diff --git a/api_token_create.php b/api_token_create.php
index b0c1e93bf3..09dfd710b3 100644
--- a/api_token_create.php
+++ b/api_token_create.php
@@ -42,7 +42,7 @@ user_ensure_unprotected( $t_user_id );
-if( !auth_can_create_api_token() ) {
+if( !api_token_can_create() ) {
access_denied();
}
diff --git a/api_tokens_page.php b/api_tokens_page.php
index 870a4ea5b9..2b3210b084 100644
--- a/api_tokens_page.php
+++ b/api_tokens_page.php
@@ -40,7 +40,7 @@ current_user_ensure_unprotected();
-if( !auth_can_create_api_token() ) {
+if( !api_token_can_create() ) {
access_denied();
}
diff --git a/core/api_token_api.php b/core/api_token_api.php
index be833fc71e..b4c0f004b0 100644
--- a/core/api_token_api.php
+++ b/core/api_token_api.php
@@ -28,6 +28,16 @@ require_api( 'crypto_api.php' );
+/**
+ * Checks if specified user can create API tokens.
+ * @param integer|null $p_user_id User id or null for current logged in user.
+ * @return bool true: can create tokens, false: otherwise.
+ */
+function api_token_can_create( $p_user_id = null ) {
+ $t_user_id = is_null( $p_user_id ) ? auth_get_current_user_id() : $p_user_id;
+ return !user_is_protected( $t_user_id );
+}
+
/**
* Create an API token
*
@@ -146,13 +156,6 @@ function api_token_validate( $p_username, $p_token ) {
return false;
}
- # If users can't create tokens, then they can't use them. This can change in the future if we enabled
- # admins to create tokens on behalf of users that are usable. This is a defense in depth anyways for
- # cases where users may have had tokens before this config option changes.
- if( !auth_can_create_api_token( $t_user_id ) ) {
- return false;
- }
-
$t_encrypted_token = api_token_hash( $p_token );
db_param_push();
diff --git a/core/authentication_api.php b/core/authentication_api.php
index 41d565a4b4..6b952baf40 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
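Review bot: The docblock on the new `api_token_can_create` is carried over from the removed `auth_can_create_api_token` and does not state the rule the body now applies: creation is refused only when `user_is_protected( $t_user_id )` is true, and the configurable threshold the old function read via `AuthFlags::getCreateApiTokensThreshold` (removed in this commit) no longer plays a part. Suggest adding ` * A user may create tokens unless the account is protected; no access-level threshold applies.` to the docblock. This matters for the callers renamed in this commit: `api_token_create.php` calls `user_ensure_unprotected( $t_user_id )` and then `api_token_can_create()` with no argument, so the second check duplicates the first only when `$t_user_id` is the current user — passing `$t_user_id` explicitly would make the two agree. With `$p_user_id` null the helper depends on what `auth_get_current_user_id()` returns for an unauthenticated request, which is not visible here.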
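Review bot: With this block gone, `api_token_validate` accepts a token for an account that `api_token_can_create`, introduced above in the same file, would not allow to create one: a protected user's pre-existing token (or one created before the account was made protected) stays usable, which is exactly the defense-in-depth case the deleted comment described. If that is intended, a comment at this point such as `# Protected accounts are not re-checked here; existing tokens remain valid` would keep the check from being re-added; otherwise keep the check against the new helper: `if( !api_token_can_create( $t_user_id ) ) { return false; }`. The body of `api_token_validate` starts above and continues below this hunk.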
@@ -219,16 +219,6 @@ function auth_logout_redirect_page() {
return $t_auth_flags->getLogoutRedirectPage();
}
-/**
- * Checks if specified user can create API tokens.
- * @param integer|null $p_user_id User id or null for current logged in user.
- * @return bool true: can create tokens, false: otherwise.
- */
-function auth_can_create_api_token( $p_user_id = null ) {
- $t_auth_flags = auth_flags();
- return access_has_global_level( $t_auth_flags->getCreateApiTokensThreshold(), $p_user_id );
-}
-
/**
* Checks if specified user can set their own password.
* @param integer|null $p_user_id The user id or null for logged in user or 0 for signup scenarios.
diff --git a/core/classes/AuthFlags.class.php b/core/classes/AuthFlags.class.php
index 2b24554435..07ddd9169d 100644
--- a/core/classes/AuthFlags.class.php
+++ b/core/classes/AuthFlags.class.php
@@ -149,18 +149,6 @@ function getPasswordManagedExternallyMessage() {
}
}
- function setCreateApiTokensThreshold( $p_threshold ) {
- $this->access_level_create_api_tokens = $p_threshold;
- }
-
- function getCreateApiTokensThreshold() {
- if( is_null( $this->access_level_create_api_tokens ) ) {
- return VIEWER;
- }
-
- return $this->access_level_create_api_tokens;
- }
-
function setUserStandardLoginThreshold( $p_threshold ) {
$this->access_level_can_use_standard_login = $p_threshold;
}
diff --git a/core/html_api.php b/core/html_api.php
index 03958a02c5..e4a22a32ac 100644
--- a/core/html_api.php
+++ b/core/html_api.php
@@ -739,7 +739,7 @@ function print_account_menu( $p_page = '' ) {
$t_pages['account_sponsor_page.php'] = array( 'url'=>'account_sponsor_page.php', 'label'=>'my_sponsorship' );
}
- if( auth_can_create_api_token() ) {
+ if( api_token_can_create() ) {
$t_pages['api_tokens_page.php'] = array( 'url' => 'api_tokens_page.php', 'label' => 'api_tokens_link' );
}