diff --git a/api/acl_test.go b/api/acl_test.go
index 1cf8708d244f..7df29457ca1c 100644
--- a/api/acl_test.go
+++ b/api/acl_test.go
@@ -291,14 +291,24 @@ func prepTokenPoliciesInPartition(t *testing.T, acl *ACL, partition string) (pol
 func TestAPI_ACLBootstrap(t *testing.T) {
 t.Parallel()
- c, s := makeNonBootstrappedACLClient(t)
- defer s.Stop()
+ c, s := makeNonBootstrappedACLClient(t, "allow")
 acl := c.ACL()
 s.WaitForLeader(t)
+ // not bootstrapped, default allow
+ mems, err := c.Agent().Members(false)
+ require.NoError(t, err)
+ require.True(t, len(mems) == 1)
- // not bootstrapped
- _, _, err := acl.TokenList(nil)
+ s.Stop()
+ c, s = makeNonBootstrappedACLClient(t, "deny")
+ acl = c.ACL()
+ s.WaitForLeader(t)
+ //not bootstrapped, default deny
+ _, _, err = acl.TokenList(nil)
+ require.EqualError(t, err, "Unexpected response code: 403 (Permission denied: anonymous token lacks permission 'acl:read'. The anonymous token is used implicitly when a request does not specify a token.)")
+ c.config.Token = "root"
+ _, _, err = acl.TokenList(nil)
 require.EqualError(t, err, "Unexpected response code: 403 (ACL system must be bootstrapped before making any requests that require authorization: ACL not found)")
 // bootstrap
 mgmtTok, _, err := acl.Bootstrap()
@@ -309,6 +319,7 @@ func TestAPI_ACLBootstrap(t *testing.T) {
 require.NoError(t, err)
 // management and anonymous should be only tokens
 require.Len(t, toks, 2)
+ s.Stop()
 }
 func TestAPI_ACLToken_CreateReadDelete(t *testing.T) {
diff --git a/api/api_test.go b/api/api_test.go
index 94eadd959fe9..7c8048cb4bb2 100644
--- a/api/api_test.go
+++ b/api/api_test.go
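Review bot: Dropping `defer s.Stop()` in TestAPI_ACLBootstrap means a failing `require.*` call ends the test before either explicit `s.Stop()` runs (the one added mid-test here and the one added in the hunk at line 319), so the test server is left running. Because `s` is reassigned, a single deferred stop cannot cover both servers; splitting the two policies into `t.Run("default allow", ...)` and `t.Run("default deny", ...)` subtests, each with its own `defer s.Stop()` right after `makeNonBootstrappedACLClient`, ties cleanup to the server it belongs to. Separately, `require.Len(t, mems, 1)` would report the actual length on failure and matches the `require.Len(t, toks, 2)` already used further down. The function body continues between the two hunks, outside the visible lines.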
@@ -50,15 +50,15 @@ func makeACLClient(t *testing.T) (*Client, *testutil.TestServer) { }) } -func makeNonBootstrappedACLClient(t *testing.T) (*Client, *testutil.TestServer) { +func makeNonBootstrappedACLClient(t *testing.T, defaultPolicy string) (*Client, *testutil.TestServer) { return makeClientWithConfig(t, func(clientConfig *Config) { - clientConfig.Token = "root" + clientConfig.Token = "" }, func(serverConfig *testutil.TestServerConfig) { serverConfig.PrimaryDatacenter = "dc1" serverConfig.ACL.Enabled = true - serverConfig.ACL.DefaultPolicy = "deny" + serverConfig.ACL.DefaultPolicy = defaultPolicy serverConfig.Bootstrap = true }) }
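Review bot: makeNonBootstrappedACLClient has no doc comment, and after this change its name no longer tells a caller that the returned client is anonymous: `clientConfig.Token` is now `""`, so every request is authorized under whatever `defaultPolicy` the server was started with. A comment along the lines of `// makeNonBootstrappedACLClient starts a server with ACLs enabled but not bootstrapped; the client sends no token, so requests run as the anonymous token under defaultPolicy ("allow" or "deny").` would make that explicit. The parameter is passed to `serverConfig.ACL.DefaultPolicy` unchecked, which is presumably fine for a test helper but worth stating in the same comment.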