diff --git a/docker/pypi/wmagent/bin/manage b/docker/pypi/wmagent/bin/manage
index 0307cc9c9..c3181367f 100755
--- a/docker/pypi/wmagent/bin/manage
+++ b/docker/pypi/wmagent/bin/manage
@@ -150,7 +150,8 @@ init_wmagent(){
 --rucio_account=$RUCIO_ACCOUNT \
 --rucio_host=$RUCIO_HOST \
 --rucio_auth=$RUCIO_AUTH \
- --mspileup_url=$MSPILEUP_URL
+ --mspileup_url=$MSPILEUP_URL \
+ --oauth_cms_token_name=$OAUTH_CMS_TOKEN_NAME
 let errVal+=$?
diff --git a/docker/pypi/wmagent/bin/manage-common.sh b/docker/pypi/wmagent/bin/manage-common.sh
index 683eb0b12..4c0f68b08 100644
--- a/docker/pypi/wmagent/bin/manage-common.sh
+++ b/docker/pypi/wmagent/bin/manage-common.sh
@@ -446,6 +446,9 @@ _load_wmasecrets(){
 if [[ -z $GRAFANA_TOKEN ]]; then
 echo "$FUNCNAME: ERROR: Secrets file doesnt contain GRAFANA_TOKEN"; let errVal+=1
 fi
+ if [[ -z $OAUTH_CMS_TOKEN_NAME ]]; then
+ echo "$FUNCNAME: WARNING: Secrets file doesnt contain OAUTH_CMS_TOKEN_NAME, disabling tokens in remote jobs.";
+ fi
 # CouchDB settings
 # if couch ssl certificate not specified check X509_USER_CERT and X509_USER_PROXY
diff --git a/docker/pypi/wmagent/wmagent-docker-run.sh b/docker/pypi/wmagent/wmagent-docker-run.sh
index d53a2fb95..6bdbe1e58 100755
--- a/docker/pypi/wmagent/wmagent-docker-run.sh
+++ b/docker/pypi/wmagent/wmagent-docker-run.sh
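Review bot: The new OAUTH_CMS_TOKEN_NAME check in _load_wmasecrets (manage-common.sh hunk) only prints a warning to stdout and leaves errVal untouched, so a secrets file with a missing or misspelled key quietly switches the agent to running remote jobs without tokens. The message says tokens are being disabled, but nothing visible in the hunk disables them: the init_wmagent hunk in bin/manage still passes `--oauth_cms_token_name=$OAUTH_CMS_TOKEN_NAME`, which then expands to an empty value, and whether the init command treats an empty value as "off" cannot be seen here and should be confirmed. I would send the warning to stderr by ending the echo with `>&2`, and add a comment above the check such as `# optional: when empty, remote jobs run without OAuth tokens` so the fallback is a documented decision rather than an accident. Both functions continue outside their hunks.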
@@ -48,6 +48,35 @@ while getopts ":t:hp" opt; do
 esac
 done
+## if the VM does not have a valid token from bastion, do not initialize the
+## WMAgent.
+## If a valid token is present, then the expected output is
+# cmst1@vocms0262:dmapelli $ condor_store_cred query-oauth -u cmst1@cms
+# Account: cmst1@cms
+# CredType: oauth
+# A credential was stored and is valid.
+# Credential info:
+# cms_wmagent.top = 1756459330
+# cms_wmagent.use = 1756469269
+# fully_qualified_user = "cmst1@cms"
+# cmst1@vocms0262:dmapelli $ echo $?
+# 0
+## If there is no valid token, then the output is
+# cmst1@vocms0193:dmapelli $ condor_store_cred query-oauth -u cmst1@cms
+# Account: cmst1@cms
+# CredType: oauth
+# Operation failed.
+# Make sure your ALLOW_WRITE setting includes this host.
+# cmst1@vocms0193:dmapelli $ echo $?
+# 1
+if condor_store_cred query-oauth -u cmst1@cms; then
+ echo "condor_store_cred found a valid token. WMAgent can be initialized"
+else
+ echo "WARNING! condor_store_cred did NOT find a valid token. The WMAgent can not be initialized"
+ exit 1
+fi
+
+
 # Parsing the WMA_TAG in parts step by step
 WMA_VER_MINOR=${WMA_TAG#*.*.}
 WMA_VER_MAJOR=${WMA_TAG%.$WMA_VER_MINOR}
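Review bot: The `if condor_store_cred query-oauth -u cmst1@cms` guard hard-codes the account and cannot tell "no valid token" from "condor_store_cred is not installed or cannot reach the credd", because every failure takes the same else branch and prints the same warning. I would test `command -v condor_store_cred >/dev/null` first with its own message, read the account from a variable that defaults to `cmst1@cms`, and end the failure echo with `>&2`. The guard is also unconditional, while the manage-common.sh hunk treats a missing OAUTH_CMS_TOKEN_NAME as a warning that merely disables tokens; if token-less agents are meant to stay supported (not visible from here), this exit should be skipped in that case. The pasted transcript in the comment publishes internal host names and a personal user name, which placeholders would document just as well. It also shows status 0 only next to "A credential was stored and is valid", so what the command returns for a stored but expired token is worth confirming before relying on the exit code alone.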