diff --git a/awx_collection/plugins/doc_fragments/auth.py b/awx_collection/plugins/doc_fragments/auth.py
index 4ada9588a2..9508577fb9 100644
--- a/awx_collection/plugins/doc_fragments/auth.py
+++ b/awx_collection/plugins/doc_fragments/auth.py
@@ -40,6 +40,7 @@ options:
- A dictionary structure as returned by the token module.
- If value not set, will try environment variable C(CONTROLLER_OAUTH_TOKEN) and then config files
type: raw
+ aliases: [ controller_oauthtoken ]
version_added: "3.7.0"
validate_certs:
description:
diff --git a/awx_collection/plugins/doc_fragments/auth_plugin.py b/awx_collection/plugins/doc_fragments/auth_plugin.py
index 44ad326eda..d2112f141e 100644
--- a/awx_collection/plugins/doc_fragments/auth_plugin.py
+++ b/awx_collection/plugins/doc_fragments/auth_plugin.py
@@ -40,15 +40,18 @@ options:
version: '4.0.0'
why: Collection name change
alternatives: 'TOWER_PASSWORD, AAP_PASSWORD'
- aap_token:
+ oauth_token:
description:
- The OAuth token to use.
env:
- name: AAP_TOKEN
+ - name: CONTROLLER_OAUTH_TOKEN
+ - name: TOWER_OAUTH_TOKEN
deprecated:
collection_name: 'awx.awx'
version: '4.0.0'
why: Collection name change
+ alternatives: 'CONTROLLER_OAUTH_TOKEN'
verify_ssl:
description:
- Specify whether Ansible should verify the SSL certificate of the controller host.
diff --git a/awx_collection/plugins/module_utils/controller_api.py b/awx_collection/plugins/module_utils/controller_api.py
index 33acdca85e..701c930638 100644
--- a/awx_collection/plugins/module_utils/controller_api.py
+++ b/awx_collection/plugins/module_utils/controller_api.py
@@ -73,6 +73,7 @@ class ControllerModule(AnsibleModule):
aap_token=dict(
type='raw',
no_log=True,
+ aliases=['controller_oauthtoken',],
required=False,
fallback=(env_fallback, ['CONTROLLER_OAUTH_TOKEN', 'TOWER_OAUTH_TOKEN', 'AAP_TOKEN'])
),
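Review bot: The context line `- If value not set, will try environment variable C(CONTROLLER_OAUTH_TOKEN) and then config files` under-documents the lookup that the option now carries the `controller_oauthtoken` alias for: the argument spec in the controller_api.py hunk on this page falls back to `CONTROLLER_OAUTH_TOKEN`, `TOWER_OAUTH_TOKEN` and `AAP_TOKEN`, so two variables a user may have exported are not mentioned here. Suggest `- If value not set, will try environment variables C(CONTROLLER_OAUTH_TOKEN), C(TOWER_OAUTH_TOKEN) and C(AAP_TOKEN), and then config files`. The option's own name line sits outside this hunk; presumably it is `aap_token`, matching the spec entry that gains the same alias.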
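Review bot: The env list for `oauth_token` now reads `AAP_TOKEN`, `CONTROLLER_OAUTH_TOKEN`, `TOWER_OAUTH_TOKEN`, which differs from the module fallback order `CONTROLLER_OAUTH_TOKEN`, `TOWER_OAUTH_TOKEN`, `AAP_TOKEN` in controller_api.py on this page. If the plugin config loader resolves the last variable in the list that is set, as I recall it does, a user with both `CONTROLLER_OAUTH_TOKEN` and the deprecated `TOWER_OAUTH_TOKEN` exported would have plugins authenticate with the deprecated one while modules use the other; worth confirming and either aligning the order with the module spec or stating the precedence in the `description:`. Indentation is lost in this rendering, so the hunk alone does not show which list entry the `deprecated:` block now belongs to, but the added `alternatives: 'CONTROLLER_OAUTH_TOKEN'` only reads sensibly under `TOWER_OAUTH_TOKEN`; the retained `why: Collection name change` text from its previous position under `AAP_TOKEN` should be checked against that.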
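Review bot: `aliases=['controller_oauthtoken',],` carries a stray trailing comma inside a single-line list; `aliases=['controller_oauthtoken'],` matches the other entries of this spec. Because the parameter is `no_log=True`, a value supplied under the alias should be masked like one supplied as `aap_token` (Ansible maps aliases onto the canonical name before collecting no_log values, as far as I know), but the integration tests added in this commit only pass `aap_token`, so a task that supplies `controller_oauthtoken:` and checks the token never appears in verbose output would pin that behaviour down. The argument spec dict starts before this hunk.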
@@ -129,18 +130,18 @@ class ControllerModule(AnsibleModule):
if direct_value is not None:
setattr(self, short_param, direct_value)
- # Perform magic depending on whether controller_oauthtoken is a string or a dict
- if self.params.get('controller_oauthtoken'):
- token_param = self.params.get('controller_oauthtoken')
+ # Perform magic depending on whether aap_token is a string or a dict
+ if self.params.get('aap_token'):
+ token_param = self.params.get('aap_token')
if isinstance(token_param, dict):
if 'token' in token_param:
- self.oauth_token = self.params.get('controller_oauthtoken')['token']
+ self.oauth_token = self.params.get('aap_token')['token']
else:
- self.fail_json(msg="The provided dict in controller_oauthtoken did not properly contain the token entry")
+ self.fail_json(msg="The provided dict in aap_token did not properly contain the token entry")
elif isinstance(token_param, string_types):
- self.oauth_token = self.params.get('controller_oauthtoken')
+ self.oauth_token = self.params.get('aap_token')
else:
- error_msg = "The provided controller_oauthtoken type was not valid ({0}). Valid options are str or dict.".format(type(token_param).__name__)
+ error_msg = "The provided aap_token type was not valid ({0}). Valid options are str or dict.".format(type(token_param).__name__)
self.fail_json(msg=error_msg)
# Perform some basic validation
diff --git a/awx_collection/tests/integration/targets/token/tasks/main.yml b/awx_collection/tests/integration/targets/token/tasks/main.yml
index 9cd4972a93..92aace82cc 100644
--- a/awx_collection/tests/integration/targets/token/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/token/tasks/main.yml
@@ -18,7 +18,7 @@
- assert:
that:
- results is failed
- '"The provided dict in controller_oauthtoken did not properly contain the token entry" == results.msg'
+ - '"The provided dict in aap_token did not properly contain the token entry" == results.msg'
- name: Try to use a token as a list
job_list:
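Review bot: The rewritten lines call `self.params.get('aap_token')` three more times after `token_param` already holds that value; `self.oauth_token = token_param['token']` and `self.oauth_token = token_param` express the same thing without the repeated lookups. With the `controller_oauthtoken` alias added to the argument spec in this commit, the `if self.params.get('aap_token'):` test relies on Ansible having copied an alias value onto the canonical key before this runs, which is the normal alias handling as I understand it but deserves a one-line comment such as `# 'controller_oauthtoken' is an alias; Ansible has already mapped it onto 'aap_token' by now`, since the old name was read here directly. The enclosing method begins before this hunk.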
@@ -30,7 +30,7 @@
- assert:
that:
- results is failed
- '"The provided controller_oauthtoken type was not valid (list). Valid options are str or dict." == results.msg'
+ - '"The provided aap_token type was not valid (list). Valid options are str or dict." == results.msg'
- name: Try to delete a token with no existing_token or existing_token_id
token:
@@ -113,3 +113,42 @@
- assert:
that:
- results is changed or resuslts is skipped
+
+ - block:
+ - name: Create a less privileged token (read)
+ token:
+ description: '{{ token_description }}'
+ scope: "read"
+ state: present
+ register: read_only_token
+
+ - debug:
+ msg: "{{read_only_token}}"
+
+ - name: Exercise the aap_token parameter with the new token.
+ job_list:
+ aap_token: "{{ read_only_token.ansible_facts.controller_token.token }}"
+
+ - name: Ensure the new token is being used and not the default token for the tests.
+ token:
+ aap_token: "{{ read_only_token.ansible_facts.controller_token.token }}"
+ scope: "write"
+ state: present
+ ignore_errors: true
+ register: result
+
+ - assert:
+ that:
+ - "'You don\\'t have permission to POST' in result.msg"
+
+ always:
+ - name: Delete the less privileged token
+ token:
+ existing_token_id: "{{ read_only_token['id'] }}"
+ state: absent
+ when: read_only_token is defined
+ register: result
+
+ - assert:
+ that:
+ - result is changed
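Review bot: The added `- debug:` task with `msg: "{{read_only_token}}"` prints the whole registered result, including the freshly created token value under `ansible_facts.controller_token.token`, into the run output, where it outlives the `always:` cleanup in CI logs and artifacts. Drop the task, or if the output is wanted for troubleshooting give it `no_log: true` or print only `read_only_token['id']`, which the cleanup task already uses. The context line `- results is changed or resuslts is skipped` just above the added block has a typo (`resuslts`) that turns the right-hand operand into an undefined variable; it predates this commit but sits in the same block and is worth fixing alongside.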