diff --git a/internal/apiserver/apiserver.go b/internal/apiserver/apiserver.go
index 8d96de532..bf411d620 100644
--- a/internal/apiserver/apiserver.go
+++ b/internal/apiserver/apiserver.go
@@ -57,7 +57,7 @@ type Config struct {
 }
 
 type ExtraConfig struct {
- Webhook authenticator.Token
+ TokenAuthenticator authenticator.Token
 Issuer credentialrequest.CertIssuer
 StartControllersPostStartHook func(ctx context.Context)
 }
@@ -111,7 +111,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 NegotiatedSerializer: Codecs,
 }
 
- credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.Webhook, c.ExtraConfig.Issuer)
+ credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.TokenAuthenticator, c.ExtraConfig.Issuer)
 
 v1alpha1Storage, ok := apiGroupInfo.VersionedResourcesStorageMap[gvr.Version]
 if !ok {
diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go
index 6c12a6bfd..626f39482 100644
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@@ -37,16 +37,16 @@ type CertIssuer interface {
 IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error)
 }
 
-func NewREST(webhook authenticator.Token, issuer CertIssuer) *REST {
+func NewREST(tokenAuthenticator authenticator.Token, issuer CertIssuer) *REST {
 return &REST{
- webhook: webhook,
- issuer: issuer,
+ tokenAuthenticator: tokenAuthenticator,
+ issuer: issuer,
 }
 }
 
 type REST struct {
- webhook authenticator.Token
- issuer CertIssuer
+ tokenAuthenticator authenticator.Token
+ issuer CertIssuer
 }
 
 func (r *REST) New() runtime.Object {
@@ -78,7 +78,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 }
 }()
 
- authResponse, authenticated, err := r.webhook.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value)
+ authResponse, authenticated, err := r.tokenAuthenticator.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value)
 if err != nil {
 traceFailureWithError(t, "webhook authentication", err)
 return failureResponse(), nil
diff --git a/internal/server/server.go b/internal/server/server.go
index 1dcdb8083..774c9e4ea 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -14,9 +14,9 @@ import (
 
 "github.com/spf13/cobra"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apiserver/pkg/authentication/authenticator"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
- "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
 "k8s.io/klog/v2"
@@ -241,7 +241,7 @@ func getClusterCASigner(ctx context.Context, serverInstallationNamespace string)
 // Create a configuration for the aggregated API server.
 func getAggregatedAPIServerConfig(
 dynamicCertProvider provider.DynamicTLSServingCertProvider,
- webhookTokenAuthenticator *webhook.WebhookTokenAuthenticator,
+ tokenAuthenticator authenticator.Token,
 ca credentialrequest.CertIssuer,
 startControllersPostStartHook func(context.Context),
 ) (*apiserver.Config, error) {
@@ -270,7 +270,7 @@ func getAggregatedAPIServerConfig(
 apiServerConfig := &apiserver.Config{
 GenericConfig: serverConfig,
 ExtraConfig: apiserver.ExtraConfig{
- Webhook: webhookTokenAuthenticator,
+ TokenAuthenticator: tokenAuthenticator,
 Issuer: ca,
 StartControllersPostStartHook: startControllersPostStartHook,
 },
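Review bot: In rest.go's `Create` hunk the failure trace still reads `"webhook authentication"` even though the call now goes through the generic `r.tokenAuthenticator`. Once a non-webhook `authenticator.Token` is plugged in, traces will blame a webhook for its failures, which sends anyone triaging authentication errors to the wrong component. Update the label in the same change, for example `traceFailureWithError(t, "token authentication", err)`. `Create` begins and ends outside this hunk, so any other trace steps in it that name the webhook would need the same rename.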
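Review bot: In server.go's `getAggregatedAPIServerConfig` signature hunk, the parameter is now the `authenticator.Token` interface, and nothing visible in this diff rejects a nil value before `NewREST` stores it and `Create` calls `r.tokenAuthenticator.AuthenticateToken`. A missing authenticator would therefore surface as a nil dereference on the first credential request instead of as a startup error. The function already returns an error, so a guard at the top such as `if tokenAuthenticator == nil { return nil, errors.New("token authenticator is required") }` (using whichever error constructor the file already imports) would fail closed at construction time. This check does not catch a typed-nil pointer wrapped in the interface, so callers should pass a literal nil or a fully built authenticator; the function body lies mostly outside the hunk, so an existing check there cannot be ruled out.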