diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6d89a57a..aa39ae2d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,8 @@ IMPROVEMENTS:
  * core: Tokens can now renew themselves [GH-455]
  * core: Base64-encoded PGP keys can be used with the CLI for `init` and
    `rekey` operations [GH-653]
+ * credential/token: Display whether or not a token is an orphan in the output
+   of a lookup call [GH-766]
  * logical: Allow `.` in path-based variables in many more locations [GH-244]
  * logical: Responses now contain a "warnings" key containing a list of
    warnings returned from the server. These are conditions that did not require
diff --git a/http/logical_test.go b/http/logical_test.go
index 7d48c6c36..0edf44f19 100644
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -121,6 +121,7 @@ func TestLogical_StandbyRedirect(t *testing.T) {
 			"path":         "auth/token/root",
 			"policies":     []interface{}{"root"},
 			"display_name": "root",
+			"orphan":       true,
 			"id":           root,
 			"ttl":          float64(0),
 		},
diff --git a/vault/token_store.go b/vault/token_store.go
index 9bbccf9d5..048203ff8 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -800,10 +800,16 @@ func (ts *TokenStore) handleLookup(
 			"meta":          out.Meta,
 			"display_name":  out.DisplayName,
 			"num_uses":      out.NumUses,
+			"orphan":        false,
 			"creation_time": int(out.CreationTime),
 			"ttl":           int(out.TTL.Seconds()),
 		},
 	}
+
+	if out.Parent == "" {
+		resp.Data["orphan"] = true
+	}
+
 	return resp, nil
 }
 
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 9682f30e9..8a47627ad 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -866,12 +866,39 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 		"path":         "auth/token/root",
 		"meta":         map[string]string(nil),
 		"display_name": "root",
+		"orphan":       true,
 		"num_uses":     0,
 		"ttl":          0,
 	}
 	delete(resp.Data, "creation_time")
 	if !reflect.DeepEqual(resp.Data, exp) {
-		t.Fatalf("bad: %#v exp: %#v", resp.Data, exp)
+		t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
+	}
+
+	testMakeToken(t, ts, root, "client", []string{"foo"})
+
+	req = logical.TestRequest(t, logical.ReadOperation, "lookup/client")
+	resp, err = ts.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	exp = map[string]interface{}{
+		"id":           "client",
+		"policies":     []string{"foo"},
+		"path":         "auth/token/create",
+		"meta":         map[string]string(nil),
+		"display_name": "token",
+		"orphan":       false,
+		"num_uses":     0,
+		"ttl":          2592000,
+	}
+	delete(resp.Data, "creation_time")
+	if !reflect.DeepEqual(resp.Data, exp) {
+		t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
 	}
 }
 
@@ -933,6 +960,7 @@ func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 		"path":         "auth/token/root",
 		"meta":         map[string]string(nil),
 		"display_name": "root",
+		"orphan":       true,
 		"num_uses":     0,
 		"ttl":          0,
 	}