diff --git a/command/ui.go b/command/ui.go
index c24b322a0..b2911133d 100644
--- a/command/ui.go
+++ b/command/ui.go
@@ -75,8 +75,11 @@ func (c *UiCommand) Synopsis() string {
 func (c *UiCommand) Name() string { return "ui" }
 func (c *UiCommand) Run(args []string) int {
+ var authenticate bool
+
 flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 flags.Usage = func() { c.Ui.Output(c.Help()) }
+ flags.BoolVar(&authenticate, "authenticate", false, "")
 if err := flags.Parse(args); err != nil {
 return 1
@@ -103,6 +106,16 @@ func (c *UiCommand) Run(args []string) int {
 return 1
 }
+ var ottSecret string
+ if authenticate {
+ ott, _, err := client.ACLTokens().UpsertOneTimeToken(nil)
+ if err != nil {
+ c.Ui.Error(fmt.Sprintf("Could not get one-time token: %s", err))
+ return 1
+ }
+ ottSecret = ott.OneTimeSecretID
+ }
+
 // We were given an id so look it up
 if len(args) == 1 {
 id := args[0]
@@ -159,7 +172,12 @@ func (c *UiCommand) Run(args []string) int {
 }
 }
- c.Ui.Output(fmt.Sprintf("Opening URL %q", url.String()))
+ if authenticate && ottSecret != "" {
+ c.Ui.Output(fmt.Sprintf("Opening URL %q with one-time token", url.String()))
+ url.RawQuery = fmt.Sprintf("ott=%s", ottSecret)
+ } else {
+ c.Ui.Output(fmt.Sprintf("Opening URL %q", url.String()))
+ }
 if err := open.Start(url.String()); err != nil {
 c.Ui.Error(fmt.Sprintf("Error opening URL: %s", err))
 return 1
diff --git a/website/content/docs/commands/ui.mdx b/website/content/docs/commands/ui.mdx
index 7fb07ad65..2d29d1555 100644
--- a/website/content/docs/commands/ui.mdx
+++ b/website/content/docs/commands/ui.mdx
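Review bot: The one-time token is minted in the second hunk of command/ui.go before the identifier lookup that follows it (`// We were given an id so look it up`), so any later `return 1` in Run would leave an unredeemed secret outstanding until the server expires it; those later paths are outside this hunk, so this is inferred from the ordering shown. Moving the `UpsertOneTimeToken` call to just before the URL is opened, after every lookup has succeeded, keeps the credential's lifetime as short as possible. A comment such as `// Mint the one-time token last: it is a live credential until redeemed or expired.` would record why the ordering matters. Run's body starts and ends outside the hunk.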
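Review bot: In the last hunk of command/ui.go, `url.RawQuery = fmt.Sprintf("ott=%s", ottSecret)` replaces whatever query string the URL already carried and inserts the secret unescaped; `q := url.Query(); q.Set("ott", ottSecret); url.RawQuery = q.Encode()` preserves existing parameters and encodes the value. The secret also ends up in the argument handed to `open.Start` and in the browser's history, so a comment should state that this is acceptable only because the token is single-use. The same comment can record that the `Opening URL` message is printed before the query is set on purpose, so the secret never reaches the terminal. If the configured address can be plain `http` to a non-loopback host the token would cross the network in cleartext, and a warning in that case may be warranted, though the address handling is outside this hunk.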
@@ -24,10 +24,10 @@ details for that object. Supported identifiers are jobs, allocations and nodes. If ACLs are enabled, the web UI will start in an unauthenticated state and you may see a 403 Unauthorized page if anonymous read access is denied. The `nomad -ui -login` option will exchange your command line client's Nomad ACL token for -a one-time login token to the web UI. That one-time token will be exchanged -for your Nomad ACL token and stored in the browser's local storage for -authentication. +ui -authenticate` option will exchange your command line client's Nomad ACL +token for a one-time token, which is passed to the web UI. That one-time token +will be exchanged for your Nomad ACL token and stored in the browser's local +storage for authentication. ## General Options @@ -35,7 +35,8 @@ authentication. ## UI Options -- `-login`: Exchange your Nomad ACL token for a one-time token in the web UI. +- `-authenticate`: Exchange your Nomad ACL token for a one-time token in the + web UI. ## Examples @@ -60,9 +61,9 @@ $ nomad ui d4005969 Opening URL "http://127.0.0.1:4646/ui/allocations/d4005969-b16f-10eb-4fe1-a5374986083d" ``` -Open the UI and login using your ACL token: +Open the UI and authenticate using your ACL token: ```shell-session -$ NOMAD_ACL_TOKEN=e9674b26-763b-4637-a28f-0df95c53cdda nomad ui -login +$ NOMAD_ACL_TOKEN=e9674b26-763b-4637-a28f-0df95c53cdda nomad ui -authenticate Opening URL "http://127.0.0.1:4646" with token ```