diff --git a/command/token_create.go b/command/token_create.go
index 10b4e92dfda..5c0c5353c66 100644
--- a/command/token_create.go
+++ b/command/token_create.go
@@ -123,7 +123,7 @@ func (c *TokenCreateCommand) Flags() *FlagSets {
 Default: false,
 Usage: "Create the token with no parent. This prevents the token from " +
 "being revoked when the token which created it expires. Setting this " +
- "value requires sudo permissions.",
+ "value requires root or sudo permissions.",
 })

 f.BoolVar(&BoolVar{
diff --git a/website/pages/api-docs/auth/token/index.mdx b/website/pages/api-docs/auth/token/index.mdx
index 8c22bfb5aa8..462dcd74fdb 100644
--- a/website/pages/api-docs/auth/token/index.mdx
+++ b/website/pages/api-docs/auth/token/index.mdx
@@ -74,8 +74,8 @@ during this call.
 If not specified, defaults to all the policies of the calling token.
 - `meta` `(map: {})` – A map of string to string valued metadata. This is passed
 through to the audit devices.
-- `no_parent` `(bool: false)` - If true and set by a root caller, the token will
- not have the parent token of the caller. This creates a token with no parent.
+- `no_parent` `(bool: false)` - This argument only has effect if used by a root
+ or sudo caller. When set to true, the token created will not have a parent.
 - `no_default_policy` `(bool: false)` - If true the `default` policy will not be
 contained in this token's policy set.
 - `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
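Review bot: The new usage string on the `+` line may overstate the privilege the orphan flag needs: this same commit's tokens.mdx hunk documents `auth/token/create-orphan` as requiring only `write` access, with root/sudo needed only for `no_parent` on `auth/token/create`, and it is not visible in this hunk which of the two endpoints the CLI flag is routed to. If the flag calls create-orphan, the help text should say so, e.g. `"value requires write access to auth/token/create-orphan (or root/sudo permissions on auth/token/create)."`; if it always uses `auth/token/create` with `no_parent`, naming that path would let operators verify the requirement against the API docs. Either way, stating the endpoint keeps the CLI help consistent with the documentation changed in the same commit. The enclosing `Flags()` method starts and ends outside the hunk.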
@@ -99,7 +99,7 @@ during this call.
 limit to the number of uses.
 - `period` `(string: "")` - If specified, the token will be periodic; it will
 have no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal
- will use the given period. Requires a root/sudo token to use.
+ will use the given period. Requires a root token or one with the sudo capability.
 - `entity_alias` `(string: "")` - Name of the entity alias to associate with
 during token creation. Only works in combination with `role_name` argument and
 used entity alias must be listed in `allowed_entity_aliases`. If this has
diff --git a/website/pages/docs/concepts/tokens.mdx b/website/pages/docs/concepts/tokens.mdx
index 9e6dce7ddd1..d7a2da51671 100644
--- a/website/pages/docs/concepts/tokens.mdx
+++ b/website/pages/docs/concepts/tokens.mdx
@@ -91,9 +91,9 @@ Often this behavior is not desired, so users with appropriate access can create
 `orphan` tokens. These tokens have no parent -- they are the root of their own
 token tree. These orphan tokens can be created:

-1. Via the `auth/token/create-orphan` endpoint
-2. By having `sudo` capability or `root` policy when accessing
- `auth/token/create` and setting the `orphan` parameter to `true`
+1. Via `write` access to the `auth/token/create-orphan` endpoint
+2. By having `sudo` or `root` access to the `auth/token/create`
+ and setting the `no_parent` parameter to `true`
 3. Via token store roles
 4. By logging in with any other (non-`token`) auth method