diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 641e57b5a4..5d1546c742 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -115,6 +115,10 @@ func (a *ACL) BootstrapTokens(args *structs.DCSpecificRequest, reply *structs.AC
 		return err
 	}
 
+	if err := a.srv.aclBootstrapAllowed(); err != nil {
+		return err
+	}
+
 	// Verify we are allowed to serve this request
 	if !a.srv.InACLDatacenter() {
 		return acl.ErrDisabled
diff --git a/agent/consul/acl_server_oss.go b/agent/consul/acl_server_oss.go
index 32aedd9405..7c378143bb 100644
--- a/agent/consul/acl_server_oss.go
+++ b/agent/consul/acl_server_oss.go
@@ -16,3 +16,11 @@ func (s *Server) ResolveEntTokenToIdentityAndAuthorizer(token string) (structs.A
 func (s *Server) validateEnterpriseToken(identity structs.ACLIdentity) error {
 	return nil
 }
+
+// aclBootstrapAllowed returns whether the server's configuration would allow ACL bootstrapping
+//
+// This endpoint does not take into account whether bootstrapping has been performed previously
+// nor the bootstrap reset file.
+func (s *Server) aclBootstrapAllowed() error {
+	return nil
+}