diff --git a/agent/config/builder.go b/agent/config/builder.go
index db7c81ea73..8ea78c9729 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -745,13 +745,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 primaryDatacenter = datacenter
 }
- enableTokenReplication := false
- if c.ACLReplicationToken != nil {
- enableTokenReplication = true
- }
-
- boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication))
-
 enableRemoteScriptChecks := boolVal(c.EnableScriptChecks)
 enableLocalScriptChecks := boolValWithDefault(c.EnableLocalScriptChecks, enableRemoteScriptChecks)
@@ -870,9 +863,9 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 },
 ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
- ACLMasterToken: stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
+ ACLMasterToken: stringVal(c.ACL.Tokens.Master),
- ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
+ ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolVal(c.EnableACLReplication)),
 ACLTokens: token.Config{
 DataDir: dataDir,
@@ -880,7 +873,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 ACLDefaultToken: stringVal(c.ACL.Tokens.Default),
 ACLAgentToken: stringVal(c.ACL.Tokens.Agent),
 ACLAgentMasterToken: stringVal(c.ACL.Tokens.AgentMaster),
- ACLReplicationToken: stringValWithDefault(c.ACL.Tokens.Replication, stringVal(c.ACLReplicationToken)),
+ ACLReplicationToken: stringVal(c.ACL.Tokens.Replication),
 },
 // Autopilot
diff --git a/agent/config/config.go b/agent/config/config.go
index 0d3747e0ae..e21e884dd2 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -136,10 +136,6 @@ type Config struct {
 ACLDownPolicy *string `mapstructure:"acl_down_policy"`
 // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
 ACLEnableKeyListPolicy *bool `mapstructure:"acl_enable_key_list_policy"`
- // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
- ACLMasterToken *string `mapstructure:"acl_master_token"`
- // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
- ACLReplicationToken *string `mapstructure:"acl_replication_token"`
 // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
 ACLTTL *string `mapstructure:"acl_ttl"`
 ACL ACL `mapstructure:"acl"`
diff --git a/agent/config/deprecated.go b/agent/config/deprecated.go
index 4cae4622a3..09edb23cff 100644
--- a/agent/config/deprecated.go
+++ b/agent/config/deprecated.go
@@ -10,6 +10,11 @@ type DeprecatedConfig struct {
 // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
 ACLToken *string `mapstructure:"acl_token"`
+ // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
+ ACLMasterToken *string `mapstructure:"acl_master_token"`
+ // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
+ ACLReplicationToken *string `mapstructure:"acl_replication_token"`
+
 // DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
 ACLDatacenter *string `mapstructure:"acl_datacenter"`
 }
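Review bot: The comment added above `ACLMasterToken` in `DeprecatedConfig` says the field moved into the "acl" stanza, while the warning this commit emits for it points to `acl.tokens.master`; the comment should read `// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza`. The comment on `ACLReplicationToken` would also benefit from one more line, `// Setting this field also enables ACL.TokenReplication.`, because that side effect is now applied in applyDeprecatedConfig and is not obvious from the field itself. The struct's opening lines are outside this hunk.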
@@ -39,6 +44,21 @@ func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
 warns = append(warns, deprecationWarning("acl_token", "acl.tokens.default"))
 }
+ if dep.ACLMasterToken != nil {
+ if d.Config.ACL.Tokens.Master == nil {
+ d.Config.ACL.Tokens.Master = dep.ACLMasterToken
+ }
+ warns = append(warns, deprecationWarning("acl_master_token", "acl.tokens.master"))
+ }
+
+ if dep.ACLReplicationToken != nil {
+ if d.Config.ACL.Tokens.Replication == nil {
+ d.Config.ACL.Tokens.Replication = dep.ACLReplicationToken
+ }
+ d.Config.ACL.TokenReplication = pBool(true)
+ warns = append(warns, deprecationWarning("acl_replication_token", "acl.tokens.replication"))
+ }
+
 if dep.ACLDatacenter != nil {
 if d.Config.PrimaryDatacenter == nil {
 d.Config.PrimaryDatacenter = dep.ACLDatacenter
diff --git a/agent/config/deprecated_test.go b/agent/config/deprecated_test.go
index 07da342bdd..fd35c957b1 100644
--- a/agent/config/deprecated_test.go
+++ b/agent/config/deprecated_test.go
@@ -18,6 +18,9 @@ acl_agent_master_token = "token1"
 acl_agent_token = "token2"
 acl_token = "token3"
+acl_master_token = "token4"
+acl_replication_token = "token5"
+
 `},
 }
 patchLoadOptsShims(&opts)
@@ -28,6 +31,8 @@ acl_token = "token3"
 deprecationWarning("acl_agent_master_token", "acl.tokens.agent_master"),
 deprecationWarning("acl_agent_token", "acl.tokens.agent"),
 deprecationWarning("acl_datacenter", "primary_datacenter"),
+ deprecationWarning("acl_master_token", "acl.tokens.master"),
+ deprecationWarning("acl_replication_token", "acl.tokens.replication"),
 deprecationWarning("acl_token", "acl.tokens.default"),
 }
 sort.Strings(result.Warnings)
@@ -42,4 +47,6 @@ acl_token = "token3"
 require.Equal(t, "token1", rt.ACLTokens.ACLAgentMasterToken)
 require.Equal(t, "token2", rt.ACLTokens.ACLAgentToken)
 require.Equal(t, "token3", rt.ACLTokens.ACLDefaultToken)
+ require.Equal(t, "token4", rt.ACLMasterToken)
+ require.Equal(t, "token5", rt.ACLTokens.ACLReplicationToken)
 }
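Review bot: In the applyDeprecatedConfig hunk of agent/config/deprecated.go, `d.Config.ACL.TokenReplication = pBool(true)` runs unconditionally whenever `acl_replication_token` is set, so it overwrites an explicit `false` in `ACL.TokenReplication` and shadows `EnableACLReplication`, which build() now reads only as a fallback. The expression removed from builder.go used the token's presence as the last default, so an operator who kept the legacy token but explicitly disabled token replication would now have it enabled. Assuming `d.Config` is the same `Config` that build() reads, guarding the assignment restores the old precedence: `if d.Config.ACL.TokenReplication == nil && d.Config.EnableACLReplication == nil { d.Config.ACL.TokenReplication = pBool(true) }`. None of the test hunks pair `acl_replication_token` with an explicit `false`, so a case for that would pin the behaviour. The function body starts and ends outside this hunk.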
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 11a5a9efd6..1f5ff3aaed 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -1633,16 +1633,28 @@ func TestLoad_IntegrationWithFlags(t *testing.T) {
 expectedWarnings: []string{`The 'acl_datacenter' field is deprecated. Use the 'primary_datacenter' field instead.`},
 })
 run(t, testCase{
- desc: "acl_replication_token enables acl replication",
- args: []string{`-data-dir=` + dataDir},
- json: []string{`{ "acl_replication_token": "a" }`},
- hcl: []string{`acl_replication_token = "a"`},
+ desc: "acl_replication_token enables acl replication",
+ args: []string{`-data-dir=` + dataDir},
+ json: []string{`{ "acl_replication_token": "a" }`},
+ hcl: []string{`acl_replication_token = "a"`},
+ expectedWarnings: []string{deprecationWarning("acl_replication_token", "acl.tokens.replication")},
 expected: func(rt *RuntimeConfig) {
 rt.ACLTokens.ACLReplicationToken = "a"
 rt.ACLTokenReplication = true
 rt.DataDir = dataDir
 },
 })
+ run(t, testCase{
+ desc: "acl.tokens.replace does not enable acl replication",
+ args: []string{`-data-dir=` + dataDir},
+ json: []string{`{ "acl": { "tokens": { "replication": "a" }}}`},
+ hcl: []string{`acl { tokens { replication = "a"}}`},
+ expected: func(rt *RuntimeConfig) {
+ rt.ACLTokens.ACLReplicationToken = "a"
+ rt.ACLTokenReplication = false
+ rt.DataDir = dataDir
+ },
+ })
 run(t, testCase{
 desc: "acl_enforce_version_8 is deprecated",
 args: []string{`-data-dir=` + dataDir},
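Review bot: The `desc` of the added case in TestLoad_IntegrationWithFlags names `acl.tokens.replace`, but its JSON and HCL inputs set `acl.tokens.replication`, so a failing run would report a key that the case does not exercise. It should read `desc: "acl.tokens.replication does not enable acl replication",`. The test function starts and ends outside this hunk.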
@@ -5906,6 +5918,8 @@ func TestLoad_FullConfig(t *testing.T) {
 deprecationWarning("acl_agent_master_token", "acl.tokens.agent_master"),
 deprecationWarning("acl_agent_token", "acl.tokens.agent"),
 deprecationWarning("acl_token", "acl.tokens.default"),
+ deprecationWarning("acl_master_token", "acl.tokens.master"),
+ deprecationWarning("acl_replication_token", "acl.tokens.replication"),
 `bootstrap_expect > 0: expecting 53 servers`,
 }
 expectedWarns = append(expectedWarns, enterpriseConfigKeyWarnings...)