diff --git a/auth/auth.go b/auth/auth.go
index 6264f13..6b03e0d 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -228,6 +228,13 @@ func (a *Authenticator) ValidateToken(token string) (*TokenInfo, error) {
 return info, nil
 }
 
+// ClearCache removes all cached token validation results. This should be
+// called when the service transitions to a state where cached tokens may
+// no longer be valid (e.g., Metacrypt sealing).
+func (a *Authenticator) ClearCache() {
+ a.cache.clear()
+}
+
 // Logout revokes a token on the MCIAS server.
 func (a *Authenticator) Logout(token string) error {
 req, err := http.NewRequestWithContext(context.Background(),
diff --git a/auth/cache.go b/auth/cache.go
index c6b19f3..1c46b88 100644
--- a/auth/cache.go
+++ b/auth/cache.go
@@ -53,6 +53,13 @@ func (c *validationCache) get(tokenHash string) (*TokenInfo, bool) {
 return entry.info, true
 }
 
+// clear removes all entries from the cache.
+func (c *validationCache) clear() {
+ c.mu.Lock()
+ c.entries = make(map[string]cacheEntry)
+ c.mu.Unlock()
+}
+
 // put stores TokenInfo in the cache with an expiration of now + TTL.
 func (c *validationCache) put(tokenHash string, info *TokenInfo) {
 c.mu.Lock()
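Review bot: ClearCache in auth/auth.go gives no hard cutoff: a ValidateToken call that is already past its cache lookup when the clear runs can still store its result afterwards, so a token validated just before sealing may keep being served from the cache until its TTL expires. This assumes ValidateToken calls `a.cache.put` after the remote check; its body is outside this hunk, so that should be confirmed. At minimum the doc comment should say so, e.g. `// Validations already in flight may repopulate the cache after ClearCache returns.` If sealing needs a strict boundary, `validationCache.clear` in the auth/cache.go hunk could bump a generation counter under `c.mu` that `put` compares before storing.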