diff --git a/pagure/default_config.py b/pagure/default_config.py
index 225c637..c033b06 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -264,6 +264,9 @@ ACLS = {
'modify_project': 'Modify an existing project'
}
+# From the ACLs above lists which ones are allowed for regular users
+USER_ACLS = ACLS.keys()
+
# From the ACLs above lists which ones are tolerated to be associated with
# an API token that isn't linked to a particular project.
CROSS_PROJECT_ACLS = [
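Review bot: `USER_ACLS = ACLS.keys()` defaults to every ACL in the table, including `'modify_project'` visible as context just above, so the comment "lists which ones are allowed for regular users" describes a restriction that the default does not actually apply; the narrowing only takes effect once a deployment overrides `USER_ACLS` in its site config. The comment should say so, e.g. `# Defaults to every ACL; override USER_ACLS in the site config to narrow` / `# what regular (non-admin) users may grant to their own API tokens.`. Separately, `dict.keys()` is a live view on Python 3 (a list copy on Python 2, which I assume this file still targets), so `USER_ACLS = list(ACLS.keys())` or an explicit literal list would pin the value independently of later mutation of `ACLS`.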
diff --git a/pagure/ui/repo.py b/pagure/ui/repo.py
index dfea6bc..8e4a451 100644
--- a/pagure/ui/repo.py
+++ b/pagure/ui/repo.py
@@ -1995,7 +1995,8 @@ def add_token(repo, username=None, namespace=None):
403,
'You are not allowed to change the settings for this project')
- acls = pagure.lib.get_acls(SESSION)
+ acls = pagure.lib.get_acls(
+ SESSION, restrict=APP.config.get('USER_ACLS'))
form = pagure.forms.NewTokenForm(acls=acls)
if form.validate_on_submit():
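Review bot: `APP.config.get('USER_ACLS')` yields `None` when the key is missing from the loaded config (e.g. a deployment that loads its own settings without the updated defaults), and what `get_acls(restrict=None)` does in that case is not visible in the hunk; if it means "no restriction", the new check silently degrades to the old all-ACLs behaviour, so either document that fallback at the call site, `# restrict=None means no restriction - relies on default_config providing USER_ACLS`, or fail closed explicitly. The restriction also only narrows the `acls` list handed to `NewTokenForm`; whether the POST validation in `form.validate_on_submit()` rejects an ACL outside that list depends on how `NewTokenForm` uses the `acls` argument, which this hunk does not show and is worth confirming. `add_token` starts and ends outside the hunk.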
diff --git a/tests/test_pagure_flask_ui_repo.py b/tests/test_pagure_flask_ui_repo.py
index 1e2e7a9..28078ac 100644
--- a/tests/test_pagure_flask_ui_repo.py
+++ b/tests/test_pagure_flask_ui_repo.py
@@ -3870,6 +3870,43 @@ index 0000000..fb7093d
self.assertIn('This project has not been tagged.', output.data)
@patch('pagure.ui.repo.admin_session_timedout')
+ def test_add_token_all_tokens(self, ast):
+ """ Test the add_token endpoint. """
+ ast.return_value = False
+ tests.create_projects(self.session)
+ tests.create_projects_git(
+ os.path.join(self.path, 'repos'), bare=True)
+
+ user = tests.FakeUser(username='pingou')
+ with tests.user_set(pagure.APP, user):
+ output = self.app.get('/test/token/new/')
+ self.assertEqual(output.status_code, 200)
+ self.assertIn('Create a new token', output.data)
+ self.assertEqual(
+ output.data.count('