diff --git a/tokens/libcryptsetup-token.sym b/tokens/libcryptsetup-token.sym
index 17ec59911..6ac241aaa 100644
--- a/tokens/libcryptsetup-token.sym
+++ b/tokens/libcryptsetup-token.sym
@@ -1,9 +1,13 @@
 CRYPTSETUP_TOKEN_1.0 {
-    global: cryptsetup_token_open;
-	    cryptsetup_token_open_pin;
-	    cryptsetup_token_buffer_free;
-	    cryptsetup_token_validate;
-	    cryptsetup_token_dump;
-	    cryptsetup_token_version;
-    local: *;
+	global:
+		/* Mandatory functions */
+		cryptsetup_token_open;
+		cryptsetup_token_version;
+
+		/* Optional functions */
+		cryptsetup_token_open_pin;
+		cryptsetup_token_buffer_free;
+		cryptsetup_token_validate;
+		cryptsetup_token_dump;
+	local: *;
 };
diff --git a/tokens/ssh/libcryptsetup-token-ssh.c b/tokens/ssh/libcryptsetup-token-ssh.c
index 2accb85e1..2b9ee0b36 100644
--- a/tokens/ssh/libcryptsetup-token-ssh.c
+++ b/tokens/ssh/libcryptsetup-token-ssh.c
@@ -39,13 +39,20 @@ int cryptsetup_token_open(struct crypt_device *cd, int token,
 	char **password, size_t *password_len, void *usrptr);
 void cryptsetup_token_dump(struct crypt_device *cd, const char *json);
 int cryptsetup_token_validate(struct crypt_device *cd, const char *json);
-
+void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len);
 
 const char *cryptsetup_token_version(void)
 {
 	return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR;
 }
 
+void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len)
+{
+	/* libcryptsetup API call */
+	crypt_safe_memzero(buffer, buffer_len);
+	free(buffer);
+}
+
 static json_object *get_token_jobj(struct crypt_device *cd, int token)
 {
 	const char *json_slot;