diff --git a/README.md b/README.md
index e7878b80..7f4d1fde 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,31 @@ You can check your version with
 ssh -V
 ```
+## Commands
+
+### run
+`run` will run blessclient and attempt to fetch an SSH certificate from the CA. It requires blessclient to be properly configured beforehand.
+
+### import-config
+`import-config` will import blessclient configuration from a remote location and configure your local blessclient.
+
+### token
+`token` will print, json formatted, your oauth2/oidc id_token and access_token. This command requires blessclient to be properly configured beforehand. This command is not typically part of a common workflow.
+
+The output will be written to stdout. The output is json formatted and looks like
+```json
+{
+ "version": 1,
+ "id_token": "",
+ "access_token": "",
+ "expiry": "2020-07-20T12:18:02-04:00"
+}
+```
+When running this command, no other output will be written to stdout.
+
+### version
+`version` will print blessclient's version.
+
 ## Other
 ### Deploying BLESS
 There are already [several](https://github.com/lyft/python-blessclient#run-a-bless-lambda-in-aws) [great](http://marcyoung.us/post/bless-part1/) [guides](https://www.tastycidr.net/a-practical-guide-to-deploying-netflixs-bless-certificate-authority/) on how to run a BLESS lambda. If you take a moment to skim through these, you'll notice that setting up a successful BLESS deployment requires thorough knowledge of AWS Lambda and IAM. Even then, you'll probably spend hours digging through CloudWatch logs (and who likes doing that).
diff --git a/cmd/token.go b/cmd/token.go
new file mode 100644
index 00000000..b6c5e85c
--- /dev/null
+++ b/cmd/token.go
@@ -0,0 +1,66 @@
+package cmd
+
+import (
+ "encoding/json"
+ "fmt"
+ "os"
+ "time"
+
+ "github.com/chanzuckerberg/blessclient/pkg/config"
+ oidc "github.com/chanzuckerberg/go-misc/oidc_cli"
+ "github.com/pkg/errors"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ rootCmd.AddCommand(tokenCmd)
+}
+
+const (
+ stdoutTokenVersion = 1
+)
+
+type stdoutToken struct {
+ Version int `json:"version,omitempty"`
+
+ IDToken string `json:"id_token,omitempty"`
+ AccessToken string `json:"access_token,omitempty"`
+ Expiry time.Time `json:"expiry,omitempty"`
+}
+
+var tokenCmd = &cobra.Command{
+ Use: "token",
+ Short: "token prints the oidc tokens to stdout",
+ SilenceErrors: true,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ stdoutToken := &stdoutToken{
+ Version: stdoutTokenVersion,
+ }
+
+ config, err := config.FromFile(config.DefaultConfigFile)
+ if err != nil {
+ return err
+ }
+
+ token, err := oidc.GetToken(
+ cmd.Context(),
+ config.ClientConfig.OIDCClientID,
+ config.ClientConfig.OIDCIssuerURL,
+ )
+ if err != nil {
+ return err
+ }
+
+ stdoutToken.AccessToken = token.AccessToken
+ stdoutToken.IDToken = token.IDToken
+ stdoutToken.Expiry = token.Expiry
+
+ data, err := json.Marshal(stdoutToken)
+ if err != nil {
+ return errors.Wrap(err, "could not json marshal oidc token")
+ }
+
+ _, err = fmt.Fprintln(os.Stdout, string(data))
+ return errors.Wrap(err, "could not print token to stdout")
+ },
+}
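Review bot: The `omitempty` option on `Expiry time.Time` in the stdoutToken struct has no effect, because encoding/json only omits false, 0, nil pointers/interfaces and empty strings, slices, maps and arrays, never a struct value; if oidc.GetToken ever hands back a zero Expiry it is printed as `0001-01-01T00:00:00Z`, which a consumer can mistake for a real timestamp. Either drop the option, `Expiry time.Time `json:"expiry"``, or make the field `*time.Time` and leave it nil when there is no expiry. The same `omitempty` on `id_token` and `access_token` silently drops the key when a token string is empty, which differs from the shape the README hunk in this commit documents, so consider removing it there as well so consumers can rely on the keys being present. Separately, the RunE body shadows the imported `config` package with the local `config, err := config.FromFile(config.DefaultConfigFile)` and the `stdoutToken` type with a local of the same name; renaming them, e.g. `cfg, err := config.FromFile(config.DefaultConfigFile)` and `out := &stdoutToken{Version: stdoutTokenVersion}`, reads more clearly and keeps shadow linters quiet.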