diff --git a/client/config.go b/client/config.go
index 4536994b7ac820265956fbdc9375b2df1493a89a..962ccd1cb948783404052679323761775fd6d7e7 100644
--- a/client/config.go
+++ b/client/config.go
@@ -16,6 +16,7 @@ type Config struct {
 	Validity               string `mapstructure:"validity"`
 	ValidateTLSCertificate bool   `mapstructure:"validate_tls_certificate"`
 	PublicFilePrefix       string `mapstructure:"key_file_prefix"`
+	Message                string `mapstructure:"message"`
 }
 
 func setDefaults() {
@@ -24,6 +25,7 @@ func setDefaults() {
 	viper.BindPFlag("key_size", pflag.Lookup("key_size"))
 	viper.BindPFlag("validity", pflag.Lookup("validity"))
 	viper.BindPFlag("key_file_prefix", pflag.Lookup("key_file_prefix"))
+	viper.BindPFlag("message", pflag.Lookup("message"))
 	viper.SetDefault("validateTLSCertificate", true)
 }
 
diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index f0ba2f1a4c9ac36bca7b059dd2d30eb7b20111b9..3a6ecd45d6ed038cb3c16dc038de9498b6391b29 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -25,6 +25,7 @@ var (
 	validity         = pflag.Duration("validity", time.Hour*24, "Key lifetime. May be overridden by the CA at signing time")
 	keytype          = pflag.String("key_type", "", "Type of private key to generate - rsa, ecdsa or ed25519. (default \"rsa\")")
 	publicFilePrefix = pflag.String("key_file_prefix", "", "Prefix for filename for public key and cert (optional, no default)")
+	messageFlag      = pflag.String("message", "", "Message once the token is accepted.")
 	useGRPC          = pflag.Bool("use_grpc", false, "Use grpc (experimental)")
 )
 
@@ -53,10 +54,14 @@ func main() {
 	fmt.Scanln(&token)
 
 	var message string
-	fmt.Print("Enter message: ")
-	scanner := bufio.NewScanner(os.Stdin)
-	if scanner.Scan() {
-		message = scanner.Text()
+	if len(c.Message) == 0 {
+		fmt.Print("Enter message: ")
+		scanner := bufio.NewScanner(os.Stdin)
+		if scanner.Scan() {
+			message = scanner.Text()
+		}
+	} else {
+		message = c.Message
 	}
 
 	var cert *ssh.Certificate