diff --git a/api/sys_capabilities.go b/api/sys_capabilities.go
index 7f215cf6dc..5001986749 100644
--- a/api/sys_capabilities.go
+++ b/api/sys_capabilities.go
@@ -44,6 +44,5 @@ func (c *Sys) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 }
 type CapabilitiesResponse struct {
- Message string `json:"message"`
 Capabilities []string `json:"capabilities"`
 }
diff --git a/command/capabilities.go b/command/capabilities.go
index ca6a2741e4..9f60d6854f 100644
--- a/command/capabilities.go
+++ b/command/capabilities.go
@@ -60,9 +60,6 @@ func (c *CapabilitiesCommand) Run(args []string) int {
 }
 c.Ui.Output(fmt.Sprintf("Capabilities: %s", resp.Capabilities))
- if resp.Message != "" {
- c.Ui.Output(fmt.Sprintf("Message: %s", resp.Message))
- }
 return 0
 }
diff --git a/http/sys_capabilities.go b/http/sys_capabilities.go
index 6f1eb46feb..d6d638b90f 100644
--- a/http/sys_capabilities.go
+++ b/http/sys_capabilities.go
@@ -39,7 +39,6 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 }
 if resp == nil {
 respondOk(w, &capabilitiesResponse{
- Message: "Token has no capabilities on the path",
 Capabilities: nil,
 })
 return
@@ -48,14 +47,8 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 var result capabilitiesResponse
 switch resp.Root {
 case true:
- result.Message = "This is a 'root' token. It has all the capabilities on all the 'valid' paths."
 result.Capabilities = nil
 case false:
- if len(resp.Capabilities) == 0 {
- result.Message = "Token has no capabilities on the path"
- } else {
- result.Message = ""
- }
 result.Capabilities = resp.Capabilities
 }
@@ -65,7 +58,6 @@ func handleSysCapabilities(core *vault.Core) http.Handler {
 }
 type capabilitiesResponse struct {
- Message string `json:"message"`
 Capabilities []string `json:"capabilities"`
 }
diff --git a/vault/capabilities.go b/vault/capabilities.go
index 3730914248..f5a7797aa3 100644
--- a/vault/capabilities.go
+++ b/vault/capabilities.go
@@ -38,7 +38,9 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 capabilities := make(map[string]bool)
 for _, tePolicy := range te.Policies {
 if tePolicy == "root" {
- result.Root = true
+ capabilities = map[string]bool{
+ "root": true,
+ }
 break
 }
 policy, err := c.policyStore.GetPolicy(tePolicy)
@@ -49,8 +51,8 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 continue
 }
 for _, pathCapability := range policy.Paths {
- switch pathCapability.Glob {
- case true:
+ switch {
+ case pathCapability.Glob:
 if strings.HasPrefix(path, pathCapability.Prefix) {
 for _, capability := range pathCapability.Capabilities {
 if _, ok := capabilities[capability]; !ok {
@@ -58,7 +60,7 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 }
 }
 }
- case false:
+ default:
 if path == pathCapability.Prefix {
 for _, capability := range pathCapability.Capabilities {
 if _, ok := capabilities[capability]; !ok {
@@ -71,7 +73,7 @@ func (c *Core) Capabilities(token, path string) (*CapabilitiesResponse, error) {
 }
 if len(capabilities) == 0 {
- result.Capabilities = nil
+ result.Capabilities = []string{"deny"}
 return &result, nil
 }
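Review bot: Nothing in the visible code sets `result.Root` any more, yet the handler in http/sys_capabilities.go still branches on `resp.Root`, so its `case true` arm looks unreachable and a root token is reported through `case false` as `["root"]`. If that is the intent, drop the `Root` field and the switch and assign `result.Capabilities = resp.Capabilities` directly, so no later change can revive a branch that answers nil capabilities for root. The map replacement in the `tePolicy == "root"` branch also discards whatever earlier policies contributed; a comment such as `// root supersedes capabilities collected from earlier policies` would mark that as deliberate. Capabilities begins and ends outside this hunk, so another assignment to Root may exist there.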
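Review bot: In the `case pathCapability.Glob:` arm every policy path whose prefix matches adds to the set, with no preference for the longest matching prefix. If request authorization applies only the most specific rule (the enforcement code is not on this page, so this is an assumption), the endpoint can report capabilities the token does not actually hold on `path`, which misleads anyone auditing a policy with it. Either derive the answer from the same lookup that enforcement uses, or state the difference above the loop, e.g. `// unions all matching prefixes; may be broader than what the ACL enforces`. The innermost assignment lies outside the hunk.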
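Review bot: `[]string{"deny"}` now stands for "no policy grants anything", but the loops above add each policy's own capability strings to the same map without giving any of them precedence, so if a path rule can list `deny` explicitly the response could carry `deny` alongside other capabilities. Guarding for that here keeps the answer unambiguous: `if capabilities["deny"] || len(capabilities) == 0 {`. The `resp == nil` branch in http/sys_capabilities.go still sends `Capabilities: nil`, so clients may see both `null` and `["deny"]` for what looks like the same condition; returning `[]string{"deny"}` there too would be consistent. The rest of the function, including how the map becomes a slice, is outside the hunk.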