diff --git a/doc/source/admin/identity-bootstrap.rst b/doc/source/admin/identity-bootstrap.rst index af77e2c3e5..242bca7166 100644 --- a/doc/source/admin/identity-bootstrap.rst +++ b/doc/source/admin/identity-bootstrap.rst @@ -102,7 +102,8 @@ Using a shared secret ``keystone-manage bootstrap`` command and not the ``ADMIN_TOKEN``. The ``ADMIN_TOKEN`` can leave your deployment vulnerable by exposing administrator functionality through the API based solely on a single - secret. + secret. You shouldn't have to use ``ADMIN_TOKEN`` at all, unless you have + some special case bootstrapping requirements. Before you can use the identity API, you need to configure keystone with a @@ -120,7 +121,5 @@ keystone that bootstrap the rest of the deployment. You must create a project, user, and role in order to use normal user authentication through the API. The ``admin_token`` does not represent a user or explicit authorization of any -kind. It is imperative that you disable the ``AdminTokenAuthMiddleware`` from -your paste application pipelines after bootstrapping, especially in production -deployments. Failure to remove this functionality exposes an additional attack -vector and security risk. +kind. After bootstrapping, failure to remove this functionality exposes an +additional attack vector and security risk. diff --git a/keystone/conf/default.py b/keystone/conf/default.py index 2b49b2f848..e198d4af29 100644 --- a/keystone/conf/default.py +++ b/keystone/conf/default.py 
@@ -41,10 +41,6 @@ that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. -However, to completely disable `admin_token` in production (highly recommended, -as it presents a security risk), remove `AdminTokenAuthMiddleware` -(the `admin_token_auth` filter) from your paste application pipelines (for -example, in `keystone-paste.ini`). """)) public_endpoint = cfg.URIOpt(
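Review bot: In the doc/source/admin/identity-bootstrap.rst hunk at @@ -120, the rewritten sentence "After bootstrapping, failure to remove this functionality exposes an additional attack vector" no longer tells the reader how to remove it. The deleted text named the concrete step (dropping ``AdminTokenAuthMiddleware`` from the paste pipeline); its replacement should name the new one, for example "After bootstrapping, unset ``admin_token`` (leave it as ``None``) so the middleware is disabled; leaving it configured exposes an additional attack vector and security risk."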
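Review bot: In the doc/source/admin/identity-bootstrap.rst hunk at @@ -102, "special case bootstrapping requirements" should read "special-case bootstrapping requirements" (compound adjective), and "unless you have some ..." could be tightened to "unless you have special-case bootstrapping requirements".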
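Review bot: In the keystone/conf/default.py hunk, removing the paragraph drops the only place the option help told operators that ``admin_token`` should be disabled in production; what remains only says that ``None`` disables the middleware. Consider keeping a one-line recommendation in the help text, such as "Leave this unset (``None``) in production, as it presents a security risk", and adding a release note since the documented procedure for disabling ``admin_token`` changes.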