diff --git a/netbox/users/forms.py b/netbox/users/forms.py
index b4e86461d..a1a7cb986 100644
--- a/netbox/users/forms.py
+++ b/netbox/users/forms.py
@@ -1,4 +1,5 @@
 from django import forms
+from django.conf import settings
 from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm as DjangoPasswordChangeForm
 from django.contrib.postgres.forms import SimpleArrayField
 from django.utils.html import mark_safe
@@ -117,3 +118,12 @@ class TokenForm(BootstrapMixin, forms.ModelForm):
         widgets = {
             'expires': DateTimePicker(),
         }
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        instance = getattr(self, 'instance', None)
+        if instance and instance.id and not settings.ALLOW_TOKEN_RETRIEVAL:
+            keyfield = self.fields['key']
+            keyfield.disabled = True
+            keyfield.required = False
+            keyfield.widget = forms.HiddenInput()
diff --git a/netbox/users/models.py b/netbox/users/models.py
index 4ee4dce6b..e6a86be80 100644
--- a/netbox/users/models.py
+++ b/netbox/users/models.py
@@ -235,7 +235,7 @@ class Token(models.Model):
 
     def __str__(self):
         # Only display the last 24 bits of the token to avoid accidental exposure.
-        return f"{self.key[-6:]} ({self.user})"
+        return f"{self.description or self.key[-6:]} ({self.user})"
 
     def save(self, *args, **kwargs):
         if not self.key: