diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index 97a978e..f941c13 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1503,6 +1503,9 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 audit_list_command = token_prompt_command("bao audit list")
 secrets_list_command = token_prompt_command("bao secrets list")
 auth_list_command = token_prompt_command("bao auth list")
+ platform_admin_token_command = token_prompt_command(
+ "bao token create -policy=platform-admin -period=24h -orphan"
+ )
 rotate_init_command = interactive_token_command(
 "bao operator rotate-keys -init -key-shares=3 -key-threshold=2"
 )
@@ -1592,6 +1595,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
 auth_list_command,
 downstream_taint,
 ),
+ action(
+ "Create platform-admin token",
+ "Create a renewable 24-hour non-root OpenBao token with the platform-admin policy. The emitted token is secret; store it immediately through the approved operator secret path.",
+ platform_admin_token_command,
+ downstream_taint,
+ ),
 action(
 "Start unseal-key rotation",
 "Run once to start a new 3-share, threshold-2 rotation. If rotation is already in progress, do not rerun init; check status and submit existing shares.",
diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
index e7398bc..1346648 100644
--- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
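Review bot: The new `platform_admin_token_command` pairs `-period=24h` with `-orphan` and sets no `-explicit-max-ttl`, so the token is not the temporary 24-hour credential the commit message describes: a periodic token (as in Vault, which OpenBao inherits) can be renewed indefinitely, and an orphan token is not revoked when the root/bootstrap token that minted it is revoked. Unless a later bootstrap step explicitly revokes it, this leaves a standing platform-admin credential outside the root token's lease tree. If the bootstrap window is bounded, cap it in the command itself, e.g. `"bao token create -policy=platform-admin -period=24h -explicit-max-ttl=72h -orphan -display-name=platform-admin-bootstrap"`, so it expires regardless of renewals and audit entries attribute it; if `-orphan` is deliberate, add a one-line comment above the assignment saying why. `runbook_command_payloads` starts before and ends after this hunk.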
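Review bot: The card description on the added `action(...)` says "renewable 24-hour" but gives the operator no cue that `-orphan` detaches the token from the root token's lease tree or that renewal extends it past 24 hours, so nothing in the runbook prompts the explicit revocation that such a token needs. Suggest replacing the description line with `"Create a non-root OpenBao token with the platform-admin policy. It is orphaned (not revoked with the root token) and periodic (renewable past 24h): record its accessor and revoke it with bao token revoke -accessor when bootstrap ends. The emitted token is secret; store it immediately through the approved operator secret path."`. Whether the console captures the command's stdout or only echoes it is not visible in this hunk; if it echoes, the guidance presumably also needs to cover terminal scrollback and session recording. `runbook_command_payloads` starts before and ends after this hunk.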
@@ -296,6 +296,13 @@ rotation flow after the operator successfully started rotate-keys and then hit
 run-once step and that the next step is checking status or submitting existing
 shares with the nonce until quorum completes.
 
+**2026-05-26:** Added a Usecases action card for creating the temporary
+Railiance OpenBao `platform-admin` token with
+`bao token create -policy=platform-admin -period=24h -orphan`. The command
+prompts for the bootstrap/root token without placing it on the command line
+and reminds the operator to store the emitted token through the approved secret
+path.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the custodian
 age-key bootstrap model to the control surface. The UI now records the
 custodian public age recipient, a derived fingerprint, and a non-secret