diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index 85800b4029..6ba5df45b5 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -1103,26 +1103,36 @@ ManagedCredentialType(
         }, {
             'id': 'username',
             'label': ugettext_noop('Username'),
-            'type': 'string'
+            'type': 'string',
+            'help_text': ugettext_noop('The Ansible Tower user to authenticate as.'
+                                       'This should not be set if an OAuth token is being used.')
         }, {
             'id': 'password',
             'label': ugettext_noop('Password'),
             'type': 'string',
             'secret': True,
+        }, {
+            'id': 'oauth_token',
+            'label': ugettext_noop('OAuth Token'),
+            'type': 'string',
+            'secret': True,
+            'help_text': ugettext_noop('An OAuth token to use to authenticate to Tower with.'
+                                       'This should not be set if username/password are being used.')
         }, {
             'id': 'verify_ssl',
             'label': ugettext_noop('Verify SSL'),
             'type': 'boolean',
             'secret': False
         }],
-        'required': ['host', 'username', 'password'],
+        'required': ['host'],
     },
     injectors={
         'env': {
             'TOWER_HOST': '{{host}}',
             'TOWER_USERNAME': '{{username}}',
             'TOWER_PASSWORD': '{{password}}',
-            'TOWER_VERIFY_SSL': '{{verify_ssl}}'
+            'TOWER_VERIFY_SSL': '{{verify_ssl}}',
+            'TOWER_OAUTH_TOKEN': '{{oauth_token}}'
         }
     },
 )
diff --git a/awx/main/tests/data/inventory/plugins/tower/env.json b/awx/main/tests/data/inventory/plugins/tower/env.json
index abdfef7e8d..9ce3d90f95 100644
--- a/awx/main/tests/data/inventory/plugins/tower/env.json
+++ b/awx/main/tests/data/inventory/plugins/tower/env.json
@@ -3,5 +3,6 @@
     "TOWER_HOST": "https://foo.invalid",
     "TOWER_PASSWORD": "fooo",
     "TOWER_USERNAME": "fooo",
+    "TOWER_OAUTH_TOKEN": "",
     "TOWER_VERIFY_SSL": "False"
 }
\ No newline at end of file
diff --git a/awx/main/tests/functional/test_inventory_source_injectors.py b/awx/main/tests/functional/test_inventory_source_injectors.py
index 7e35f9a51b..392abf8535 100644
--- a/awx/main/tests/functional/test_inventory_source_injectors.py
+++ b/awx/main/tests/functional/test_inventory_source_injectors.py
@@ -124,6 +124,9 @@ def fake_credential_factory():
         for var in var_specs.keys():
             inputs[var] = generate_fake_var(var_specs[var])
 
+        if source == 'tower':
+            inputs.pop('oauth_token')  # mutually exclusive with user/pass
+
         return Credential.objects.create(
             credential_type=ct,
             inputs=inputs