diff --git a/auth/store.go b/auth/store.go
index a18d5fa52db6..75b0ce340135 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -1269,7 +1269,7 @@ func NewTokenProvider(
 }
 
 func (as *authStore) WithRoot(ctx context.Context) context.Context {
-	if !as.IsAuthEnabled() {
+	if tt := tokenProviderType(as); tt != "simple" || !as.IsAuthEnabled() {
 		return ctx
 	}
 
diff --git a/auth/util.go b/auth/util.go
new file mode 100644
index 000000000000..0403c5ccb66a
--- /dev/null
+++ b/auth/util.go
@@ -0,0 +1,26 @@
+// Copyright 2016 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+func tokenProviderType(as *authStore) string {
+	switch as.tokenProvider.(type) {
+	case *tokenSimple:
+		return "simple"
+	case *tokenJWT:
+		return "jwt"
+	default:
+		return ""
+	}
+}