diff --git a/pam/auth_client.c b/pam/auth_client.c
index ff1617f00a6b569e66ec3da8da9a811be0ec9b65..dab622614d663b08085b2d21f5aa21811db369ab 100644
--- a/pam/auth_client.c
+++ b/pam/auth_client.c
@@ -192,7 +192,8 @@ int auth_client_authenticate(auth_client_t ac,
                              const char *username,
                              const char *password,
                              const char *otp_token,
-                             const char *source_ip) {
+                             const char *source_ip,
+			     const char *shard) {
   struct curl_slist *headers = NULL;
   struct cbuf form;
   struct cbuf responsebuf;
@@ -212,6 +213,9 @@ int auth_client_authenticate(auth_client_t ac,
   if (source_ip) {
     post_field_add(&form, "source_ip", source_ip);
   }
+  if (shard) {
+    post_field_add(&form, "shard", shard);
+  }
   curl_easy_setopt(ac->c, CURLOPT_POSTFIELDS, form.buf);
 
   // Set request headers.
diff --git a/pam/auth_client.h b/pam/auth_client.h
index 8228bb09bf5de453fe2a037e253a02e1ce88524b..a7bfa53754337071071685854926cff176f69635 100644
--- a/pam/auth_client.h
+++ b/pam/auth_client.h
@@ -27,6 +27,7 @@ int auth_client_authenticate(auth_client_t ac,
                              const char *username,
                              const char *password,
                              const char *otp_token,
-                             const char *source_ip);
+                             const char *source_ip,
+			     const char *shard);
 
 #endif
diff --git a/pam/auth_client_test.cc b/pam/auth_client_test.cc
index da49a473921d24c4e5c445264c8848a83577dea5..b8251e40cbe54a9123ea5321f930f6ce1da0b6f4 100644
--- a/pam/auth_client_test.cc
+++ b/pam/auth_client_test.cc
@@ -54,7 +54,7 @@ TEST_F(AuthClientTest, AuthOK) {
   result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key);
   EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
 
-  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL);
   EXPECT_EQ(AC_OK, result) << "authenticate() error: " << auth_client_strerror(result)
                            << ", server=" << server;
 }
@@ -65,7 +65,7 @@ TEST_F(AuthClientTest, AuthFail) {
   result = auth_client_set_certificate(ac, ssl_ca, ssl_cert, ssl_key);
   EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
 
-  result = auth_client_authenticate(ac, "user", "bad_password", NULL, "127.0.0.1");
+  result = auth_client_authenticate(ac, "user", "bad_password", NULL, "127.0.0.1", NULL);
   EXPECT_NE(AC_OK, result) << "authenticate() didn't fail"
                            << ", server=" << server;
 }
@@ -82,7 +82,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCertificate) {
   result = auth_client_set_certificate(ac, ssl_ca, ssl_ca, ssl_key);
   EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
 
-  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL);
   EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
 }
 
@@ -93,7 +93,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCAClientSide) {
   result = auth_client_set_certificate(ac, ssl_bad_ca, ssl_cert, ssl_key);
   EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
 
-  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL);
   EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
 }
 
@@ -104,7 +104,7 @@ TEST_F(AuthClientTest, SSLFailsWithBadCAServerSide) {
   result = auth_client_set_certificate(ac, ssl_ca, ssl_bad_cert, ssl_bad_key);
   EXPECT_EQ(AC_OK, result) << "set_certificate() error: " << auth_client_strerror(result);
 
-  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1");
+  result = auth_client_authenticate(ac, "user", "pass", NULL, "127.0.0.1", NULL);
   EXPECT_NE(AC_OK, result) << "authenticate() didn't fail, server=" << server;
 }
 
diff --git a/pam/pam_authclient.c b/pam/pam_authclient.c
index 506eb02ac949ad7b7c85f8a523417bdab3c89e39..27eca190cfa78796a0aef1daffe5f10a6fc2b5a3 100644
--- a/pam/pam_authclient.c
+++ b/pam/pam_authclient.c
@@ -55,6 +55,7 @@ struct cfg {
   char *ssl_crt;
   char *ssl_key;
   char *ca_file;
+  char *shard;
 };
 
 static void parse_cfg(int argc, const char **argv, struct cfg *cfg) {
@@ -76,6 +77,8 @@ static void parse_cfg(int argc, const char **argv, struct cfg *cfg) {
       cfg->ssl_key = (char *)(argv[i] + 8);
     } else if (!strncmp(argv[i], "ca=", 3)) {
       cfg->ca_file = (char *)(argv[i] + 3);
+    } else if (!strncmp(argv[i], "shard=", 6)) {
+      cfg->shard = (char *)(argv[i] + 6);
     }
   }
 }
@@ -155,7 +158,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
   // Allow two authentication attempts in case we receive an
   // OTP_REQUIRED response from the server.
   for (i = 0; i < 2; i++) {
-    int ac_err = auth_client_authenticate(ac, username, password, otp_token, source_ip);
+    int ac_err = auth_client_authenticate(ac, username, password, otp_token, source_ip, cfg.shard);
     if (ac_err == AC_OK) {
       retval = PAM_SUCCESS;
     } else if (ac_err == AC_ERR_OTP_REQUIRED) {