diff --git a/src/Network/VaultTool.hs b/src/Network/VaultTool.hs
--- a/src/Network/VaultTool.hs
+++ b/src/Network/VaultTool.hs
@@ -71,8 +71,10 @@
 import Data.Maybe (catMaybes)
 import Network.HTTP.Client (Manager, newManager)
 import Network.HTTP.Client.TLS (tlsManagerSettings)
+import Network.HTTP.Types.Header (Header)
 import qualified Data.HashMap.Strict as H
 import qualified Data.Text as T
+import qualified Data.Text.Encoding as T
 
 import Network.VaultTool.Internal
 import Network.VaultTool.Types
@@ -242,6 +244,9 @@
             v .: "lease_id"
     parseJSON _ = fail "Not an Object"
 
+authTokenHeader :: VaultAuthToken -> Header
+authTokenHeader (VaultAuthToken token) = ("X-Vault-Token", T.encodeUtf8 token)
+
 -- | <https://www.vaultproject.io/docs/auth/approle.html>
 vaultAppRoleLogin :: VaultAddress -> Manager -> VaultAppRoleId -> VaultAppRoleSecretId -> IO VaultAuthToken
 vaultAppRoleLogin addr manager roleId secretId = do
@@ -261,7 +266,7 @@
     pure ()
   where
   reqBody = object [ "type" .= authMethod ]
-  headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+  headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/api/system/policies.html#create-update-acl-policy>
 vaultPolicyCreate :: VaultConnection -> Text -> Text -> IO ()
@@ -270,7 +275,7 @@
     pure ()
     where
     reqBody = object [ "policy" .= policy ]
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 data VaultAppRoleListResponse = VaultAppRoleListResponse
     { _VaultAppRoleListResponse_AppRoles :: [Text] }
@@ -333,7 +338,7 @@
     _ <- vaultRequest _VaultConnection_Manager "POST" (vaultUrl _VaultConnection_VaultAddress "/auth/approle/role/" ++ T.unpack appRoleName) headers (Just varp) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/api/auth/approle/index.html#read-approle-role-id>
 vaultAppRoleRoleIdRead :: VaultConnection -> Text -> IO VaultAppRoleId
@@ -344,7 +349,7 @@
       Left err -> throwIO $ VaultException_ParseBodyError "GET" ("/auth/approle/role/" ++ T.unpack appRoleName ++ "/role-id") (encode d) err
       Right obj -> return obj
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 data VaultAppRoleSecretIdGenerateResponse = VaultAppRoleSecretIdGenerateResponse
     { _VaultAppRoleSecretIdGenerateResponse_SecretIdAccessor :: VaultAppRoleSecretIdAccessor
@@ -368,14 +373,14 @@
       Right obj -> return obj
     where
     reqBody = object[ "metadata" .= metadata ]
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 vaultSeal :: VaultConnection -> IO ()
 vaultSeal VaultConnection{_VaultConnection_VaultAddress, _VaultConnection_Manager, _VaultConnection_AuthToken} = do
     _ <- vaultRequest _VaultConnection_Manager "PUT" (vaultUrl _VaultConnection_VaultAddress "/sys/seal") headers (Nothing :: Maybe ()) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/http/sys-unseal.html>
 --
@@ -469,14 +474,14 @@
         Left err -> throwIO $ VaultException_ParseBodyError "GET" reqPath (encode rspObj) err
         Right obj -> pure $ sortOn fst (H.toList obj)
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/http/sys-mounts.html>
 vaultMountTune :: VaultConnection -> Text -> IO VaultMountConfigRead
 vaultMountTune VaultConnection{_VaultConnection_VaultAddress, _VaultConnection_Manager, _VaultConnection_AuthToken} mountPoint = do
     vaultRequestJSON _VaultConnection_Manager "GET" (vaultUrl _VaultConnection_VaultAddress "/sys/mounts/" ++ T.unpack mountPoint ++ "/tune") headers (Nothing :: Maybe ()) [200]
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/http/sys-mounts.html>
 vaultMountSetTune :: VaultConnection -> Text -> VaultMountConfigWrite -> IO ()
@@ -485,7 +490,7 @@
     _ <- vaultRequest _VaultConnection_Manager "POST" (vaultUrl _VaultConnection_VaultAddress "/sys/mounts/" ++ T.unpack mountPoint ++ "/tune") headers (Just reqBody) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/http/sys-mounts.html>
 vaultNewMount :: VaultConnection -> Text -> VaultMountWrite -> IO ()
@@ -494,7 +499,7 @@
     _ <- vaultRequest _VaultConnection_Manager "POST" (vaultUrl _VaultConnection_VaultAddress "/sys/mounts/" ++ T.unpack mountPoint) headers (Just reqBody) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/http/sys-mounts.html>
 vaultUnmount :: VaultConnection -> Text -> IO ()
@@ -502,7 +507,7 @@
     _ <- vaultRequest _VaultConnection_Manager "DELETE" (vaultUrl _VaultConnection_VaultAddress "/sys/mounts/" ++ T.unpack mountPoint) headers (Nothing :: Maybe ()) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 data VaultSecretMetadata = VaultSecretMetadata
     { _VaultSecretMetadata_leaseDuration :: Int
@@ -528,7 +533,7 @@
     _ <- vaultRequest _VaultConnection_Manager "POST" (vaultUrl _VaultConnection_VaultAddress "/" ++ T.unpack location) headers (Just reqBody) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 vaultRead
     :: FromJSON a
@@ -561,7 +566,7 @@
                 Right data_ -> pure (metadata, Right data_)
 
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 -- | <https://www.vaultproject.io/docs/secrets/generic/index.html>
 vaultDelete :: VaultConnection -> VaultSecretPath -> IO ()
@@ -569,7 +574,7 @@
     _ <- vaultRequest _VaultConnection_Manager "DELETE" (vaultUrl _VaultConnection_VaultAddress "/" ++ T.unpack location) headers (Nothing :: Maybe ()) [204]
     pure ()
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
 
 data VaultListResult = VaultListResult [Text]
 
@@ -597,7 +602,7 @@
     VaultListResult keys <- vaultRequestJSON _VaultConnection_Manager "LIST" (vaultUrl _VaultConnection_VaultAddress "/" ++ T.unpack location) headers (Nothing :: Maybe ()) [200]
     pure $ map (VaultSecretPath . (withTrailingSlash `T.append`)) keys
     where
-    headers = [("X-Vault-Token", unVaultAuthToken _VaultConnection_AuthToken)]
+    headers = [authTokenHeader _VaultConnection_AuthToken]
     withTrailingSlash
         | T.null location = "/"
         | T.last location == '/' = location
diff --git a/src/Network/VaultTool/Types.hs b/src/Network/VaultTool/Types.hs
--- a/src/Network/VaultTool/Types.hs
+++ b/src/Network/VaultTool/Types.hs
@@ -7,7 +7,6 @@
 import Data.ByteString (ByteString)
 import Data.Text (Text)
 import qualified Data.ByteString.Lazy as BL
-import qualified Data.Text.Encoding as T
 
 newtype VaultAddress = VaultAddress { unVaultAddress :: Text }
     deriving (Show, Eq, Ord)
@@ -15,13 +14,13 @@
 newtype VaultUnsealKey = VaultUnsealKey { unVaultUnsealKey :: Text }
     deriving (Show, Eq, Ord)
 
-newtype VaultAuthToken = VaultAuthToken { unVaultAuthToken :: ByteString }
+newtype VaultAuthToken = VaultAuthToken { unVaultAuthToken :: Text }
     deriving (Show, Eq, Ord)
 
 instance FromJSON VaultAuthToken where
     parseJSON j = do
         text <- parseJSON j
-        pure (VaultAuthToken (T.encodeUtf8 text))
+        pure (VaultAuthToken text)
 
 newtype VaultSecretPath = VaultSecretPath { unVaultSecretPath :: Text }
     deriving (Show, Eq, Ord)
diff --git a/vault-tool.cabal b/vault-tool.cabal
--- a/vault-tool.cabal
+++ b/vault-tool.cabal
@@ -1,5 +1,5 @@
 name:                vault-tool
-version:             0.0.0.4
+version:             0.1.0.0
 synopsis:            Client library for HashiCorp's Vault tool (via HTTP API)
 description:         Client library for HashiCorp's Vault tool (via HTTP API)
 license:             MIT
