diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go
index 43ff764de9..57bb6c596d 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go
@@ -62,11 +62,17 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
 		if len(record) < 3 {
 			return nil, fmt.Errorf("token file '%s' must have at least 3 columns (token, user name, user uid), found %d", path, len(record))
 		}
+
+		recordNum++
+		if record[0] == "" {
+			glog.Warningf("empty token has been found in token file '%s', record number '%d'", path, recordNum)
+			continue
+		}
+
 		obj := &user.DefaultInfo{
 			Name: record[1],
 			UID:  record[2],
 		}
-		recordNum++
 		if _, exist := tokens[record[0]]; exist {
 			glog.Warningf("duplicate token has been found in token file '%s', record number '%d'", path, recordNum)
 		}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile_test.go
index 6fd13ba2d8..c02d4f1b69 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile_test.go
@@ -125,6 +125,16 @@ func TestInsufficientColumnsTokenFile(t *testing.T) {
 	}
 }
 
+func TestEmptyTokenTokenFile(t *testing.T) {
+	auth, err := newWithContents(t, ",user5,uid5\n")
+	if err != nil {
+		t.Fatalf("unexpected error %v", err)
+	}
+	if len(auth.tokens) != 0 {
+		t.Fatalf("empty token should not be recorded")
+	}
+}
+
 func newWithContents(t *testing.T, contents string) (auth *TokenAuthenticator, err error) {
 	f, err := ioutil.TempFile("", "tokenfile_test")
 	if err != nil {