diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
index 93a69bb37fb6b..ce566d1549ace 100644
--- a/lib/defaults/defaults.go
+++ b/lib/defaults/defaults.go
@@ -261,6 +261,9 @@ const (
 	// InactivityFlushPeriod is a period of inactivity
 	// that triggers upload of the data - flush.
 	InactivityFlushPeriod = 5 * time.Minute
+
+	// NodeJoinTokenTTL is when a token for nodes expires.
+	NodeJoinTokenTTL = 4 * time.Hour
 )
 
 var (
diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
index d75a73ff60fbd..bee7c0fba0c41 100644
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
@@ -43,6 +43,8 @@ type userACL struct {
 	TrustedClusters access `json:"trustedClusters"`
 	// Events defines access to audit logs
 	Events access `json:"events"`
+	// Tokens defines access to creating tokens ie: node join token.
+	Tokens access `json:"nodeToken"`
 	// SSH defines access to servers
 	SSHLogins []string `json:"sshLogins"`
 }
@@ -118,6 +120,7 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*UserContex
 	trustedClusterAccess := newAccess(userRoles, ctx, services.KindTrustedCluster)
 	eventAccess := newAccess(userRoles, ctx, services.KindEvent)
 	userAccess := newAccess(userRoles, ctx, services.KindUser)
+	tokenAccess := newAccess(userRoles, ctx, services.KindToken)
 	logins := getLogins(userRoles)
 
 	acl := userACL{
@@ -128,6 +131,7 @@ func NewUserContext(user services.User, userRoles services.RoleSet) (*UserContex
 		Events: eventAccess,
 		SSHLogins: logins,
 		Users: userAccess,
+		Tokens: tokenAccess,
 	}
 
 	// local user
diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
index 38f5a6d6ea4d1..6536642db67a0 100644
--- a/lib/web/ui/usercontext_test.go
+++ b/lib/web/ui/usercontext_test.go
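Review bot: The doc comment on `NodeJoinTokenTTL` describes a point in time ("is when a token ... expires") but the constant is a `time.Duration`, and it does not say what the value is a default for. Because this duration bounds how long a join token that leaks (logs, shell history, a screenshot of the UI) can still enroll a node, the comment should say that so the next person tuning it understands the trade-off: `// NodeJoinTokenTTL is the default lifetime of a node join token; keep it short, since a leaked token can enroll a node until it expires.` The surrounding `const (` block begins before the hunk.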
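Review bot: In the `userACL` hunk the new field is named `Tokens` but its JSON tag is `nodeToken`, which breaks the pattern of the neighbouring fields whose tags mirror their Go names (`trustedClusters`, `events`, `sshLogins`); the comment also has "ie:" where "i.e." is meant. If the web client already consumes `nodeToken` the tag has to stay, but then the mismatch deserves a sentence; otherwise `json:"tokens"` is the consistent choice. Suggested comment: `// Tokens defines access to token resources (services.KindToken), e.g. node join tokens; the JSON name "nodeToken" is what the web client expects.` with the last clause kept only if that is confirmed. The `userACL` struct starts before the hunk.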
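Review bot: `tokenAccess := newAccess(userRoles, ctx, services.KindToken)` computes verbs for the token resource kind as a whole, so the `Tokens` ACL the UI receives reflects access to any token, not only node join tokens, and nothing in this hunk enforces anything — it only tells the client what to render. Worth a one-line comment at the new line so nobody later treats it as the authorization check: `// Advisory: drives what the UI shows; the handler that creates a token must still enforce RBAC server-side.` The same applies to the `Tokens: tokenAccess` assignment in the following hunk, which needs no separate note. `NewUserContext` starts and ends outside the hunk.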
@@ -68,6 +68,7 @@ func (s *UserContextSuite) TestNewUserContext(c *check.C) {
 	c.Assert(userContext.ACL.Sessions, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.Roles, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.Users, check.DeepEquals, denied)
+	c.Assert(userContext.ACL.Tokens, check.DeepEquals, denied)
 	c.Assert(userContext.ACL.SSHLogins, check.DeepEquals, []string{"a", "b", "d"})
 
 	// test local auth type
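Review bot: The added assertion only pins the denied default for `ACL.Tokens`; a regression that always reported tokens as denied would still pass. If the suite builds a role set that grants access elsewhere in this test (the `// test local auth type` section that follows, or another case), an assertion that `Tokens` is allowed there would cover the other half, e.g. `c.Assert(userContext.ACL.Tokens, check.DeepEquals, allowed)` using whatever the suite's allowed fixture is called. `TestNewUserContext` starts and ends outside the hunk.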