diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
index a49c8b2eb..1ac476ee1 100644
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@@ -627,6 +627,11 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 		return err
 	}
 
+	// Ensure ACLs are enabled and this call is made with one
+	if acl == nil {
+		return structs.ErrPermissionDenied
+	}
+
 	// Setup the blocking query
 	opts := blockingOptions{
 		queryOpts: &args.QueryOptions,
@@ -638,12 +643,17 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 				return err
 			}
 
-			// Check management level permissions or that the secret ID matches the
-			// accessor ID
-			if acl != nil && out != nil {
-				if !acl.IsManagement() && out.SecretID != args.SecretID {
+			if out == nil {
+				// If the token doesn't resolve, only allow management tokens to
+				// block.
+				if !acl.IsManagement() {
 					return structs.ErrPermissionDenied
 				}
+
+				// Check management level permissions or that the secret ID matches the
+				// accessor ID
+			} else if !acl.IsManagement() && out.SecretID != args.SecretID {
+				return structs.ErrPermissionDenied
 			}
 
 			// Setup the output
diff --git a/website/source/api/acl-tokens.html.md b/website/source/api/acl-tokens.html.md
index 487a13c66..e964927d6 100644
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@@ -241,7 +241,7 @@ The table below shows this endpoint's support for
 
 | Blocking Queries | Consistency Modes | ACL Required |
 | ---------------- | ----------------- | ------------ |
-| `YES`            | `all`             | `management` for query other tokens<br>Matching SecretID to AccessorID for querying self |
+| `YES`            | `all`             | `management` or a SecretID matching the AccessorID |
 
 ### Sample Request