diff --git a/command/capabilities.go b/command/capabilities.go
index c40c42f120..ca6a2741e4 100644
--- a/command/capabilities.go
+++ b/command/capabilities.go
@@ -47,11 +47,11 @@ func (c *CapabilitiesCommand) Run(args []string) int {
 		return 2
 	}
 
-	var capabilities *api.CapabilitiesResponse
+	var resp *api.CapabilitiesResponse
 	if token == "" {
-		capabilities, err = client.Sys().CapabilitiesSelf(path)
+		resp, err = client.Sys().CapabilitiesSelf(path)
 	} else {
-		capabilities, err = client.Sys().Capabilities(token, path)
+		resp, err = client.Sys().Capabilities(token, path)
 	}
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
@@ -59,7 +59,10 @@ func (c *CapabilitiesCommand) Run(args []string) int {
 		return 1
 	}
 
-	c.Ui.Output(fmt.Sprintf("Capabilities:%s\nMessage:%s\n", capabilities.Capabilities, capabilities.Message))
+	c.Ui.Output(fmt.Sprintf("Capabilities: %s", resp.Capabilities))
+	if resp.Message != "" {
+		c.Ui.Output(fmt.Sprintf("Message: %s", resp.Message))
+	}
 	return 0
 }
 
@@ -72,9 +75,9 @@ func (c *CapabilitiesCommand) Help() string {
 Usage: vault capabilities [options] [token] path
 
 Fetch the capabilities of a token on a given path.
-If a token is given to the command '/sys/capabilities' will be called with
-the given token; otherwise '/sys/capabilities-self' will be called with the
-client token.
+If a token is provided to the command, API '/sys/capabilities' will be invoked
+with the given token; otherwise API '/sys/capabilities-self' will be invoked with
+the client token.
 
 General Options:
 
diff --git a/http/sys_capabilities.go b/http/sys_capabilities.go
index c42fe0cf34..6f1eb46feb 100644
--- a/http/sys_capabilities.go
+++ b/http/sys_capabilities.go
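Review bot: `fmt.Sprintf("Capabilities: %s", resp.Capabilities)` on the new output line prints the slice with Go's default formatting, so the user sees `Capabilities: [read update]`, and because the server returns a nil `Capabilities` for both a root token and a token with no capabilities (see the http handler in this same diff), both cases print `Capabilities: []` and only the optional Message line tells them apart. Joining explicitly, `c.Ui.Output("Capabilities: " + strings.Join(resp.Capabilities, ", "))`, gives cleaner output and makes the empty case visible as an empty value; this needs the `strings` import if the file does not already have it. Run's body begins and ends outside the hunk.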
@@ -32,28 +32,34 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 			data.Token = req.ClientToken
 		}
 
-		capabilities, err := core.Capabilities(data.Token, data.Path)
+		resp, err := core.Capabilities(data.Token, data.Path)
 		if err != nil {
 			respondError(w, http.StatusInternalServerError, err)
 			return
 		}
-		if capabilities == nil {
-			respondOk(w, &capabilitiesResponse{Message: "Token has no capabilities on the given path"})
+		if resp == nil {
+			respondOk(w, &capabilitiesResponse{ Message: "Token has no capabilities on the path", Capabilities: nil, })
 			return
 		}
-		var response capabilitiesResponse
-		switch capabilities.Root {
+		var result capabilitiesResponse
+		switch resp.Root {
 		case true:
-			response.Message = `Thij is a 'root' token. It has all the capabilities on all the paths. This token can be used on any valid path.`
-			response.Capabilities = nil
+			result.Message = "This is a 'root' token. It has all the capabilities on all the 'valid' paths."
+			result.Capabilities = nil
 		case false:
-			response.Message = ""
-			response.Capabilities = capabilities.Capabilities
+			if len(resp.Capabilities) == 0 {
+				result.Message = "Token has no capabilities on the path"
+			} else {
+				result.Message = ""
+			}
+			result.Capabilities = resp.Capabilities
 		}
-		respondOk(w, response)
+		respondOk(w, result)
 	})
 }
diff --git a/vault/capabilities.go b/vault/capabilities.go
index 16935feb52..3730914248 100644
--- a/vault/capabilities.go
+++ b/vault/capabilities.go
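Review bot: In the `case true` branch a root token is reported with `result.Capabilities = nil`, which is the same value the `resp == nil` branch and the new `len(resp.Capabilities) == 0` branch send, so a client that inspects the `capabilities` field instead of parsing the free-text message will conclude that a root token has no capabilities on the path. Unless `capabilitiesResponse` (defined outside this hunk) carries a separate root indicator, consider `result.Capabilities = []string{"root"}` or an explicit boolean field so the distinction survives serialization. Separately, the `respondError(w, http.StatusInternalServerError, err)` line maps every error from `core.Capabilities` to 500, including the `missing path` validation error visible in vault/capabilities.go in this same diff, which is a client-input error unless the handler already checks `data.Path` before this hunk. The literal `"Token has no capabilities on the path"` now appears twice in this handler; hoisting it to one package-level const keeps the two branches from drifting. The enclosing handler closure begins before the hunk.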
@@ -6,14 +6,14 @@ import (
 	"strings"
 )
 
-// CapabilitiesResult holds the result of fetching the capabilities of token on a path
-type CapabilitiesResult struct {
+// CapabilitiesResponse holds the result of fetching the capabilities of token on a path
+type CapabilitiesResponse struct {
 	Root         bool
 	Capabilities []string
 }
 
 // Capabilities is used to fetch the capabilities of the given token on the given path
-func (c *Core) Capabilities(token, path string) (*CapabilitiesResult, error) {
+func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 	if path == "" {
 		return nil, fmt.Errorf("missing path")
 	}
@@ -34,7 +34,7 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResult, error) {
 		return nil, nil
 	}
 
-	var result CapabilitiesResult
+	var result CapabilitiesResponse
 	capabilities := make(map[string]bool)
 	for _, tePolicy := range te.Policies {
 		if tePolicy == "root" {
@@ -45,6 +45,9 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResult, error) {
 		if err != nil {
 			return nil, err
 		}
+		if policy == nil || policy.Paths == nil {
+			continue
+		}
 		for _, pathCapability := range policy.Paths {
 			switch pathCapability.Glob {
 			case true:
@@ -67,6 +70,11 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResult, error) {
 		}
 	}
 
+	if len(capabilities) == 0 {
+		result.Capabilities = nil
+		return &result, nil
+	}
+
 	for capability, _ := range capabilities {
 		result.Capabilities = append(result.Capabilities, capability)
 	}
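Review bot: The `policy.Paths == nil` half of the added guard is redundant — `range` over a nil slice is a no-op — so only `policy == nil` changes behavior and the guard can read `if policy == nil { continue }`. Silently skipping a policy name attached to the token that (presumably) no longer resolves is fail-closed for this report, since nothing is granted by it, but if the ACL used for actual request enforcement treats a missing policy differently, the capabilities reported here and the capabilities enforced will diverge; a one-line comment stating the intent would help, e.g. `// A policy attached to the token may have been deleted since it was issued; it grants nothing here.`. The loop over `te.Policies` that contains this guard opens before the hunk.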
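Review bot: `result.Capabilities = nil` inside the added early return is a no-op — nothing has been appended to `result` yet, so the field is already its zero value — and the branch reduces to `if len(capabilities) == 0 { return &result, nil }`. More useful to callers and tests: the slice on the `append` line is built by ranging over a map, so the order of capabilities in the response changes between calls; sorting after the loop, `sort.Strings(result.Capabilities)`, gives a stable result at the cost of a `sort` import if the file lacks one. The `for capability, _ := range capabilities` form can drop the blank identifier (`for capability := range capabilities`), which is what `gofmt -s` produces. The function continues past the end of the hunk.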