open-consul/website/content/commands/intention/check.mdx

---
layout: commands
page_title: 'Commands: Intention Check'
sidebar_title: check
---

# Consul Intention Check

Command: `consul intention check`

The `intention check` command checks whether a connection attempt between
two services would be authorized given the current set of intentions and
Consul configuration.

This command requires less ACL permissions than other intention-related
tasks because no information about the intention is revealed. Therefore,
callers only need to have `service:read` access for the destination. Richer
commands like [match](/commands/intention/match) require full
intention read permissions and don't evaluate the result.

-> **Note:** This command will always treat intentions with `Permissions`
defined as _deny_ intentions during evaluation, as this endpoint is only suited
for networking layer 4 (e.g. TCP) integration.

## Usage

Usage: `consul intention check [options] SRC DST`

`SRC` and `DST` can both take [several forms](/commands/intention#source-and-destination-naming).

#### API Options

@include 'http_api_options_client.mdx'

#### Enterprise Options

@include 'http_api_namespace_options.mdx'

## Examples

```shell-session
$ consul intention check web db
Denied

$ consul intention check web billing
Allowed
```
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
docs: update structure (#8506) - moved and renamed files/folders based on new structure - updated docs navigation based on new structure - moved CLI to top nav (created commands.jsx and commands-navigation.js) - updated and added redirects - updating to be consistent with standalone categories - changing "overview" link in top nav to lead to where intro was moved (docs/intro) - adding redirects for intro content - deleting old intro folders - format all data/navigation files - deleting old commands folder - reverting changes to glossary page - adjust intro navigation for removal of 'vs' paths - add helm page redirect - fix more redirects - add a missing redirect - fix broken anchor links and formatting mistakes - deleted duplicate section, added redirect, changed link - removed duplicate glossary page 2020-09-01 15:14:13 +00:00			`layout: commands`
intro and api navigation converted 2020-04-07 18:55:19 +00:00			`page_title: 'Commands: Intention Check'`
remove 'sidebar_current' from frontmatter 2020-04-13 18:40:26 +00:00			`sidebar_title: check`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`

			`# Consul Intention Check`

			Command: `consul intention check`

			The `intention check` command checks whether a connection attempt between
			`two services would be authorized given the current set of intentions and`
			`Consul configuration.`

			`This command requires less ACL permissions than other intention-related`
			`tasks because no information about the intention is revealed. Therefore,`
			callers only need to have `service:read` access for the destination. Richer
docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`commands like [match](/commands/intention/match) require full`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`intention read permissions and don't evaluate the result.`

docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			-> Note: This command will always treat intentions with `Permissions`
maintenance complete, pending markdown-page component addition 2020-12-08 23:24:36 +00:00			`defined as _deny_ intentions during evaluation, as this endpoint is only suited`
docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`for networking layer 4 (e.g. TCP) integration.`

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`## Usage`

			Usage: `consul intention check [options] SRC DST`

docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`SRC` and `DST` can both take [several forms](/commands/intention#source-and-destination-naming).
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`#### API Options`

intro and api navigation converted 2020-04-07 18:55:19 +00:00			`@include 'http_api_options_client.mdx'`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00			`#### Enterprise Options`

			`@include 'http_api_namespace_options.mdx'`

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`## Examples`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`$ consul intention check web db`
			`Denied`

			`$ consul intention check web billing`
			`Allowed`
			```