diff --git a/changelog/28498.txt b/changelog/28498.txt
new file mode 100644
index 000000000000..0a6810ad7392
--- /dev/null
+++ b/changelog/28498.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: Fix token TTL calculation so that it uses `max_lease_ttl` tune value for tokens created via `auth/token/create`.
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index 30d9170e20dc..492c3b629eb3 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -3138,9 +3138,16 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 sysView := ts.System().(extendedSystemView)
+ var backendMaxTTL time.Duration
+
+ mountEntry := ts.core.router.MatchingMountByAccessor(req.MountAccessor)
+ if mountEntry != nil {
+ backendMaxTTL = mountEntry.Config.MaxLeaseTTL
+ }
+
 // Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
 if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
- ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, 0, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
+ ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
 if err != nil {
 return nil, err
 }