diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
index c7b56bd11..1ac476ee1 100644
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@@ -622,10 +622,13 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 }
 defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())
- // Check management level permissions
- if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
+ acl, err := a.srv.resolveToken(args.SecretID)
+ if err != nil {
 return err
- } else if acl == nil || !acl.IsManagement() {
+ }
+
+ // Ensure ACLs are enabled and this call is made with one
+ if acl == nil {
 return structs.ErrPermissionDenied
 }
@@ -640,6 +643,19 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 return err
 }
+ if out == nil {
+ // If the token doesn't resolve, only allow management tokens to
+ // block.
+ if !acl.IsManagement() {
+ return structs.ErrPermissionDenied
+ }
+
+ // Check management level permissions or that the secret ID matches the
+ // accessor ID
+ } else if !acl.IsManagement() && out.SecretID != args.SecretID {
+ return structs.ErrPermissionDenied
+ }
+
 // Setup the output
 reply.Token = out
 if out != nil {
diff --git a/nomad/acl_endpoint_test.go b/nomad/acl_endpoint_test.go
index a0dba37a9..25528edfc 100644
--- a/nomad/acl_endpoint_test.go
+++ b/nomad/acl_endpoint_test.go
@@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
 }
 assert.Equal(t, uint64(1000), resp.Index)
 assert.Nil(t, resp.Token)
+
+ // Lookup the token by accessor id using the tokens secret ID
+ get.AccessorID = token.AccessorID
+ get.SecretID = token.SecretID
+ var resp2 structs.SingleACLTokenResponse
+ if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ assert.Equal(t, uint64(1000), resp2.Index)
+ assert.Equal(t, token, resp2.Token)
 }
 func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
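Review bot: The comment "Check management level permissions or that the secret ID matches the accessor ID" in the second hunk sits inside the `if out == nil` body but describes the `else if` condition that follows it, and the nested `!acl.IsManagement()` test repeats the one in the else branch; both branches collapse into a single guard that reads more directly: `if !acl.IsManagement() && (out == nil || out.SecretID != args.SecretID) {` / `return structs.ErrPermissionDenied` / `}`. That comment should also record the property the code relies on: a non-management caller gets ErrPermissionDenied both when the accessor does not exist and when it belongs to another token, so the response does not reveal whether an accessor ID exists, and the blocking path mentioned in the existing comment stays reachable only for management tokens. The plain `!=` on SecretID is acceptable here because the first hunk already required args.SecretID to resolve to a valid token, so the caller is comparing a secret it holds rather than guessing one. The lookup that populates `out` happens above this hunk and GetToken continues below it.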
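Review bot: The assertions added to TestACLEndpoint_GetToken exercise only the allow path of the new GetToken rule (a token fetching itself by accessor ID with its own secret); nothing in the hunk checks that a non-management secret asking for a different accessor, or for an accessor that does not exist, is refused with `structs.ErrPermissionDenied`. Those denial cases are exactly what the endpoint change introduces, so a second mock token and two further `msgpackrpc.CallWithCodec` calls asserting on the returned error would pin them. Whether `token` is a non-management token depends on how it is created above the hunk, outside the diff; if it happens to be a management token the positive case does not reach the new branch either. TestACLEndpoint_GetToken starts above this hunk.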
diff --git a/website/source/api/acl-tokens.html.md b/website/source/api/acl-tokens.html.md
index 219dc1371..e964927d6 100644
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@@ -241,7 +241,7 @@ The table below shows this endpoint's support for
 | Blocking Queries | Consistency Modes | ACL Required |
 | ---------------- | ----------------- | ------------ |
-| `YES` | `all` | `management` |
+| `YES` | `all` | `management` or a SecretID matching the AccessorID |
 ### Sample Request