diff --git a/website/content/api-docs/acl/tokens.mdx b/website/content/api-docs/acl/tokens.mdx
index b73acc50e..7afada637 100644
--- a/website/content/api-docs/acl/tokens.mdx
+++ b/website/content/api-docs/acl/tokens.mdx
@@ -188,6 +188,9 @@ The corresponding CLI command is [`consul acl token read`](/commands/acl/token/r
   the namespace will be inherited from the request's ACL token or will default
   to the `default` namespace. Added in Consul 1.7.0.
 
+- `expanded` `(bool: false)` - If this field is set, the contents of all policies and
+  roles affecting the token will also be returned.
+
 ### Sample Request
 
 ```shell-session
@@ -225,6 +228,92 @@ for reading other secrets which given even more permissions.
 }
 ```
 
+Sample response when setting the `expanded` parameter:
+
+```json
+{
+    "AccessorID": "fbd2447f-7479-4329-ad13-b021d74f86ba",
+    "SecretID": "869c6e91-4de9-4dab-b56e-87548435f9c6",
+    "Description": "test token",
+    "Policies": [
+        {
+            "ID": "beb04680-815b-4d7c-9e33-3d707c24672c",
+            "Name": "foo"
+        },
+        {
+            "ID": "18788457-584c-4812-80d3-23d403148a90",
+            "Name": "bar"
+        }
+    ],
+    "Local": false,
+    "CreateTime": "2020-05-22T18:52:31Z",
+    "Hash": "YWJjZGVmZ2g=",
+    "ExpandedPolicies": [
+        {
+            "ID": "beb04680-815b-4d7c-9e33-3d707c24672c",
+            "Name": "foo",
+            "Description": "user policy on token",
+            "Rules": "service_prefix \"\" {\n  policy = \"read\"\n}",
+            "Datacenters": null,
+            "Hash": null,
+            "CreateIndex": 0,
+            "ModifyIndex": 0
+        },
+        {
+            "ID": "18788457-584c-4812-80d3-23d403148a90",
+            "Name": "bar",
+            "Description": "other user policy on token",
+            "Rules": "operator = \"read\"",
+            "Datacenters": null,
+            "Hash": null,
+            "CreateIndex": 0,
+            "ModifyIndex": 0
+        },
+        {
+            "ID": "6204f4cd-4709-441c-ac1b-cb029e940263",
+            "Name": "admin policy",
+            "Description": "policy for admin role",
+            "Rules": "operator = \"write\"",
+            "Datacenters": null,
+            "Hash": null,
+            "CreateIndex": 0,
+            "ModifyIndex": 0
+        }
+    ],
+    "ExpandedRoles": [
+      {
+          "ID": "3b0a78fe-b9c3-40de-b8ea-7d4d6674b366",
+          "Name": "admin",
+          "Description": "admin role",
+          "Policies": [
+              {
+                  "ID": "6204f4cd-4709-441c-ac1b-cb029e940263",
+                  "Name": "admin policy"
+              }
+          ],
+          "ServiceIdentities": [
+              {
+                  "ServiceName": "web",
+                  "Datacenters": [
+                      "southwest"
+                  ]
+              }
+          ],
+          "Hash": null,
+          "CreateIndex": 0,
+          "ModifyIndex": 0
+      }
+    ],
+    "NamespaceDefaultPolicies": null,
+    "NamespaceDefaultRoles": null,
+    "AgentACLDefaultPolicy": "allow",
+    "AgentACLDownPolicy": "deny",
+    "ResolvedByAgent": "server-1",
+    "CreateIndex": 42,
+    "ModifyIndex": 100
+}
+```
+
 ## Read Self Token
 
 This endpoint returns the ACL token details that matches the secret ID
diff --git a/website/content/commands/acl/token/read.mdx b/website/content/commands/acl/token/read.mdx
index e249e1b38..85f0f6a4e 100644
--- a/website/content/commands/acl/token/read.mdx
+++ b/website/content/commands/acl/token/read.mdx
@@ -40,6 +40,9 @@ Usage: `consul acl token read [options] [args]`
 - `-self` - Indicates that the current HTTP token should be read by secret ID
   instead of expecting a -id option.
 
+- `-expanded` - Indicates that the contents of the policies and roles affecting
+  the token should also be shown.
+
 - `-format={pretty|json}` - Command output format. The default value is `pretty`.
 
 #### Enterprise Options
@@ -87,3 +90,39 @@ Local:        false
 Create Time:  0001-01-01 00:00:00 +0000 UTC
 Policies:
 ```
+
+Get token details (Expanded)
+
+```shell-session
+$ consul acl token read -expanded -id 986
+AccessorID:   986193b5-e2b5-eb26-6264-b524ea60cc6d
+SecretID:     ec15675e-2999-d789-832e-8c4794daa8d7
+Description:  Read Nodes and Services
+Local:        false
+Create Time:  2018-10-22 15:33:39.01789 -0400 EDT
+Policies:
+	Policy Name: foo
+		ID: beb04680-815b-4d7c-9e33-3d707c24672c
+		Description: user policy on token
+		Rules:
+			service_prefix "" {
+			  policy = "read"
+			}
+
+	Policy Name: bar
+		ID: 18788457-584c-4812-80d3-23d403148a90
+		Description: other user policy on token
+		Rules:
+			operator = "read"
+
+=== End of Authorizer Layer 0: Token ===
+=== Start of Authorizer Layer 2: Agent Configuration Defaults (Inherited) ===
+Description: Defined at request-time by the agent that resolves the ACL token; other agents may have different configuration defaults
+Resolved By Agent: "leader"
+
+Default Policy: allow
+	Description: Backstop rule used if no preceding layer has a matching rule (refer to default_policy option in agent configuration)
+
+Down Policy: deny
+	Description: Defines what to do if this Token's information cannot be read from the primary_datacenter (refer to down_policy option in agent configuration)
+```