diff --git a/.changelog/15121.txt b/.changelog/15121.txt
new file mode 100644
index 000000000..a321c7b64
--- /dev/null
+++ b/.changelog/15121.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+wi: Fixed a bug where clients running pre-1.4.0 allocations would erase the token used to query service registrations after upgrade
+```
diff --git a/client/allocrunner/taskrunner/identity_hook.go b/client/allocrunner/taskrunner/identity_hook.go
index f318b89b2..cbbfa6ffd 100644
--- a/client/allocrunner/taskrunner/identity_hook.go
+++ b/client/allocrunner/taskrunner/identity_hook.go
@@ -36,7 +36,9 @@ func (h *identityHook) Prestart(ctx context.Context, req *interfaces.TaskPrestar
 defer h.lock.Unlock()
 token := h.tr.alloc.SignedIdentities[h.taskName]
- h.tr.setNomadToken(token)
+ if token != "" {
+ h.tr.setNomadToken(token)
+ }
 return nil
 }
@@ -45,6 +47,8 @@ func (h *identityHook) Update(_ context.Context, req *interfaces.TaskUpdateReque
 defer h.lock.Unlock()
 token := h.tr.alloc.SignedIdentities[h.taskName]
- h.tr.setNomadToken(token)
+ if token != "" {
+ h.tr.setNomadToken(token)
+ }
 return nil
 }
diff --git a/client/allocrunner/taskrunner/task_runner.go b/client/allocrunner/taskrunner/task_runner.go
index 6f8e45c04..12f1abf26 100644
--- a/client/allocrunner/taskrunner/task_runner.go
+++ b/client/allocrunner/taskrunner/task_runner.go
@@ -424,6 +424,10 @@ func NewTaskRunner(config *Config) (*TaskRunner, error) {
 return nil, err
 }
+ // Use the client secret only as the initial value; the identity hook will
+ // update this with a workload identity if one is available
+ tr.setNomadToken(config.ClientConfig.Node.SecretID)
+
 // Initialize the runners hooks. Must come after initDriver so hooks
 // can use tr.driverCapabilities
 tr.initHooks()
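Review bot: The new `if token != ""` guard in Prestart, repeated in the Update hunk that follows, has no comment explaining why an empty identity is skipped, so a later cleanup could remove it and bring the token erasure back. I would add above each guard `// Allocations placed before workload identities have no signed identity; keep the token the task runner already holds instead of overwriting it with ""`. The same three lines now appear in both methods, so a small private helper on identityHook would keep the two paths from drifting apart. Both method bodies begin above the lines shown in these hunks.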
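Review bot: Seeding the task runner with `config.ClientConfig.Node.SecretID` means any allocation without a signed identity keeps operating with the node's own secret, a client-level credential rather than one scoped to the workload, and the added comment does not say where that value is allowed to go. It is worth confirming that every reader of the task runner's token uses it only for client-side calls and never hands it to the task (environment, rendered files, logs); those readers are outside this hunk, so this is a question rather than a finding. I would extend the comment with `// The node secret is a client credential: it must not be exposed to the task or logged`. The chained dereference also assumes `config.ClientConfig.Node` is non-nil at this point, which the visible lines do not establish. NewTaskRunner begins and continues outside the hunk.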