diff --git a/htdecodetoken b/htdecodetoken
index 96f8adc..35fbe8f 100755
--- a/htdecodetoken
+++ b/htdecodetoken
@@ -182,8 +182,16 @@ if [ $? != 0 ]; then
     # silently exit if scitokens-verify not found
     exit
 fi
-VERIFYOUT="$($VERIFY $TOKEN)"
+# scitokens-verify from scitokens-cpp versions greater than 1.2.0
+# accepts token on stdin.  That's safer to use so try it first.
+# The echo command is a shell builtin so it won't show up even
+# temporarily in a ps list.
+VERIFYOUT="$(echo $TOKEN | $VERIFY 2>&1)"
 RET=$?
+if [ $RET != 0 ] && [[ "$VERIFYOUT" == *"Insufficient arguments"* ]]; then
+    VERIFYOUT="$($VERIFY $TOKEN)"
+    RET=$?
+fi
 if [ $RET != 0 ]; then
     if [ -n "$VERIFYOUT" ]; then
         echo "$VERIFYOUT" >&2
diff --git a/htgettoken.1 b/htgettoken.1
index be113f1..a6b4f4e 100644
--- a/htgettoken.1
+++ b/htgettoken.1
@@ -151,7 +151,7 @@ order to work.
 .TP
 .BR \-\-novaulttoken
 Disable all authentication methods that get vault tokens.
-Currently this equivalent to
+Currently this is equivalent to
 .IR \-\-nooidc\ \-\-nokerberos\ \-\-nossh .
 .BR 
 .TP
diff --git a/htgettoken.spec b/htgettoken.spec
index ee1feb4..540a961 100644
--- a/htgettoken.spec
+++ b/htgettoken.spec
@@ -74,6 +74,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+
+# - Have htdecodetoken take advantage of new scitokens-verify ability
+#   to read from stdin, when available.
+
 * Mon Dec  1 2025 Dave Dykstra <dwd@fnal.gov> 2.5-1
 - Add htdestroytoken -f option to force a removal of a refresh token in
   vault.