diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index fd3e7e79..dc5c5d84 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -2601,11 +2601,11 @@ int crypt_token_luks2_keyring_get(struct crypt_device *cd,
 * (There can be more keyslots assigned to one token id.)
 *
 * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
 * @param keyslot keyslot to be assigned to token (CRYPT_ANY SLOT
 * assigns all active keyslots to token)
 *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be assigned or negative errno otherwise.
 */
 int crypt_token_assign_keyslot(struct crypt_device *cd,
 int token,
@@ -2616,11 +2616,11 @@ int crypt_token_assign_keyslot(struct crypt_device *cd,
 * (There can be more keyslots assigned to one token id.)
 *
 * @param cd crypt device handle
- * @param token token id
+ * @param token specific token id
 * @param keyslot keyslot to be unassigned from token (CRYPT_ANY SLOT
 * unassigns all active keyslots from token)
 *
- * @return allocated token id or negative errno otherwise.
+ * @return requested token id to be unassigned or negative errno otherwise.
 */
 int crypt_token_unassign_keyslot(struct crypt_device *cd,
 int token,
diff --git a/lib/setup.c b/lib/setup.c
index 482f5c60..5b14a7c5 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -6882,6 +6882,9 @@ int crypt_token_assign_keyslot(struct crypt_device *cd, int token, int keyslot)
 if ((r = onlyLUKS2(cd)))
 return r;

+ if (token == CRYPT_ANY_TOKEN)
+ return -EINVAL;
+
 return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 1, 1);
 }

@@ -6892,6 +6895,9 @@ int crypt_token_unassign_keyslot(struct crypt_device *cd, int token, int keyslot
 if ((r = onlyLUKS2(cd)))
 return r;

+ if (token == CRYPT_ANY_TOKEN)
+ return -EINVAL;
+
 return LUKS2_token_assign(cd, &cd->u.luks2.hdr, keyslot, token, 0, 1);
 }

diff --git a/tests/api-test-2.c b/tests/api-test-2.c
index 6b746de2..c51a068a 100644
--- a/tests/api-test-2.c
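Review bot: In lib/libcryptsetup.h, the reworded `@param token` lines for crypt_token_assign_keyslot and crypt_token_unassign_keyslot say "specific token id" but never name the value that is now refused or the error a caller gets back. Suggest `@param token specific token id (CRYPT_ANY_TOKEN is rejected with -EINVAL)` in both comment blocks, so the contract can be read from the header without opening setup.c. The `@param keyslot` context line in both hunks also spells the constant as `CRYPT_ANY SLOT`; `CRYPT_ANY_SLOT` is presumably meant.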
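Review bot: In lib/setup.c, the new guard in crypt_token_assign_keyslot (and the identical one in crypt_token_unassign_keyslot) carries no comment saying why the wildcard is refused, and it filters only that one sentinel. Presumably LUKS2_token_assign treats CRYPT_ANY_TOKEN as "every token", which would silently widen the set of tokens able to unlock a keyslot; a comment such as `/* a wildcard id would touch every token; callers must name one */` would record that, once confirmed against LUKS2_token_assign. Other negative or out-of-range ids still pass through to LUKS2_token_assign, whose validation is outside these hunks; if it does not reject them, `if (token < 0) return -EINVAL;` would cover the sentinel and the rest. Both function bodies begin above the hunks.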
+++ b/tests/api-test-2.c
@@ -2149,8 +2149,12 @@ static void Tokens(void)
 EQ_(crypt_token_json_get(cd, 2, &dummy), 2);

 // exercise assign/unassign keyslots API
+ FAIL_(crypt_token_unassign_keyslot(cd, CRYPT_ANY_TOKEN, 1), "Token id must be specific.");
+ OK_(crypt_token_is_assigned(cd, 2, 1));
 EQ_(crypt_token_unassign_keyslot(cd, 2, 1), 2);
 FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Token assigned to no keyslot");
+ FAIL_(crypt_token_assign_keyslot(cd, CRYPT_ANY_TOKEN, 0), "Token id must be specific.");
+ FAIL_(crypt_token_is_assigned(cd, 2, 0), "Token 2 must not be assigned to keyslot 0.");
 EQ_(crypt_token_assign_keyslot(cd, 2, 0), 2);
 FAIL_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr1, 0), "Wrong passphrase");
 EQ_(crypt_activate_by_token(cd, CDEVICE_1, 2, passptr, 0), 0);
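Review bot: The two new negative checks in Tokens() use `FAIL_`, which as far as this hunk shows only requires the call to fail, so an unrelated error path (a bad keyslot, for instance) would satisfy them as well. Pinning the code ties the test to the new guard: `EQ_(crypt_token_unassign_keyslot(cd, CRYPT_ANY_TOKEN, 1), -EINVAL);` and likewise for the assign call. The follow-up `crypt_token_is_assigned` checks look only at token 2; if the fixture holds other tokens at this point, checking one of them too would confirm that the rejected wildcard call changed nothing. Tokens() starts and ends outside the hunk.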