diff --git a/github/path_config.go b/github/path_config.go
index b9529ef..4b5d3cd 100644
--- a/github/path_config.go
+++ b/github/path_config.go
@@ -65,6 +65,7 @@ func (b *backend) pathConfig() *framework.Path {
 Description: descBaseURL,
 },
 },
+ ExistenceCheck: b.pathConfigExistenceCheck,
 Operations: map[logical.Operation]framework.OperationHandler{
 logical.CreateOperation: &framework.PathOperation{
 Callback: withFieldValidator(b.pathConfigWrite),
@@ -163,3 +164,19 @@ func (b *backend) pathConfigDelete(
 return nil, nil
 }
+
+// pathConfigExistenceCheck is implemented on this path to avoid breaking user
+// backwards compatibility. The CreateOperation will likely be removed in a
+// future major version of the plugin.
+func (b *backend) pathConfigExistenceCheck(
+ ctx context.Context,
+ req *logical.Request,
+ _ *framework.FieldData,
+) (bool, error) {
+ entry, err := req.Storage.Get(ctx, pathPatternConfig)
+ if err != nil {
+ return false, fmt.Errorf("%s: %w", errConfRetrieval, err)
+ }
+
+ return entry != nil && len(entry.Value) > 0, nil
+}
diff --git a/github/path_permission_set.go b/github/path_permission_set.go
index 887d706..9aaaca1 100644
--- a/github/path_permission_set.go
+++ b/github/path_permission_set.go
@@ -139,6 +139,7 @@ func (b *backend) pathPermissionSet() *framework.Path {
 Description: descPerms,
 },
 },
+ ExistenceCheck: b.pathPermissionSetExistenceCheck,
 Operations: map[logical.Operation]framework.OperationHandler{
 logical.DeleteOperation: &framework.PathOperation{
 Callback: b.pathPermissionSetDelete,
@@ -279,3 +280,20 @@ func (b *backend) pathPermissionSetListRead(
 return logical.ListResponse(permissionsets), nil
 }
+
+// pathPermissionSetExistenceCheck is implemented on this path to avoid breaking
+// user backwards compatibility. The CreateOperation will likely be removed in a
+// future major version of the plugin.
+func (b *backend) pathPermissionSetExistenceCheck(
+ ctx context.Context, req *logical.Request, d *framework.FieldData,
+) (bool, error) {
+ nameRaw := d.Get("name")
+ name := nameRaw.(string)
+
+ ps, err := getPermissionSet(ctx, name, req.Storage)
+ if err != nil {
+ return false, err
+ }
+
+ return ps != nil, nil
+}
diff --git a/github/path_token.go b/github/path_token.go
index f90ed7f..f4957cd 100644
--- a/github/path_token.go
+++ b/github/path_token.go
@@ -83,6 +83,7 @@ func (b *backend) pathToken() *framework.Path {
 Description: descPerms,
 },
 },
+ ExistenceCheck: b.pathTokenExistenceCheck,
 Operations: map[logical.Operation]framework.OperationHandler{
 // As per the issue request in https://git.io/JUhRk, allow Vault
 // Reads (i.e. HTTP GET) to also write the GitHub tokens.
@@ -166,3 +167,14 @@ func (b *backend) pathTokenWrite(
 // Perform the token request.
 return client.Token(ctx, tokReq)
 }
+
+// pathTokenExistenceCheck always returns false to force the Create path. This
+// plugin predates the framework's 'ExistenceCheck' features and we wish to
+// avoid changing any contracts with the user at this stage. Tokens are created
+// regardless of whether the request is a CREATE, UPDATE or even READ (per a
+// user's request (https://git.io/JUhRk).
+func (b *backend) pathTokenExistenceCheck(
+ context.Context, *logical.Request, *framework.FieldData,
+) (bool, error) {
+ return false, nil
+}
diff --git a/github/path_token_permission_set.go b/github/path_token_permission_set.go
index 113c76e..598b770 100644
--- a/github/path_token_permission_set.go
+++ b/github/path_token_permission_set.go
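Review bot: The type assertion `name := nameRaw.(string)` in pathPermissionSetExistenceCheck is unchecked, so it panics and takes the request down with it if the `name` field is ever declared as anything other than a string; the field schema is outside this hunk, so I cannot confirm its type. Prefer `name, ok := d.Get("name").(string)` and return an error when `!ok`. The error from getPermissionSet is also returned bare, whereas pathConfigExistenceCheck wraps its storage error with `fmt.Errorf("%s: %w", ...)`; wrapping it here would keep the two checks consistent.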
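Review bot: Returning false unconditionally from pathTokenExistenceCheck makes Vault classify every write to this path as a create, so the caller's policy is evaluated against the `create` capability. As far as I know, a path with no ExistenceCheck has its writes treated as `update`, so a policy that grants only `update` on this path may stop being able to mint tokens after this change, which is an authorization-contract change the doc comment says it wants to avoid. I would state this in the comment, e.g. `// NOTE: writes are always authorized as "create"; policies granting only "update" are denied.`, and mention it in the release notes. The same applies to pathTokenPermissionSetExistenceCheck in path_token_permission_set.go, and both comments leave the parenthesis in `(per a user's request (https://git.io/JUhRk).` unclosed.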
@@ -49,6 +49,7 @@ func (b *backend) pathTokenPermissionSet() *framework.Path {
 Description: "Required. Name of the permission set.",
 },
 },
+ ExistenceCheck: b.pathTokenPermissionSetExistenceCheck,
 Operations: map[logical.Operation]framework.OperationHandler{
 // As per the issue request in https://git.io/JUhRk, allow Vault
 // Reads (i.e. HTTP GET) to also write the GitHub tokens.
@@ -116,3 +117,14 @@ func (b *backend) pathTokenPermissionSetWrite(
 // Perform the token request.
 return client.Token(ctx, opts)
 }
+
+// pathTokenPermissionSetExistenceCheck always returns false to force the Create
+// path. This plugin predates the framework's 'ExistenceCheck' features and we
+// wish to avoid changing any contracts with the user at this stage. Tokens are
+// created regardless of whether the request is a CREATE, UPDATE or even READ
+// (per a user's request (https://git.io/JUhRk).
+func (b *backend) pathTokenPermissionSetExistenceCheck(
+ context.Context, *logical.Request, *framework.FieldData,
+) (bool, error) {
+ return false, nil
+}