diff --git a/vault/token_store.go b/vault/token_store.go
index b0bc5bd55..28b3a054c 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1307,11 +1307,6 @@ func (ts *TokenStore) handleCreateCommon(
 		renewable = false
 	}
 
-	// Create the token
-	if err := ts.create(&te); err != nil {
-		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
-	}
-
 	// Prevent internal policies from being assigned to tokens
 	for _, policy := range te.Policies {
 		if strutil.StrListContains(nonAssignablePolicies, policy) {
@@ -1319,6 +1314,11 @@ func (ts *TokenStore) handleCreateCommon(
 		}
 	}
 
+	// Create the token
+	if err := ts.create(&te); err != nil {
+		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+	}
+
 	// Generate the response
 	resp.Auth = &logical.Auth{
 		DisplayName: te.DisplayName,