diff --git a/vault/token_store.go b/vault/token_store.go
index 69a6b288b3..66ea8bea16 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -159,7 +159,7 @@ func NewTokenStore(ctx context.Context, c *Core, config *logical.BackendConfig)
 },
 &framework.Path{
- Pattern: "accessors/?$",
+ Pattern: "accessors/$",
 Callbacks: map[logical.Operation]framework.OperationFunc{
 logical.ListOperation: t.tokenStoreAccessorList,
diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md
index 182af4a040..fb7097a0f9 100644
--- a/website/source/docs/concepts/policies.html.md
+++ b/website/source/docs/concepts/policies.html.md
@@ -161,6 +161,20 @@ policy for `"secret/foo*"`, the policy would also match `"secret/foobar"`.
 !> The glob character is only supported as the **last character of the path**,
 and **is not a regular expression**!
+When providing `list` capability, it is important to note that since listing
+always operates on a prefix, policies must operate on a prefix because Vault
+will sanitize request paths to be prefixes:
+
+```ruby
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+path "secret/foo/" {
+  capabilities = ["list"]
+}
+```
+
 ### Capabilities
 Each path must define one or more capabilities which provide fine-grained
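Review bot: The tightened `Pattern: "accessors/$"` on the added line carries no comment saying why the trailing slash is now mandatory, and a reader comparing it with any `/?$`-style routes elsewhere in this file will find the deviation surprising. Since the policy documentation in this same commit states that list request paths are sanitized to a prefix, a one-line comment above `Pattern` such as `// Trailing slash is required: list request paths are sanitized to a prefix, so the ACL for this route is granted on "accessors/".` would record the intent next to the code. The diff also adds no test pinning the new routing behaviour, so a test that a LIST on the accessor path still reaches tokenStoreAccessorList after sanitization, and that the un-slashed form no longer matches, would guard against a silent regression on what is a sensitive enumeration endpoint. If other list-only paths registered in NewTokenStore still use the `/?$` form (not visible in this hunk), they presumably need the same change for consistency. NewTokenStore's body begins and continues outside the hunk.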