diff --git a/server/nkey.go b/server/nkey.go
index 87b20a4f..61eac1af 100644
--- a/server/nkey.go
+++ b/server/nkey.go
@@ -33,7 +33,7 @@ func (s *Server) NonceRequired() bool {
 // nonceRequired tells us if we should send a nonce.
 // Lock should be held on entry.
 func (s *Server) nonceRequired() bool {
- return len(s.nkeys) > 0 || s.trustedKeys != nil
+ return s.opts.AlwaysEnableNonce || len(s.nkeys) > 0 || s.trustedKeys != nil
 }

 // Generate a nonce for INFO challenge.
diff --git a/server/nkey_test.go b/server/nkey_test.go
index b11954a0..2a5a7cc1 100644
--- a/server/nkey_test.go
+++ b/server/nkey_test.go
@@ -54,6 +54,28 @@ func mixedSetup() (*Server, *testAsyncClient, *bufio.Reader, string) {
 return rawSetup(opts)
 }

+func TestServerInfoNonceAlwaysEnabled(t *testing.T) {
+ opts := defaultServerOptions
+ opts.AlwaysEnableNonce = true
+ s, c, _, l := rawSetup(opts)
+ defer s.WaitForShutdown()
+ defer s.Shutdown()
+ defer c.close()
+
+ if !strings.HasPrefix(l, "INFO ") {
+ t.Fatalf("INFO response incorrect: %s\n", l)
+ }
+
+ var info nonceInfo
+ err := json.Unmarshal([]byte(l[5:]), &info)
+ if err != nil {
+ t.Fatalf("Could not parse INFO json: %v\n", err)
+ }
+ if info.Nonce == "" {
+ t.Fatalf("Expected a non-empty nonce with AlwaysEnableNonce set")
+ }
+}
+
 func TestServerInfoNonce(t *testing.T) {
 c, l := setUpClientWithResponse()
 defer c.close()
diff --git a/server/opts.go b/server/opts.go
index 6a3e37a8..0d82f14d 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -262,6 +262,11 @@ type Options struct {
 AccountResolver AccountResolver `json:"-"`
 AccountResolverTLSConfig *tls.Config `json:"-"`

+ // AlwaysEnableNonce will always present a nonce to new connections
+ // typically used by custom Authentication implementations who embeds
+ // the server and so not presented as a configuration option
+ AlwaysEnableNonce bool
+
 CustomClientAuthentication Authentication `json:"-"`
 CustomRouterAuthentication Authentication `json:"-"`
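Review bot: The new `s.opts.AlwaysEnableNonce` read in nonceRequired (server/nkey.go) dereferences s.opts directly, while the function's comment only promises that the server lock is held. If the options pointer can be swapped at runtime, for example on a configuration reload guarded by a separate options lock, this is an unsynchronized read on the path that decides whether a connection is challenged. Going through the options accessor, e.g. `return s.getOpts().AlwaysEnableNonce || len(s.nkeys) > 0 || s.trustedKeys != nil`, would avoid that, assuming the accessor is safe to call with the server lock held. The comment above the function could also mention that the option forces a nonce even when no nkeys or trusted keys are configured.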
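Review bot: TestServerInfoNonceAlwaysEnabled (server/nkey_test.go) only proves that INFO carries some non-empty nonce; it never exercises the case the option exists for, a custom authenticator working with the nonce the client was sent. A second case with `CustomClientAuthentication` set, comparing the nonce available to the authenticator with `info.Nonce`, would pin that down; whether the authenticator interface exposes the nonce is not visible in this diff. Minor style: the `t.Fatalf` messages end in `\n`, and the last call has no format arguments, so `t.Fatal("Expected a non-empty nonce with AlwaysEnableNonce set")` would do.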
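Review bot: The comment on `AlwaysEnableNonce` (server/opts.go) should state the security contract, since enabling it only makes the server advertise a nonce and authenticates nothing by itself. I would add a line such as `// The nonce alone authenticates nothing; the custom Authentication must verify the client's signature over it.` and fix the wording "implementations who embeds" to "implementations that embed". The field also carries no struct tag although the comment says it is not a configuration option and its neighbours use `json:"-"`; if Options is ever marshalled, giving the new field the same tag keeps it out of the output. The Options struct starts and ends outside this hunk.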