diff --git a/changelog/21100.txt b/changelog/21100.txt
new file mode 100644
index 000000000..50024c9c2
--- /dev/null
+++ b/changelog/21100.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+replication (enterprise): Fix regression causing token creation against a role
+with a new entity alias to be incorrectly forwarded from perf standbys.
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index cac490ebe..e0aba9b67 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -2872,10 +2872,20 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 			MountType:     mountValidationResp.Type,
 		}
 
-		// Create or fetch entity from entity alias
+		// Create or fetch entity from entity alias. Note that we might be on a perf
+		// standby so a create would return a ReadOnly error which would cause an
+		// RPC-based redirect. That path doesn't register leases since the code that
+		// calls RegisterAuth is in the http layer... So be careful to catch and
+		// handle readonly ourselves.
 		entity, _, err := ts.core.identityStore.CreateOrFetchEntity(ctx, alias)
 		if err != nil {
-			return nil, err
+			auth := &logical.Auth{
+				Alias: alias,
+			}
+			entity, _, err = possiblyForwardAliasCreation(ctx, ts.core, err, auth, entity)
+			if err != nil {
+				return nil, err
+			}
 		}
 		if entity == nil {
 			return nil, errors.New("failed to create or fetch entity from given entity alias")
diff --git a/website/content/docs/release-notes/1.13.0.mdx b/website/content/docs/release-notes/1.13.0.mdx
index c7456f0c2..8c8736b6f 100644
--- a/website/content/docs/release-notes/1.13.0.mdx
+++ b/website/content/docs/release-notes/1.13.0.mdx
@@ -115,6 +115,8 @@ Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/ar
 
 The fix for this UI issue is coming in the Vault 1.13.1 release.
 
+@include 'perf-standby-token-create-forwarding-failure.mdx'
+
 ## Feature Deprecations and EOL
 
 Please refer to the [Deprecation Plans and Notice](/vault/docs/deprecation) page
diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
index 0491b940e..7372a3c60 100644
--- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
@@ -155,3 +155,5 @@ flag for [PKI roles](/vault/api-docs/secret/pki#createupdate-role).
 #### Impacted Versions
 
 Affects Vault 1.13.0+
+
+@include 'perf-standby-token-create-forwarding-failure.mdx'
\ No newline at end of file
diff --git a/website/content/partials/perf-standby-token-create-forwarding-failure.mdx b/website/content/partials/perf-standby-token-create-forwarding-failure.mdx
new file mode 100644
index 000000000..06846b779
--- /dev/null
+++ b/website/content/partials/perf-standby-token-create-forwarding-failure.mdx
@@ -0,0 +1,19 @@
+### Token creation with a new entity alias could silently fail
+
+A regression caused token creation requests under specific circumstances to be
+forwarded from perf standbys (Enterprise only) to the active node incorrectly.
+They would appear to succeed, however no lease was created. The token would then
+be revoked on first use causing a 403 error.
+
+This only happened when all of the following conditions were met:
+ - the token is being created against a role
+ - the request specifies an entity alias which has never been used before with
+   the same role (for example for a brand new role or a unique alias)
+ - the request happens to be made to a perf standby rather than the active node
+
+Retrying token creation after the affected token is rejected would work since
+the entity alias has already been created.
+
+#### Affected Versions
+
+Affects Vault 1.13.0 to 1.13.3. Fixed in 1.13.4.