diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index eed76b39496..cea16bb5dcf 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -138,6 +138,9 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 var flow string
 switch {
+ case ko.FulcioAuthFlow != "":
+ // Caller manually set flow option.
+ flow = ko.FulcioAuthFlow
 case idToken != "":
 flow = FlowToken
 case !term.IsTerminal(0):
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
index db36e9235b7..77957137c8f 100644
--- a/cmd/cosign/cli/options/key.go
+++ b/cmd/cosign/cli/options/key.go
@@ -30,6 +30,10 @@ type KeyOpts struct {
 OIDCClientSecret string
 OIDCRedirectURL string
 BundlePath string
+ // FulcioAuthFlow is the auth flow to use when authenticating against
+ // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
+ // for valid values.
+ FulcioAuthFlow string
 // Modeled after InsecureSkipVerify in tls.Config, this disables
 // verifying the SCT.
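Review bot: The added `case ko.FulcioAuthFlow != "":` copies the caller's string into `flow` without checking it, and because it is the first case it also bypasses the `idToken != ""` and `!term.IsTerminal(0)` selection below it. A typo, or `FlowToken` requested while `idToken` is empty, is then rejected only if the code that consumes `flow` later in NewSigner does so; that part of the function is outside this hunk. I would validate the value here against the package's flow constants and return an error for anything else. The comment should also state the precedence: `// An explicit FulcioAuthFlow overrides auto-detection, including a supplied identity token.`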
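Review bot: The doc comment on `FulcioAuthFlow` does not say what the zero value means or that a non-empty value overrides automatic flow selection, which a caller running in a non-interactive environment needs to know. Suggest adding `// Empty selects the flow automatically; a non-empty value is used as-is and takes precedence over an identity token.` The precedence is taken from the NewSigner hunk in this same diff. KeyOpts continues outside the hunk.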