diff --git a/agent/acl.go b/agent/acl.go
index b84f40ffca..2e30848a43 100644
--- a/agent/acl.go
+++ b/agent/acl.go
@@ -104,6 +104,12 @@ func newACLManager(config *Config) (*aclManager, error) {
Policy: acl.PolicyWrite,
},
},
+ Nodes: []*acl.NodePolicy{
+ &acl.NodePolicy{
+ Name: "",
+ Policy: acl.PolicyRead,
+ },
+ },
}
acl, err := acl.New(acl.DenyAll(), policy)
if err != nil {
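Review bot: The new `Nodes` entry grants the agent master token read access to every node, not just the local agent's, because `Name: ""` is an empty prefix (the accompanying test asserts `NodeRead("hello")` succeeds), and nothing in the hunk records why that breadth is needed for a token that is honored locally without any server-side validation. A why-comment above the `Nodes:` field would help the next maintainer, for example `// Empty-prefix node read: presumably needed because some agent endpoints also check node read during an outage; write stays denied via the DenyAll parent below — TODO confirm which endpoints depend on this.` If only the local node's data is actually required, narrowing it to `Name: config.NodeName` would be the least-privilege form, assuming node policies are prefix-matched the way the test suggests; confirm against the endpoints that consume this token before tightening. The enclosing newACLManager starts and ends outside this hunk.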
diff --git a/agent/acl_test.go b/agent/acl_test.go
index bcee072d77..44980abcf4 100644
--- a/agent/acl_test.go
+++ b/agent/acl_test.go
@@ -166,6 +166,12 @@ func TestACL_Special_IDs(t *testing.T) {
if !acl.AgentWrite(cfg.NodeName) {
t.Fatalf("should be able to write agent")
}
+ if !acl.NodeRead("hello") {
+ t.Fatalf("should be able to read any node")
+ }
+ if acl.NodeWrite("hello") {
+ t.Fatalf("should not be able to write any node")
+ }
}
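Review bot: The added assertions pin that node read is granted and node write is denied, but nothing checks that the new `Nodes` policy did not widen the token beyond node read — a negative check on an unrelated permission (whatever non-node, non-agent accessor the returned acl type exposes, e.g. a service or key read if such methods exist) would confirm the DenyAll parent is still in effect for everything else. It would also be worth asserting the empty name, `if !acl.NodeRead("") { t.Fatalf("should be able to read any node") }`, since the empty prefix is the boundary case the implementation relies on. TestACL_Special_IDs begins before this hunk.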
func TestACL_Down_Deny(t *testing.T) {
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index 75c597afe6..be8a6fbf0b 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -453,10 +453,10 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
* `acl_agent_master_token` -
Used to access agent endpoints that require agent read
- or write privileges even if Consul servers aren't present to validate any tokens. This should only
- be used by operators during outages, regular ACL tokens should normally be used by applications.
- This was added in Consul 0.7.2 and is only used when `acl_enforce_version_8`
- is set to true.
+ or write privileges, or node read privileges, even if Consul servers aren't present to validate
+ any tokens. This should only be used by operators during outages, regular ACL tokens should normally
+ be used by applications. This was added in Consul 0.7.2 and is only used when
+ `acl_enforce_version_8` is set to true.
* `acl_agent_token` - Used for clients
and servers to perform internal operations to the service catalog. If this isn't specified, then
diff --git a/website/source/docs/guides/acl.html.md b/website/source/docs/guides/acl.html.md
index 8ef73c5c9c..a8a9296d1c 100644
--- a/website/source/docs/guides/acl.html.md
+++ b/website/source/docs/guides/acl.html.md
@@ -133,6 +133,20 @@ system, or accessing Consul in special situations:
| [`acl_master_token`](/docs/agent/options.html#acl_master_token) | `REQUIRED` | `N/A` | Special token used to bootstrap the ACL system, see details below |
| [`acl_token`](/docs/agent/options.html#acl_token) | `OPTIONAL` | `OPTIONAL` | Default token to use for client requests where no token is supplied; this is often configured with read-only access to services to enable DNS service discovery on agents |
+Since it is designed to be used when the Consul servers are not available, the
+`acl_agent_master_token` is managed locally on the agent and does not need to have a
+policy defined on the Consul servers via the ACL API. Once set, it implicitly has the
+following policy associated with it (the `node` policy was added in Consul 0.9.0):
+
+```text
+agent "" {
+ policy = "write"
+}
+node "" {
+ policy = "read"
+}
+```
+
#### Bootstrapping ACLs
Bootstrapping ACLs on a new cluster requires a few steps, outlined in the example in this
@@ -933,9 +947,9 @@ Two new configuration options are used once version 8 ACLs are enabled:
* [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token) is used as
a special access token that has `agent` ACL policy `write` privileges on each agent where
- it is configured. This token should only be used by operators during outages when Consul
- servers aren't available to resolve ACL tokens. Applications should use regular ACL
- tokens during normal operation.
+ it is configured, as well as `node` ACL policy `read` privileges for all nodes. This token
+ should only be used by operators during outages when Consul servers aren't available to
+ resolve ACL tokens. Applications should use regular ACL tokens during normal operation.
* [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is used internally by
Consul agents to perform operations to the service catalog when registering themselves
or sending network coordinates to the servers. This token must at least have `node` ACL