diff --git a/command-snapshot.json b/command-snapshot.json
index 63d771f..3166805 100644
--- a/command-snapshot.json
+++ b/command-snapshot.json
@@ -12,7 +12,7 @@
     "command": "api:request:rest",
     "flagAliases": [],
     "flagChars": ["H", "S", "X", "b", "f", "i", "o"],
-    "flags": ["body", "file", "flags-dir", "header", "include", "method", "stream-to-file", "target-org"],
+    "flags": ["body", "file", "flags-dir", "header", "include", "method", "no-auth", "stream-to-file", "target-org"],
     "plugin": "@salesforce/plugin-api"
   }
 ]
diff --git a/messages/rest.md b/messages/rest.md
index f5c2ddf..52c31aa 100644
--- a/messages/rest.md
+++ b/messages/rest.md
@@ -81,4 +81,8 @@ HTTP header in "key:value" format.
 
 # flags.body.summary
 
-File or content for the body of the HTTP request. Specify "-" to read from standard input or "" for an empty body. If passing a file, prefix the filename with '@'. 
+File or content for the body of the HTTP request. Specify "-" to read from standard input or "" for an empty body. If passing a file, prefix the filename with '@'.
+
+# flags.no-auth.summary
+
+Don't add the "Authorization: Bearer <token>" header to the request.
diff --git a/src/commands/api/request/rest.ts b/src/commands/api/request/rest.ts
index 78a9f1f..830a0b2 100644
--- a/src/commands/api/request/rest.ts
+++ b/src/commands/api/request/rest.ts
@@ -81,6 +81,9 @@ export class Rest extends SfCommand<void> {
       helpValue: 'file',
       char: 'b',
     }),
+    'no-auth': Flags.boolean({
+      summary: messages.getMessage('flags.no-auth.summary'),
+    }),
   };
 
   public static args = {
@@ -138,20 +141,27 @@ export class Rest extends SfCommand<void> {
       headers = { ...headers, ...body.getHeaders() };
     }
 
-    // refresh access token to ensure `got` gets a valid access token.
-    // TODO: we could skip this step if we used jsforce's HTTP module instead (handles expired tokens).
-    await org.refreshAuth();
+    const skipAuth = flags['no-auth'];
+    if (!skipAuth) {
+      // refresh access token to ensure `got` gets a valid access token.
+      // TODO: we could skip this step if we used jsforce's HTTP module instead (handles expired tokens).
+      await org.refreshAuth();
+    }
 
     const options = {
       agent: { https: new ProxyAgent() },
       method,
       headers: {
         ...SFDX_HTTP_HEADERS,
-        Authorization: `Bearer ${
-          // we don't care about apiVersion here, just need to get the access token.
-          // eslint-disable-next-line sf-plugin/get-connection-with-version
-          org.getConnection().getConnectionOptions().accessToken!
-        }`,
+        ...(skipAuth
+          ? {}
+          : {
+              Authorization: `Bearer ${
+                // we don't care about apiVersion here, just need to get the access token.
+                // eslint-disable-next-line sf-plugin/get-connection-with-version
+                org.getConnection().getConnectionOptions().accessToken!
+              }`,
+            }),
         ...headers,
       },
       body,