for initial admin password support
 public static final String OPENSEARCH_INITIAL_ADMIN_PASSWORD = "OPENSEARCH_INITIAL_ADMIN_PASSWORD";
+ // API Tokens index
+ public static final String OPENSEARCH_API_TOKENS_INDEX = ".opensearch_security_api_tokens";
+
 public static Set getSettingAsSet(
 final Settings settings,
 final String key,
diff --git a/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java b/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java
index d686b145b2..65e6d827b5 100644
--- a/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java
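Review bot: `private SecurityIndexHandler securityIndexHandler;` is declared, but the visible constructor lines neither initialize it nor store the new `settings` and `client` parameters; the constructor body continues past the hunk, so if that happens further down this is only a style remark, otherwise the field stays null and both parameters are dead. If it is assigned in the constructor, declare it `private final SecurityIndexHandler securityIndexHandler;` like the other injected collaborators. The blank line between the last field and the constructor was removed and should be restored, and the new signature is long enough that one parameter per line reads better than a single line. The imports hunk above adds `org.opensearch.client.Response` and `ActionListener`; if they are not consumed by the rest of this change they should be dropped rather than left for a later patch.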
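Review bot: `// API Tokens index` does not tell a reader that this constant is a literal index name rather than a settings key, which is what most neighbouring constants in this class are; the existing security index name is operator-configurable through `SECURITY_CONFIG_INDEX_NAME`, while this one is fixed. Suggest `// Name of the index that stores API tokens (a fixed index name, not a settings key); keep in sync with the system/protected index registration` so the coupling is visible to whoever edits it next. If the tokens index should be configurable for parity with the security index, a settings key with this value as its default would fit the class better.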
+++ b/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java
@@ -21,6 +21,7 @@ import org.junit.runner.RunWith;
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.client.Client;
 import org.opensearch.cluster.ClusterName;
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.settings.Settings;
@@ -69,9 +70,14 @@ public class SecurityTokenManagerTest {
 @Mock
 private UserService userService;
+ @Mock
+ private Settings settings;
+ @Mock
+ private Client client;
+
 @Before
 public void setup() {
- tokenManager = spy(new SecurityTokenManager(cs, threadPool, userService));
+ tokenManager = spy(new SecurityTokenManager(cs, threadPool, userService, settings, client));
 }
 @After
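Review bot: `@Mock private Settings settings;` mocks a value class whose unstubbed getters return null or zero, so anything the token manager reads from settings in its constructor is exercised against a mock rather than real defaults; `private final Settings settings = Settings.EMPTY;` (or `Settings.builder().build()` with the keys under test) gives deterministic behaviour and, since Settings is a final class as far as I recall, also avoids depending on the inline mock maker. The `Client` mock is reasonable for a collaborator, but nothing in this hunk asserts how the manager uses it; once the constructor actually consumes it, a test of that interaction would be expected. setup() is fully visible; the test class continues outside the hunk.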