diff --git a/changelog/29060.txt b/changelog/29060.txt
new file mode 100644
index 0000000000..41e9ab952d
--- /dev/null
+++ b/changelog/29060.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+CLI: adds an optional flag (--fail-if-not-fulfilled) to the renew command, which lets the renew command fail on unfulfillable requests and allows command chaining to allow further executions.
+```
\ No newline at end of file
diff --git a/command/token_renew.go b/command/token_renew.go
index c354b4e6a5..b7e5f573cf 100644
--- a/command/token_renew.go
+++ b/command/token_renew.go
@@ -21,8 +21,9 @@ var (
 type TokenRenewCommand struct {
 	*BaseCommand
 
-	flagAccessor  bool
-	flagIncrement time.Duration
+	flagAccessor           bool
+	flagIncrement          time.Duration
+	flagFailIfNotFulfilled bool
 }
 
 func (c *TokenRenewCommand) Synopsis() string {
@@ -86,6 +87,15 @@ func (c *TokenRenewCommand) Flags() *FlagSets {
 			"numeric string with suffix like \"30s\" or \"5m\".",
 	})
 
+	f.BoolVar(&BoolVar{
+		Name:       "fail-if-not-fulfilled",
+		Target:     &c.flagFailIfNotFulfilled,
+		Default:    false,
+		EnvVar:     "",
+		Completion: complete.PredictNothing,
+		Usage:      "Fail if the requested TTL increment cannot be fully fulfilled.",
+	})
+
 	return set
 }
 
@@ -140,5 +150,10 @@ func (c *TokenRenewCommand) Run(args []string) int {
 		return 2
 	}
 
+	if c.flagFailIfNotFulfilled && secret.Auth.LeaseDuration < int(increment.Seconds()) {
+		c.UI.Info("Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled")
+		return 1
+	}
+
 	return OutputSecret(c.UI, secret)
 }
diff --git a/command/token_renew_test.go b/command/token_renew_test.go
index 4fc469995b..fa2a1b6564 100644
--- a/command/token_renew_test.go
+++ b/command/token_renew_test.go
@@ -56,6 +56,18 @@ func TestTokenRenewCommand_Run(t *testing.T) {
 			"",
 			0,
 		},
+		{
+			"fail_if_not_fulfilled_exceeds_max_ttl",
+			[]string{"-increment", "33d", "--fail-if-not-fulfilled"},
+			"Token renewal completed with capped duration, failing the command because of --fail-if-not-fulfilled",
+			1,
+		},
+		{
+			"fail_if_not_fulfilled_within_max_ttl",
+			[]string{"-increment", "30m", "--fail-if-not-fulfilled"},
+			"",
+			0,
+		},
 	}
 
 	t.Run("validations", func(t *testing.T) {
diff --git a/website/content/docs/commands/token/renew.mdx b/website/content/docs/commands/token/renew.mdx
index 6dc3420641..38934e6920 100644
--- a/website/content/docs/commands/token/renew.mdx
+++ b/website/content/docs/commands/token/renew.mdx
@@ -36,6 +36,12 @@ Renew a token requesting a specific increment value:
 $ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017
 ```
 
+Fail if the requested TTL increment cannot be fully fulfilled:
+
+```shell-session
+$ vault token renew -increment=30m 96ddf4bc-d217-f3ba-f9bd-017055595017 --fail-if-not-fulfilled || vault login
+```
+
 ## Usage
 
 The following flags are available in addition to the [standard set of
@@ -56,3 +62,7 @@ flags](/vault/docs/commands) included on all commands.
 
 - `-accessor` `(bool: false)` - Treat the argument as an accessor instead of a
 token. When this option is selected, the output will NOT include the token.
+
+- `--fail-if-not-fulfilled` - Fail if the requested TTL increment cannot be
+fully fulfilled. Vault allows command chaining and token renewal request
+completion with capped duration even if renew request fails.
\ No newline at end of file