diff --git a/src/vault/client.clj b/src/vault/client.clj index 6c2d833..18a92a1 100644 --- a/src/vault/client.clj +++ b/src/vault/client.clj @@ -18,12 +18,18 @@ credentials. Possible arguments: - :token \"...\" + - :userpass {:username \"user\", :password \"hunter2\"} - :app-id {:app \"lambda_ci\", :user \"...\"}") (list-secrets [client path] "List the secrets located under a path.") + (write-secret! + [client path data] + "Writes secret(s) to a specific path. data should be a map. + Returns a boolean indicating whether the write was successful.") + (read-secret [client path] "Reads a secret from a specific path.")) @@ -72,6 +78,21 @@ app (str/join ", " (get-in response [:body :auth :policies]))) (reset! token-ref client-token)))) +(defn- authenticate-userpass! + "Updates the token ref by making a request to authenticate with a username + and password." + [api-url token-ref credentials] + (let [{:keys [username password]} credentials + response (http/post (str api-url "/v1/auth/userpass/login/" username) + {:form-params {:password password} + :content-type :json + :accept :json + :as :json})] + (when-let [client-token (get-in response [:body :auth :client_token])] + (log/infof "Successfully authenticated to Vault as %s for policies: %s" + username (str/join ", " (get-in response [:body :auth :policies]))) + (reset! token-ref client-token)))) + (defrecord HTTPClient [api-url token] @@ -83,6 +104,7 @@ (case auth-type :token (authenticate-token! token credentials) :app-id (authenticate-app! api-url token credentials) + :userpass (authenticate-userpass! api-url token credentials) ; TODO: support LDAP auth ; Unknown type 
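Review bot: In `authenticate-userpass!` (hunk `@@ -72,6 +78,21 @@`), `username` is concatenated into the login URL unescaped, so a value containing `/`, `?` or `#` changes which Vault endpoint receives the password, and a nil username posts to the bare `/v1/auth/userpass/login/` path. Validate it before building the request, e.g. `(when (or (str/blank? username) (re-find #"[/?#]" username)) (throw (IllegalArgumentException. "Invalid userpass username")))`, assuming `str` is the `clojure.string` alias already used for `str/join`. Separately, when a successful response carries no `client_token`, the `when-let` returns nil and leaves `token-ref` holding whatever token was there before. Throwing an `ex-info` in that branch would stop a caller from continuing on a stale token. The function is fully contained in the hunk.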
@@ -104,6 +126,19 @@ (log/infof "List %s (%d results)" path (count data)) data)) + (write-secret! + [this path data] + (check-path! path) + (check-auth! token) + (let [response (http/post (str api-url "/v1/" path) + {:headers {"X-Vault-Token" @token} + :form-params data + :content-type :json + :accept :json + :as :json})] + (log/infof "Wrote %s" path) + (= (:status response) 204))) + (read-secret [this path]
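Review bot: In `write-secret!`, `(log/infof "Wrote %s" path)` runs before the status is examined, so the log records a write even when the method goes on to return false. If `http` is clj-http with its default of throwing on non-2xx responses, false is only returned for a 2xx other than 204 and real failures surface as exceptions. That does not match the protocol docstring added in the first hunk ("Returns a boolean indicating whether the write was successful"), so either document the exception or pass `:throw-exceptions false`. Proposed ending for the `let` body: `(let [ok? (= (:status response) 204)] (when ok? (log/infof "Wrote %s" path)) ok?)`. The method itself is complete in the hunk, but the enclosing `defrecord HTTPClient` starts earlier and `read-secret` continues past the last visible line.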