diff --git a/api/http/proxy/docker_transport.go b/api/http/proxy/docker_transport.go
index 9effb54d8..37e46c2dd 100644
--- a/api/http/proxy/docker_transport.go
+++ b/api/http/proxy/docker_transport.go
@@ -248,7 +248,7 @@ func (p *proxyTransport) proxyNodeRequest(request *http.Request) (*http.Response
 func (p *proxyTransport) proxySwarmRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/swarm":
-		return p.executeDockerRequest(request)
+		return p.rewriteOperation(request, swarmInspectOperation)
 	default:
 		// assume /swarm/{action}
 		return p.administratorOperation(request)
diff --git a/api/http/proxy/swarm.go b/api/http/proxy/swarm.go
new file mode 100644
index 000000000..0048b3a38
--- /dev/null
+++ b/api/http/proxy/swarm.go
@@ -0,0 +1,23 @@
+package proxy
+
+import (
+	"net/http"
+)
+
+// swarmInspectOperation extracts the response as a JSON object and rewrites the response based
+// on the current user role. Sensitive fields are deleted from the response for non-administrator users.
+func swarmInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// SwarmInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.30/#operation/SwarmInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if !executor.operationContext.isAdmin {
+		delete(responseObject, "JoinTokens")
+		delete(responseObject, "TLSInfo")
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}