diff --git a/website/content/commands/acl/auth-method/create.mdx b/website/content/commands/acl/auth-method/create.mdx
index f6fe84eeb..a47477493 100644
--- a/website/content/commands/acl/auth-method/create.mdx
+++ b/website/content/commands/acl/auth-method/create.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Auth Method Create'
 
 Command: `consul acl auth-method create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/auth-method](/api-docs/acl/auth-methods#create-an-auth-method)
+
 The `acl auth-method create` command creates new auth methods.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl auth-method create [options] [args]`
diff --git a/website/content/commands/acl/auth-method/delete.mdx b/website/content/commands/acl/auth-method/delete.mdx
index b0a0a10c0..3ba8324a4 100644
--- a/website/content/commands/acl/auth-method/delete.mdx
+++ b/website/content/commands/acl/auth-method/delete.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Auth Method Delete'
 
 Command: `consul acl auth-method delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/auth-method/:name](/api-docs/acl/auth-methods#delete-an-auth-method)
+
 The `acl auth-method delete` command deletes an auth method.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl auth-method delete [options]`
diff --git a/website/content/commands/acl/auth-method/list.mdx b/website/content/commands/acl/auth-method/list.mdx
index bb911a913..643e1c02c 100644
--- a/website/content/commands/acl/auth-method/list.mdx
+++ b/website/content/commands/acl/auth-method/list.mdx
@@ -7,7 +7,17 @@ page_title: 'Commands: ACL Auth Method List'
 
 Command: `consul acl auth-method list`
 
-The `acl auth-method list`s command lists all auth methods. By default it will not show metadata.
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/auth-methods](/api-docs/acl/auth-methods#list-auth-methods)
+
+The `acl auth-method list` command lists all auth methods. By default it will not show metadata.
+
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
 
 ## Usage
 
diff --git a/website/content/commands/acl/auth-method/read.mdx b/website/content/commands/acl/auth-method/read.mdx
index f24c78a85..fbe7d055c 100644
--- a/website/content/commands/acl/auth-method/read.mdx
+++ b/website/content/commands/acl/auth-method/read.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Auth Method Read'
 
 Command: `consul acl auth-method read`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/auth-method/:name](/api-docs/acl/auth-methods#read-an-auth-method)
+
 The `acl auth-method read` command reads and displays an auth method's details.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl auth-method read [options] [args]`
diff --git a/website/content/commands/acl/auth-method/update.mdx b/website/content/commands/acl/auth-method/update.mdx
index db70c72e4..c960a09d0 100644
--- a/website/content/commands/acl/auth-method/update.mdx
+++ b/website/content/commands/acl/auth-method/update.mdx
@@ -7,11 +7,21 @@ page_title: 'Commands: ACL Auth Method Update'
 
 Command: `consul acl auth-method update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/auth-method/:name](/api-docs/acl/auth-methods#update-an-auth-method)
+
 The `acl auth-method update` command is used to update an auth method. The
 default operations is to merge the current auth method with those values
 provided to the command invocation. Therefore to update just one field, only
 the `-name` options and the option to modify must be provided.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl auth-method update [options] [args]`
diff --git a/website/content/commands/acl/binding-rule/create.mdx b/website/content/commands/acl/binding-rule/create.mdx
index 381ded246..df65da77a 100644
--- a/website/content/commands/acl/binding-rule/create.mdx
+++ b/website/content/commands/acl/binding-rule/create.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Binding Rule Create'
 
 Command: `consul acl binding-rule create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/binding-rule](/api-docs/acl/binding-rules#create-a-binding-rule)
+
 The `acl binding-rule create` command creates new binding rules.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl binding-rule create [options] [args]`
diff --git a/website/content/commands/acl/binding-rule/delete.mdx b/website/content/commands/acl/binding-rule/delete.mdx
index d6ada8d9b..e59d533fd 100644
--- a/website/content/commands/acl/binding-rule/delete.mdx
+++ b/website/content/commands/acl/binding-rule/delete.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Binding Rule Delete'
 
 Command: `consul acl binding-rule delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/binding-rule/:id](/api-docs/acl/binding-rules#delete-a-binding-rule)
+
 The `acl binding-rule delete` command deletes a binding rule.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl binding-rule delete [options]`
diff --git a/website/content/commands/acl/binding-rule/list.mdx b/website/content/commands/acl/binding-rule/list.mdx
index 1e7a1018c..1753f3f9b 100644
--- a/website/content/commands/acl/binding-rule/list.mdx
+++ b/website/content/commands/acl/binding-rule/list.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Binding Rule List'
 
 Command: `consul acl binding-rule list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/binding-rules](/api-docs/acl/binding-rules#list-binding-rules)
+
 The `acl binding-rule list` command lists all binding rules. By default it will not show metadata.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl binding-rule list`
diff --git a/website/content/commands/acl/binding-rule/read.mdx b/website/content/commands/acl/binding-rule/read.mdx
index 550dc2478..15b66acb6 100644
--- a/website/content/commands/acl/binding-rule/read.mdx
+++ b/website/content/commands/acl/binding-rule/read.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Binding Rule Read'
 
 Command: `consul acl binding-rule read`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/binding-rule/:id](/api-docs/acl/binding-rules#read-a-binding-rule)
+
 The `acl binding-rule read` command reads and displays a binding rules details.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl binding-rule read [options] [args]`
diff --git a/website/content/commands/acl/binding-rule/update.mdx b/website/content/commands/acl/binding-rule/update.mdx
index a42414157..2fb1496ab 100644
--- a/website/content/commands/acl/binding-rule/update.mdx
+++ b/website/content/commands/acl/binding-rule/update.mdx
@@ -7,11 +7,21 @@ page_title: 'Commands: ACL Binding Rule Update'
 
 Command: `consul acl binding-rule update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/binding-rule/:id](/api-docs/acl/binding-rules#update-a-binding-rule)
+
 The `acl binding-rule update` command is used to update a binding rule. The
 default operations is to merge the current binding rule with those values
 provided to the command invocation. Therefore to update just one field, only
 the `-id` option and the option to modify must be provided.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl binding-rule update [options] [args]`
diff --git a/website/content/commands/acl/bootstrap.mdx b/website/content/commands/acl/bootstrap.mdx
index 92c651b84..28592f0e7 100644
--- a/website/content/commands/acl/bootstrap.mdx
+++ b/website/content/commands/acl/bootstrap.mdx
@@ -7,12 +7,20 @@ page_title: 'Commands: ACL Bootstrap'
 
 Command: `consul acl bootstrap`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/bootstrap](/api-docs/acl#bootstrap-acls)
+
 The `acl bootstrap` command will request Consul to generate a new token with unlimited privileges to use
 for management purposes and output its details. This can only be done once and afterwards bootstrapping
 will be disabled. If all tokens are lost and you need to bootstrap again you can follow the bootstrap
 [reset procedure](https://learn.hashicorp.com/consul/security-networking/acl-troubleshooting?utm_source=consul.io&utm_medium=docs#reset-the-acl-system).
 
-The ACL system can also be bootstrapped via the [HTTP API](/api/acl/acl#bootstrap-acls).
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
 
 ## Usage
 
diff --git a/website/content/commands/acl/policy/create.mdx b/website/content/commands/acl/policy/create.mdx
index 9067675c4..8cdcd20b7 100644
--- a/website/content/commands/acl/policy/create.mdx
+++ b/website/content/commands/acl/policy/create.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: ACL Policy Create'
 
 Command: `consul acl policy create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/policy](/api-docs/acl/policies#create-a-policy)
+
 The `acl policy create` command creates new policies. The policies rules can either be set explicitly or the
 `-from-token` parameter may be used to load the rules from a legacy ACL token. When loading
 the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
@@ -17,6 +19,14 @@ from stdin, a file or the raw value. To use stdin pass `-` as the value.
 To load the value from a file prefix the value with an `@`. Any other
 values will be used directly.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 -> **Deprecated:** The `-from-token` and `-token-secret` arguments exist only as a convenience
 to make legacy ACL migration easier. These will be removed in a future major release when
 support for the legacy ACL system is removed.
diff --git a/website/content/commands/acl/policy/delete.mdx b/website/content/commands/acl/policy/delete.mdx
index a3c02423b..c903545c7 100644
--- a/website/content/commands/acl/policy/delete.mdx
+++ b/website/content/commands/acl/policy/delete.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Policy Delete'
 
 Command: `consul acl policy delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/policy/:id](/api-docs/acl/policies#delete-a-policy)
+
 The `acl policy delete` command deletes a policy. Policies may be deleted by their ID or by name.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl policy delete [options]`
diff --git a/website/content/commands/acl/policy/list.mdx b/website/content/commands/acl/policy/list.mdx
index e46348116..dd2a6606b 100644
--- a/website/content/commands/acl/policy/list.mdx
+++ b/website/content/commands/acl/policy/list.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Policy List'
 
 Command: `consul acl policy list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/policies](/api-docs/acl/policies#list-policies)
+
 The `acl policy list` command lists all policies. By default it will not show metadata.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl policy list`
diff --git a/website/content/commands/acl/policy/read.mdx b/website/content/commands/acl/policy/read.mdx
index 51a4b67db..0f45b18cb 100644
--- a/website/content/commands/acl/policy/read.mdx
+++ b/website/content/commands/acl/policy/read.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Policy Read'
 
 Command: `consul acl policy read`
 
+Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/policy/:id](/api-docs/acl/policies#read-a-policy), [\[GET\] /v1/acl/policy/name/:name](/api-docs/acl/policies#read-a-policy-by-name)
+
 The `acl policy read` command reads and displays a policies details.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl policy read [options] [args]`
diff --git a/website/content/commands/acl/policy/update.mdx b/website/content/commands/acl/policy/update.mdx
index 5aa93a05d..4beeec210 100644
--- a/website/content/commands/acl/policy/update.mdx
+++ b/website/content/commands/acl/policy/update.mdx
@@ -7,12 +7,22 @@ page_title: 'Commands: ACL Policy Update'
 
 Command: `consul acl policy update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/policy/:id](/api-docs/acl/policies#update-a-policy)
+
 The `acl policy update` command is used to update a policy. The default operations is to merge the current policy
 with those values provided to the command invocation. Therefore to update just one field, only
 the `-id` or `-name` options and the option to modify must be provided. Note that renaming
 policies requires both the `-id` and `-name` as the new name cannot yet be used to lookup the
 policy.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl policy update [options] [args]`
diff --git a/website/content/commands/acl/role/create.mdx b/website/content/commands/acl/role/create.mdx
index f97586c7e..37b3a9a00 100644
--- a/website/content/commands/acl/role/create.mdx
+++ b/website/content/commands/acl/role/create.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Role Create'
 
 Command: `consul acl role create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/role](/api-docs/acl/roles#create-a-role)
+
 The `acl role create` command creates new roles.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl role create [options] [args]`
diff --git a/website/content/commands/acl/role/delete.mdx b/website/content/commands/acl/role/delete.mdx
index 80762aa67..3f37cf51e 100644
--- a/website/content/commands/acl/role/delete.mdx
+++ b/website/content/commands/acl/role/delete.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Role Delete'
 
 Command: `consul acl role delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/role/:id](/api-docs/acl/roles#delete-a-role)
+
 The `acl role delete` command deletes a role. Roles may be deleted by their ID or by name.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl role delete [options]`
diff --git a/website/content/commands/acl/role/list.mdx b/website/content/commands/acl/role/list.mdx
index 9961d5d85..9ba9115ce 100644
--- a/website/content/commands/acl/role/list.mdx
+++ b/website/content/commands/acl/role/list.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Role List'
 
 Command: `consul acl role list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/roles](/api-docs/acl/roles#list-roles)
+
 The `acl role list` command lists all roles. By default it will not show metadata.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl role list`
diff --git a/website/content/commands/acl/role/read.mdx b/website/content/commands/acl/role/read.mdx
index a9d5416db..b28aa6bfd 100644
--- a/website/content/commands/acl/role/read.mdx
+++ b/website/content/commands/acl/role/read.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Role Read'
 
 Command: `consul acl role read`
 
+Corresponding HTTP API Endpoints: [\[GET\] /v1/acl/role/:id](/api-docs/acl/roles#read-a-role), [\[GET\] /v1/acl/role/name/:name](/api-docs/acl/roles#read-a-role-by-name)
+
 The `acl role read` command reads and displays a roles details.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl role read [options] [args]`
diff --git a/website/content/commands/acl/role/update.mdx b/website/content/commands/acl/role/update.mdx
index 99696e469..17469059c 100644
--- a/website/content/commands/acl/role/update.mdx
+++ b/website/content/commands/acl/role/update.mdx
@@ -7,12 +7,22 @@ page_title: 'Commands: ACL Role Update'
 
 Command: `consul acl role update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/role/:id](/api-docs/acl/roles#update-a-role)
+
 The `acl role update` command is used to update a role. The default operations is to merge the
 current role with those values provided to the command invocation. Therefore to
 update just one field, only the `-id` or `-name` options and the option to
 modify must be provided. Note that renaming roles requires both the `-id` and
 `-name` as the new name cannot yet be used to lookup the role.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl role update [options] [args]`
diff --git a/website/content/commands/acl/set-agent-token.mdx b/website/content/commands/acl/set-agent-token.mdx
index d5caa308c..af142a694 100644
--- a/website/content/commands/acl/set-agent-token.mdx
+++ b/website/content/commands/acl/set-agent-token.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: ACL Set Agent Token'
 
 Command: `consul acl set-agent-token`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/token/:type](/api-docs/agent#update-acl-tokens)
+
 This command updates the ACL tokens currently in use by the agent. It can be used to introduce
 ACL tokens to the agent for the first time, or to update tokens that were initially loaded from
 the agent's configuration. Tokens are not persisted unless
@@ -14,6 +16,14 @@ the agent's configuration. Tokens are not persisted unless
 is `true`, so tokens will need to be updated again if that option is `false` and
 the agent is restarted.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl set-agent-token [options] TYPE TOKEN`
diff --git a/website/content/commands/acl/token/clone.mdx b/website/content/commands/acl/token/clone.mdx
index 893bb56a7..2b7b3ca9b 100644
--- a/website/content/commands/acl/token/clone.mdx
+++ b/website/content/commands/acl/token/clone.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Token Clone'
 
 Command: `consul acl token clone`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/token/:AccessorID/clone](/api-docs/acl/tokens#clone-a-token)
+
 The `acl token clone` command clones an existing token.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl token clone [options]`
diff --git a/website/content/commands/acl/token/create.mdx b/website/content/commands/acl/token/create.mdx
index 760a3ee9e..b9e2e0ae1 100644
--- a/website/content/commands/acl/token/create.mdx
+++ b/website/content/commands/acl/token/create.mdx
@@ -7,10 +7,20 @@ page_title: 'Commands: ACL Token Create'
 
 Command: `consul acl token create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/token](/api-docs/acl/tokens#create-a-token)
+
 This command creates new tokens. When creating a new token, policies may be linked using
 either the `-policy-id` or the `-policy-name` options. When specifying policies by IDs you
 may use a unique prefix of the UUID as a shortcut for specifying the entire UUID.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl token create [options] [args]`
diff --git a/website/content/commands/acl/token/delete.mdx b/website/content/commands/acl/token/delete.mdx
index edd2e8ce0..20545e319 100644
--- a/website/content/commands/acl/token/delete.mdx
+++ b/website/content/commands/acl/token/delete.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Token Delete'
 
 Command: `consul acl token delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/acl/token/:AccessorID](/api-docs/acl/tokens#delete-a-token)
+
 The `acl token delete` command deletes a token.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl token delete [options]`
diff --git a/website/content/commands/acl/token/list.mdx b/website/content/commands/acl/token/list.mdx
index 2458a102e..0439dc7ed 100644
--- a/website/content/commands/acl/token/list.mdx
+++ b/website/content/commands/acl/token/list.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Token List'
 
 Command: `consul acl token list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/tokens](/api-docs/acl/tokens#list-tokens)
+
 The `acl token list` command lists all tokens. By default it will not show metadata.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl token list`
diff --git a/website/content/commands/acl/token/read.mdx b/website/content/commands/acl/token/read.mdx
index 584fbeed8..6d3aefadb 100644
--- a/website/content/commands/acl/token/read.mdx
+++ b/website/content/commands/acl/token/read.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: ACL Token Read'
 
 Command: `consul acl token read`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/token/:AccessorID](/api-docs/acl/tokens#read-a-token)
+
 The `acl token read` command reads and displays a token details.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ## Usage
 
 Usage: `consul acl token read [options] [args]`
diff --git a/website/content/commands/acl/token/update.mdx b/website/content/commands/acl/token/update.mdx
index 00947cea2..ca9c04e1f 100644
--- a/website/content/commands/acl/token/update.mdx
+++ b/website/content/commands/acl/token/update.mdx
@@ -7,9 +7,19 @@ page_title: 'Commands: ACL Token Update'
 
 Command: `consul acl token update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/acl/token/:AccessorID](/api-docs/acl/tokens#update-a-token)
+
 The `acl token update` command will update a token. Some parts of the token like whether the
 token is local to the datacenter cannot be changed.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:write`  |
+
 ## Usage
 
 Usage: `consul acl token update [options]`
diff --git a/website/content/commands/acl/translate-rules.mdx b/website/content/commands/acl/translate-rules.mdx
index 69994ccee..6501b56e0 100644
--- a/website/content/commands/acl/translate-rules.mdx
+++ b/website/content/commands/acl/translate-rules.mdx
@@ -10,8 +10,18 @@ It will be removed in a future major release when support for the legacy ACL sys
 
 Command: `consul acl translate-rules`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/acl/rules/translate/:accessor_id](/api-docs/acl#translate-a-legacy-token-s-rules)
+
 This command translates the legacy ACL rule syntax into the new syntax.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `acl:read`   |
+
 ### Usage
 
 Usage: `consul acl translate-rules [options] TRANSLATE`
diff --git a/website/content/commands/catalog/datacenters.mdx b/website/content/commands/catalog/datacenters.mdx
index a47b8a399..8d329b786 100644
--- a/website/content/commands/catalog/datacenters.mdx
+++ b/website/content/commands/catalog/datacenters.mdx
@@ -7,8 +7,18 @@ page_title: 'Commands: Catalog List Datacenters'
 
 Command: `consul catalog datacenters`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/catalog/datacenters](/api-docs/catalog#list-datacenters)
+
 The `catalog datacenters` command prints all known datacenters.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
+
 ## Examples
 
 List all datacenters:
diff --git a/website/content/commands/catalog/nodes.mdx b/website/content/commands/catalog/nodes.mdx
index ced2d9e8e..386948d29 100644
--- a/website/content/commands/catalog/nodes.mdx
+++ b/website/content/commands/catalog/nodes.mdx
@@ -7,10 +7,20 @@ page_title: 'Commands: Catalog List Nodes'
 
 Command: `consul catalog nodes`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/catalog/nodes](/api-docs/catalog#list-nodes)
+
 The `catalog nodes` command prints all known nodes and metadata about them.
 It can also query for nodes that match a particular metadata or provide a
 particular service.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `node:read`  |
+
 ## Examples
 
 List all nodes:
diff --git a/website/content/commands/catalog/services.mdx b/website/content/commands/catalog/services.mdx
index fac1ae858..8c414653c 100644
--- a/website/content/commands/catalog/services.mdx
+++ b/website/content/commands/catalog/services.mdx
@@ -7,10 +7,20 @@ page_title: 'Commands: Catalog List Services'
 
 Command: `consul catalog services`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/catalog/services](/api-docs/catalog#list-services)
+
 The `catalog services` command prints all known services. It can also query
 for services that match particular metadata or list the services that a
 particular node provides.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required   |
+| -------------- |
+| `service:read` |
+
 ## Examples
 
 List all services:
diff --git a/website/content/commands/config/delete.mdx b/website/content/commands/config/delete.mdx
index eda5c55d7..a869d17aa 100644
--- a/website/content/commands/config/delete.mdx
+++ b/website/content/commands/config/delete.mdx
@@ -7,10 +7,33 @@ page_title: 'Commands: Config Delete'
 
 Command: `consul config delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/config/:kind/:name](/api-docs/config#delete-configuration)
+
 The `config delete` command deletes the configuration entry specified by the
 kind and name. See the [configuration entries docs](/docs/agent/config-entries)
 for more details about configuration entries.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required<sup>1</sup>                                      |
+| ------------------------------------------------------------- |
+| `service:write`<br />`operator:write`<br />`intentions:write` |
+
+<sup>1</sup> The ACL required depends on the config entry kind being deleted:
+
+| Config Entry Kind   | Required ACL       |
+| ------------------- | ------------------ |
+| ingress-gateway     | `operator:write`   |
+| proxy-defaults      | `operator:write`   |
+| service-defaults    | `service:write`    |
+| service-intentions  | `intentions:write` |
+| service-resolver    | `service:write`    |
+| service-router      | `service:write`    |
+| service-splitter    | `service:write`    |
+| terminating-gateway | `operator:write `  |
+
 ## Usage
 
 Usage: `consul config delete [options]`
diff --git a/website/content/commands/config/list.mdx b/website/content/commands/config/list.mdx
index 64072dcf4..a2e5a7c49 100644
--- a/website/content/commands/config/list.mdx
+++ b/website/content/commands/config/list.mdx
@@ -7,10 +7,33 @@ page_title: 'Commands: Config List'
 
 Command: `consul config list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/config/:kind](/api-docs/config#list-configurations)
+
 The `config list` command lists all given config entries of the given kind.
 See the [configuration entries docs](/docs/agent/config-entries) for more
 details about configuration entries.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required<sup>1</sup>              |
+| ------------------------------------- |
+| `service:read`<br />`intentions:read` |
+
+<sup>1</sup> The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind   | Required ACL      |
+| ------------------- | ----------------- |
+| ingress-gateway     | `service:read`    |
+| proxy-defaults      | `<none>`          |
+| service-defaults    | `service:read`    |
+| service-intentions  | `intentions:read` |
+| service-resolver    | `service:read`    |
+| service-router      | `service:read`    |
+| service-splitter    | `service:read`    |
+| terminating-gateway | `service:read`    |
+
 ## Usage
 
 Usage: `consul config list [options]`
diff --git a/website/content/commands/config/read.mdx b/website/content/commands/config/read.mdx
index b9e1bd29f..3df4009b3 100644
--- a/website/content/commands/config/read.mdx
+++ b/website/content/commands/config/read.mdx
@@ -7,11 +7,34 @@ page_title: 'Commands: Config Read'
 
 Command: `consul config read`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/config/:kind/:name](/api-docs/config#get-configuration)
+
 The `config read` command reads the config entry specified by the given
 kind and name and outputs its JSON representation. See the
 [configuration entries docs](/docs/agent/config-entries) for more
 details about configuration entries.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required<sup>1</sup>              |
+| ------------------------------------- |
+| `service:read`<br />`intentions:read` |
+
+<sup>1</sup> The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind   | Required ACL      |
+| ------------------- | ----------------- |
+| ingress-gateway     | `service:read`    |
+| proxy-defaults      | `<none>`          |
+| service-defaults    | `service:read`    |
+| service-intentions  | `intentions:read` |
+| service-resolver    | `service:read`    |
+| service-router      | `service:read`    |
+| service-splitter    | `service:read`    |
+| terminating-gateway | `service:read`    |
+
 ## Usage
 
 Usage: `consul config read [options]`
diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx
index 36708694d..d577999b4 100644
--- a/website/content/commands/config/write.mdx
+++ b/website/content/commands/config/write.mdx
@@ -7,10 +7,36 @@ page_title: 'Commands: Config Write'
 
 Command: `consul config write`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/config](/api-docs/config#apply-configuration)
+
 The `config write` command creates or updates a centralized config entry.
 See the [configuration entries docs](/docs/agent/config-entries) for more
 details about configuration entries.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required<sup>1</sup>                                      |
+| ------------------------------------------------------------- |
+| `service:write`<br />`operator:write`<br />`intentions:write` |
+
+<p>
+  <sup>1</sup> The actual ACL required depends on the config entry kind being
+  updated:
+</p>
+
+| Config Entry Kind   | Required ACL       |
+| ------------------- | ------------------ |
+| ingress-gateway     | `operator:write`   |
+| proxy-defaults      | `operator:write`   |
+| service-defaults    | `service:write`    |
+| service-intentions  | `intentions:write` |
+| service-resolver    | `service:write`    |
+| service-router      | `service:write`    |
+| service-splitter    | `service:write`    |
+| terminating-gateway | `operator:write`   |
+
 ## Usage
 
 Usage: `consul config write [options] FILE`
diff --git a/website/content/commands/connect/ca.mdx b/website/content/commands/connect/ca.mdx
index 452c110ee..3b037ea4a 100644
--- a/website/content/commands/connect/ca.mdx
+++ b/website/content/commands/connect/ca.mdx
@@ -42,8 +42,18 @@ Subcommands:
 
 This command displays the current CA configuration.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul connect ca get-config [options]`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/ca/configuration](/api-docs/connect/ca#get-ca-configuration)
+
 #### API Options
 
 @include 'http_api_options_client.mdx'
@@ -67,8 +77,18 @@ Modifies the current CA configuration. If this results in a new root certificate
 being used, the [Root Rotation](/docs/connect/ca#root-certificate-rotation) process
 will be triggered.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul connect ca set-config [options]`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/connect/ca/configuration](/api-docs/connect/ca#update-ca-configuration)
+
 #### API Options
 
 @include 'http_api_options_client.mdx'
diff --git a/website/content/commands/event.mdx b/website/content/commands/event.mdx
index 5ae766951..2ca668049 100644
--- a/website/content/commands/event.mdx
+++ b/website/content/commands/event.mdx
@@ -13,6 +13,8 @@ description: >-
 
 Command: `consul event`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/event/fire/:name](/api-docs/event#fire-event)
+
 The `event` command provides a mechanism to fire a custom user event to an
 entire datacenter. These events are opaque to Consul, but they can be used
 to build scripting infrastructure to do automated deploys, restart services,
@@ -35,6 +37,14 @@ message. It is hard to give an exact number, as it depends on various
 parameters of the event, but the payload should be kept very small
 (< 100 bytes). Specifying too large of an event will return an error.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required  |
+| ------------- |
+| `event:write` |
+
 ## Usage
 
 Usage: `consul event [options] [payload]`
diff --git a/website/content/commands/exec.mdx b/website/content/commands/exec.mdx
index 8bae11c8f..2244a7d6e 100644
--- a/website/content/commands/exec.mdx
+++ b/website/content/commands/exec.mdx
@@ -40,7 +40,7 @@ execute this command.
 | `key:write`     | `"_rexec"` prefix |
 | `event:write`   | `"_rexec"` prefix |
 
-In addition to the above, the policy associated with the [agent token](https://www.consul.io/docs/security/acl/acl-system#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store.
+In addition to the above, the policy associated with the [agent token](/docs/security/acl/acl-system#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store.
 
 ## Usage
 
diff --git a/website/content/commands/force-leave.mdx b/website/content/commands/force-leave.mdx
index cbfb21082..f923b746f 100644
--- a/website/content/commands/force-leave.mdx
+++ b/website/content/commands/force-leave.mdx
@@ -11,6 +11,8 @@ description: >-
 
 Command: `consul force-leave`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/force-leave/:node](/api-docs/agent#force-leave-and-shutdown)
+
 The `force-leave` command forces a member of a Consul cluster to enter the
 "left" state. The purpose of this method is to force-remove a node that has failed or
 was shutdown without a [graceful leave](/commands/leave).
@@ -30,6 +32,14 @@ from the datacenter's member list nor from the raft configuration. Additionally,
 if the agent returns after transitioning to the "left" state, but before it is reaped
 from the member list, then it will rejoin the cluster.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 ## Usage
 
 Usage: `consul force-leave [options] node`
diff --git a/website/content/commands/intention/check.mdx b/website/content/commands/intention/check.mdx
index 346966160..a8641b653 100644
--- a/website/content/commands/intention/check.mdx
+++ b/website/content/commands/intention/check.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Intention Check'
 
 Command: `consul intention check`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/check](/api-docs/connect/intentions#check-intention-result)
+
 The `intention check` command checks whether a connection attempt between
 two services would be authorized given the current set of intentions and
 Consul configuration.
@@ -21,6 +23,23 @@ intention read permissions and don't evaluate the result.
 defined as _deny_ intentions during evaluation, as this endpoint is only suited
 for networking layer 4 (e.g. TCP) integration.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                  |
+| ----------------------------- |
+| `intentions:read`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 ## Usage
 
 Usage: `consul intention check [options] SRC DST`
diff --git a/website/content/commands/intention/create.mdx b/website/content/commands/intention/create.mdx
index c741bff51..37b70b92b 100644
--- a/website/content/commands/intention/create.mdx
+++ b/website/content/commands/intention/create.mdx
@@ -13,8 +13,27 @@ entry for the destination.
 
 Command: `consul intention create`
 
+Corresponding HTTP API Endpoint: [\[POST\] /v1/connect/intentions](/api-docs/connect/intentions#create-intention-with-id)
+
 The `intention create` command creates or updates an L4 intention.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                   |
+| ------------------------------ |
+| `intentions:write`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 ## Usage
 
 - `consul intention create [options] SRC DST`
diff --git a/website/content/commands/intention/delete.mdx b/website/content/commands/intention/delete.mdx
index a0f35af65..d2b58545e 100644
--- a/website/content/commands/intention/delete.mdx
+++ b/website/content/commands/intention/delete.mdx
@@ -7,8 +7,27 @@ page_title: 'Commands: Intention Delete'
 
 Command: `consul intention delete`
 
+Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name), [\[DELETE\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#delete-intention-by-id)
+
 The `intention delete` command deletes a matching intention.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                   |
+| ------------------------------ |
+| `intentions:write`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 -> **Deprecated** - The one argument form of this command is deprecated in
 Consul 1.9.0. Intentions no longer need IDs when represented as
 [`service-intentions`](/docs/connect/config-entries/service-intentions) config
diff --git a/website/content/commands/intention/get.mdx b/website/content/commands/intention/get.mdx
index c455028e6..b1252a1b4 100644
--- a/website/content/commands/intention/get.mdx
+++ b/website/content/commands/intention/get.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Intention Get'
 
 Command: `consul intention get`
 
+Corresponding HTTP API Endpoints: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions#read-specific-intention-by-name), [\[GET\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#read-specific-intention-by-id)
+
 The `intention get` command shows a single intention.
 
 -> **Deprecated** - The one argument form of this command is deprecated in
@@ -14,6 +16,23 @@ Consul 1.9.0. Intentions no longer need IDs when represented as
 [`service-intentions`](/docs/connect/config-entries/service-intentions) config
 entries.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                  |
+| ----------------------------- |
+| `intentions:read`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 ## Usage
 
 Usage:
diff --git a/website/content/commands/intention/list.mdx b/website/content/commands/intention/list.mdx
index f742f6e31..03dd93248 100644
--- a/website/content/commands/intention/list.mdx
+++ b/website/content/commands/intention/list.mdx
@@ -7,8 +7,27 @@ page_title: 'Commands: Intention List'
 
 Command: `consul intention list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/connect/intentions#list-intentions)
+
 The `intention list` command shows all intentions including ID and precedence.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                  |
+| ----------------------------- |
+| `intentions:read`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 ## Usage
 
 Usage:
diff --git a/website/content/commands/intention/match.mdx b/website/content/commands/intention/match.mdx
index 99ad3d32b..49694551a 100644
--- a/website/content/commands/intention/match.mdx
+++ b/website/content/commands/intention/match.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Intention Match'
 
 Command: `consul intention match`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/match](/api-docs/connect/intentions#list-matching-intentions)
+
 The `intention match` command shows the list of intentions that match
 a given source or destination. The list of intentions is listed in evaluation
 order: the first intention that matches a request would be evaluated.
@@ -14,6 +16,23 @@ order: the first intention that matches a request would be evaluated.
 The [check](/commands/intention/check) command can be used to
 check whether an L4 connection would be authorized between any two services.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                  |
+| ----------------------------- |
+| `intentions:read`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> Intention ACL rules are specified as part of a{' '}
+  <code>service</code> rule. See{' '}
+  <a href="/docs/connect/intentions#intention-management-permissions">
+    Intention Management Permissions
+  </a>{' '}
+  for more details.
+</p>
+
 ## Usage
 
 Usage: `consul intention match [options] SRC_OR_DST`
diff --git a/website/content/commands/join.mdx b/website/content/commands/join.mdx
index 8968ace5f..218419135 100644
--- a/website/content/commands/join.mdx
+++ b/website/content/commands/join.mdx
@@ -12,6 +12,8 @@ description: >-
 
 Command: `consul join`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/join/:address](/api-docs/agent#join-agent)
+
 The `join` command tells a Consul agent to join an existing cluster.
 A new Consul agent may join any node in the existing cluster. After joining
 with one member, the gossip communication will propagate the updated membership
@@ -20,6 +22,14 @@ state across the cluster.
 An agent which is already part of a cluster may join an agent in a different
 cluster, causing the two clusters to be merged into a single cluster.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required  |
+| ------------- |
+| `agent:write` |
+
 ## Usage
 
 Usage: `consul join [options] address ...`
diff --git a/website/content/commands/keyring.mdx b/website/content/commands/keyring.mdx
index 168a46ca6..0d50260f9 100644
--- a/website/content/commands/keyring.mdx
+++ b/website/content/commands/keyring.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Keyring'
 
 Command: `consul keyring`
 
+Corresponding HTTP API Endpoints: [\[VARIES\] /v1/operator/keyring](/api-docs/operator/keyring)
+
 The `keyring` command is used to examine and modify the encryption keys used in
 Consul's [Gossip Pools](/docs/internals/gossip). It is capable of
 distributing new encryption keys to the cluster, retiring old encryption keys,
@@ -27,6 +29,19 @@ All variations of the `keyring` command return 0 if all nodes reply and there
 are no errors. If any node fails to reply or reports failure, the exit code
 will be 1.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required<sup>1</sup>            |
+| ----------------------------------- |
+| `keyring:read`<br />`keyring:write` |
+
+<p>
+  <sup>1</sup> The actual ACL required depends on the flags being used in the
+  command.
+</p>
+
 ## Usage
 
 Usage: `consul keyring [options]`
diff --git a/website/content/commands/kv/delete.mdx b/website/content/commands/kv/delete.mdx
index 7c5092108..6789fa810 100644
--- a/website/content/commands/kv/delete.mdx
+++ b/website/content/commands/kv/delete.mdx
@@ -7,9 +7,19 @@ page_title: 'Commands: KV Delete'
 
 Command: `consul kv delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/kv/:key](/api-docs/kv#delete-key)
+
 The `kv delete` command removes the value from Consul's KV store at the
 given path. If no key exists at the path, no action is taken.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:write`  |
+
 ## Usage
 
 Usage: `consul kv delete [options] KEY_OR_PREFIX`
diff --git a/website/content/commands/kv/export.mdx b/website/content/commands/kv/export.mdx
index ce6f1e6bf..97f675966 100644
--- a/website/content/commands/kv/export.mdx
+++ b/website/content/commands/kv/export.mdx
@@ -12,6 +12,14 @@ prefix from Consul's KV store, and write a JSON representation to
 stdout. This can be used with the command "consul kv import" to move entire
 trees between Consul clusters.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:read`   |
+
 ## Usage
 
 Usage: `consul kv export [options] [PREFIX]`
diff --git a/website/content/commands/kv/get.mdx b/website/content/commands/kv/get.mdx
index 924ddf1a0..044e557bb 100644
--- a/website/content/commands/kv/get.mdx
+++ b/website/content/commands/kv/get.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: KV Get'
 
 Command: `consul kv get`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/kv/:key](/api-docs/kv#read-key)
+
 The `kv get` command is used to retrieve the value from Consul's KV
 store at the given key name. If no key exists with that name, an error is
 returned. If a key exists with that name but has no data, nothing is returned.
@@ -18,6 +20,14 @@ can be used with [`kv import`](/commands/kv/import) to move entire trees between
 Consul clusters. Alternatively, the [transaction API](/api-docs/txn) provides
 support for performing up to 64 KV operations atomically.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:read`   |
+
 ## Usage
 
 Usage: `consul kv get [options] [KEY_OR_PREFIX]`
diff --git a/website/content/commands/kv/import.mdx b/website/content/commands/kv/import.mdx
index 6c5f1f1ee..ab9acf229 100644
--- a/website/content/commands/kv/import.mdx
+++ b/website/content/commands/kv/import.mdx
@@ -10,6 +10,14 @@ Command: `consul kv import`
 The `kv import` command is used to import KV pairs from the JSON representation
 generated by the `kv export` command.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:write`  |
+
 ## Usage
 
 Usage: `consul kv import [options] [DATA]`
diff --git a/website/content/commands/kv/put.mdx b/website/content/commands/kv/put.mdx
index 0f8929176..5fcf13586 100644
--- a/website/content/commands/kv/put.mdx
+++ b/website/content/commands/kv/put.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: KV Put'
 
 Command: `consul kv put`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/kv/:key](/api-docs/kv#create-update-key)
+
 The `kv put` command writes the data to the given path in the KV store.
 
 -> **Note**: When writing multiple entries at once, consider using
@@ -14,6 +16,14 @@ The `kv put` command writes the data to the given path in the KV store.
 [transaction API](/api-docs/txn) provides support for performing up to
 64 KV operations atomically.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:write`  |
+
 ## Usage
 
 Usage: `consul kv put [options] KEY [DATA]`
diff --git a/website/content/commands/leave.mdx b/website/content/commands/leave.mdx
index 020c3380e..527a617bf 100644
--- a/website/content/commands/leave.mdx
+++ b/website/content/commands/leave.mdx
@@ -11,6 +11,8 @@ description: >-
 
 Command: `consul leave`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/leave](/api-docs/agent#graceful-leave-and-shutdown)
+
 The `leave` command triggers a graceful leave and shutdown of the agent.
 It is used to ensure other nodes see the agent as "left" instead of
 "failed". Nodes that leave will not attempt to re-join the cluster
@@ -23,6 +25,14 @@ non-graceful leave can affect cluster availability.
 Running `consul leave` on a server explicitly will reduce the quorum size. Even if the cluster used `bootstrap_expect` to set a quorum size initially, issuing `consul leave` on a server will reconfigure the cluster to have fewer servers.
 This means you could end up with just one server that is still able to commit writes because quorum is only 1, but those writes might be lost if that server fails before more are added.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required  |
+| ------------- |
+| `agent:write` |
+
 ## Usage
 
 Usage: `consul leave [options]`
diff --git a/website/content/commands/license.mdx b/website/content/commands/license.mdx
index 133e2f0db..e8073e844 100644
--- a/website/content/commands/license.mdx
+++ b/website/content/commands/license.mdx
@@ -14,7 +14,7 @@ Command: `consul license`
 
 The `license` command provides a datacenter-level view of the Consul Enterprise license. This was added
 in Consul 1.1.0 but Consul 1.10.0 removed the ability to set and reset the license using the CLI.
-See the [licensing documentation](/docs/enterprise/license/overview) for more information about 
+See the [licensing documentation](/docs/enterprise/license/overview) for more information about
 Consul Enterprise license management.
 
 If ACLs are enabled then a token with operator privileges may be required in
@@ -44,9 +44,9 @@ Usage: consul license <subcommand> [options] [args]
   Retrieve the current license:
 
       $ consul license get
-      
+
   Inspect a license:
-  
+
       $ consul license inspect "<path to license file>"
 
   Reset the current license:
@@ -66,7 +66,7 @@ Subcommands:
 ## inspect
 
 This command inspects and validates a license. Just like a Consul agent it
-can load the license from a file on disk or from the `CONSUL_LICENSE` and 
+can load the license from a file on disk or from the `CONSUL_LICENSE` and
 `CONSUL_LICENSE_PATH` environment variables.
 
 Usage: `consul license inspect [<options>] [<license file>]`
@@ -117,14 +117,25 @@ Features:
 License is valid
 
 ```
+
 ## put
 
 -> **Deprecated** The ability to manage the cluster's license via the CLI
 was removed in Consul 1.10. While the CLI command still exists it will
 always return an error. This command will be fully removed in a future release.
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/license](/api-docs/operator/license#updating-the-consul-license)
+
 This command sets the Consul Enterprise license.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul license put [options] LICENSE`
 
 #### API Options
@@ -153,8 +164,18 @@ Licensed Features:
 
 ## get
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/license](/api-docs/operator/license#getting-the-consul-license)
+
 This command gets the Consul Enterprise license.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
+
 Usage: `consul license get [options]`
 
 #### API Options
@@ -187,9 +208,19 @@ Licensed Features:
 was removed in Consul 1.10. While the CLI command still exists it will
 always return an error. This command will be fully removed in a future release.
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/operator/license](/api-docs/operator/license#resetting-the-consul-license)
+
 Resets license for the datacenter to the one builtin in Consul binary, if it is still valid.
 If the builtin license is invalid, the current one stays active.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul license reset [options]`
 
 #### API Options
diff --git a/website/content/commands/login.mdx b/website/content/commands/login.mdx
index a19cf0ec9..ff04c51a4 100644
--- a/website/content/commands/login.mdx
+++ b/website/content/commands/login.mdx
@@ -10,11 +10,21 @@ description: >
 
 Command: `consul login`
 
+Corresponding HTTP API Endpoint: [\[POST\] /v1/acl/login](/api-docs/acl#login-to-auth-method)
+
 The `login` command will exchange the provided third party credentials with the
 requested auth method for a newly minted Consul ACL token. The companion
 command `consul logout` should be used to destroy any tokens created this way
 to avoid a resource leak.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
+
 ## Usage
 
 Usage: `consul login [options]`
diff --git a/website/content/commands/logout.mdx b/website/content/commands/logout.mdx
index ced33c583..4c0af4a97 100644
--- a/website/content/commands/logout.mdx
+++ b/website/content/commands/logout.mdx
@@ -10,9 +10,19 @@ description: >
 
 Command: `consul logout`
 
+Corresponding HTTP API Endpoint: [\[POST\] /v1/acl/logout](/api-docs/acl#logout-from-auth-method)
+
 The `logout` command will destroy the provided token if it was created from
 `consul login`.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
+
 ## Usage
 
 Usage: `consul logout [options]`
diff --git a/website/content/commands/maint.mdx b/website/content/commands/maint.mdx
index 16e517e12..221e7e67d 100644
--- a/website/content/commands/maint.mdx
+++ b/website/content/commands/maint.mdx
@@ -9,6 +9,8 @@ description: |
 
 Command: `consul maint`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/maintenance](/api-docs/agent#enable-maintenance-mode)
+
 The `maint` command provides control of service maintenance mode.
 Using the command, it is possible to mark a service provided by a node or all the services on the
 node as a whole as "under maintenance". In this mode of operation, the service
@@ -19,6 +21,14 @@ Under the hood, maintenance mode is activated by registering a health check in
 critical status against a service, and deactivated by deregistering the
 health check.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `node:write` |
+
 ## Usage
 
 Usage: `consul maint [options]`
diff --git a/website/content/commands/members.mdx b/website/content/commands/members.mdx
index 5819f70a4..98a1ac58b 100644
--- a/website/content/commands/members.mdx
+++ b/website/content/commands/members.mdx
@@ -11,6 +11,8 @@ description: >-
 
 Command: `consul members`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/agent/members](/api-docs/agent#list-members)
+
 The `members` command outputs the current list of members that a Consul
 agent knows about, along with their state. The state of a node can only
 be "alive", "left", or "failed".
@@ -19,6 +21,14 @@ Nodes in the "failed" state are still listed because Consul attempts to
 reconnect with failed nodes for a certain amount of time in the case
 that the failure is actually just a network partition.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `node:read`  |
+
 ## Usage
 
 Usage: `consul members [options]`
diff --git a/website/content/commands/namespace/create.mdx b/website/content/commands/namespace/create.mdx
index f79db884a..ccadc6204 100644
--- a/website/content/commands/namespace/create.mdx
+++ b/website/content/commands/namespace/create.mdx
@@ -7,11 +7,21 @@ page_title: 'Commands: Namespace Create'
 
 Command: `consul namespace create`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace](/api-docs/namespaces#create-a-namespace)
+
 <EnterpriseAlert />
 
 This `namespace create` command creates a namespaces using the CLI parameters provided.
 This was added in Consul Enterprise 1.7.2.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 ## Usage
 
 Usage: `consul namespace create -name <namespace name> [options]`
diff --git a/website/content/commands/namespace/delete.mdx b/website/content/commands/namespace/delete.mdx
index 3bd4afab9..95fd4b9e9 100644
--- a/website/content/commands/namespace/delete.mdx
+++ b/website/content/commands/namespace/delete.mdx
@@ -7,11 +7,21 @@ page_title: 'Commands: Namespace Delete'
 
 Command: `consul namespace delete`
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/namespace/:name](/api-docs/namespaces#delete-a-namespace)
+
 <EnterpriseAlert />
 
 This `namespace delete` command deletes a namespace. This was added in Consul Enterprise 1.7.0. If
 ACLs are enabled then this command will require a token with `operator:write` privileges.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 ## Usage
 
 Usage: `consul namespace delete <name>`
diff --git a/website/content/commands/namespace/list.mdx b/website/content/commands/namespace/list.mdx
index fdbbb25d8..1ce45328c 100644
--- a/website/content/commands/namespace/list.mdx
+++ b/website/content/commands/namespace/list.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Namespace List'
 
 Command: `consul namespace list`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/namespaces](/api-docs/namespaces#list-all-namespaces)
+
 <EnterpriseAlert />
 
 This `namespace list` command lists all namespace configurations. This was added in Consul Enterprise 1.7.0. If
@@ -14,6 +16,17 @@ ACLs are enabled then this command will require a token with `operator:read` pri
 within the target namespaces. The results will be filtered based on the ACL token and therefore it is possible to
 see a partial list.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                                      |
+| ------------------------------------------------- |
+| `operator:read` or `namespace:*:read`<sup>1</sup> |
+
+<sup>1</sup> Access can be granted to list the Namespace if the token used when making
+the request has been granted any access in the namespace (read, list or write).
+
 ## Usage
 
 Usage: `consul namespace list`
diff --git a/website/content/commands/namespace/read.mdx b/website/content/commands/namespace/read.mdx
index d114a8eaf..b008977b7 100644
--- a/website/content/commands/namespace/read.mdx
+++ b/website/content/commands/namespace/read.mdx
@@ -7,12 +7,25 @@ page_title: 'Commands: Namespace Read'
 
 Command: `consul namespace read`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/namespace/:name](/api-docs/namespaces#read-a-namespace)
+
 <EnterpriseAlert />
 
 This `namespace read` command reads a namespaces configuration. This was added in Consul Enterprise 1.7.0. If
 ACLs are enabled then this command will require a token with `operator:read` privileges or any `read` privileges
 within the target namespace.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required                                      |
+| ------------------------------------------------- |
+| `operator:read` or `namespace:*:read`<sup>1</sup> |
+
+<sup>1</sup> Access can be granted to list the Namespace if the token used when making
+the request has been granted any access in the namespace (read, list or write).
+
 ## Usage
 
 Usage: `consul namespace read <name>`
diff --git a/website/content/commands/namespace/update.mdx b/website/content/commands/namespace/update.mdx
index b2c79f9bf..bcbb571b4 100644
--- a/website/content/commands/namespace/update.mdx
+++ b/website/content/commands/namespace/update.mdx
@@ -7,11 +7,21 @@ page_title: 'Commands: Namespace Update'
 
 Command: `consul namespace update`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespaces#update-a-namespace)
+
 <EnterpriseAlert />
 
 This `namespace update` command updates a namespaces using the CLI parameters provided.
 This was added in Consul Enterprise 1.7.2.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 ## Usage
 
 Usage: `consul namespace update -name <namespace name> [options]`
diff --git a/website/content/commands/namespace/write.mdx b/website/content/commands/namespace/write.mdx
index 31f0a9a38..1fe3e5d69 100644
--- a/website/content/commands/namespace/write.mdx
+++ b/website/content/commands/namespace/write.mdx
@@ -7,10 +7,20 @@ page_title: 'Commands: Namespace Write'
 
 Command: `consul namespace write`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespaces#update-a-namespace)
+
 <EnterpriseAlert />
 
 This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 ## Usage
 
 Usage: `consul namespace write <namespace definition>`
diff --git a/website/content/commands/operator/area.mdx b/website/content/commands/operator/area.mdx
index 590d33678..0bd927e24 100644
--- a/website/content/commands/operator/area.mdx
+++ b/website/content/commands/operator/area.mdx
@@ -47,8 +47,18 @@ read or write privileges to use these commands.
 
 ## create
 
+Corresponding HTTP API Endpoint: [\[POST\] /v1/operator/area](/api-docs/operator/area#create-network-area)
+
 This command creates a new network area.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator area create [options]`
 
 #### API Options
@@ -79,8 +89,18 @@ The return code will indicate success or failure.
 
 ## delete
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/operator/area/:uuid](/api-docs/operator/area#delete-network-area)
+
 This command deletes an existing network area.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator area delete [options]`
 
 #### API Options
@@ -107,9 +127,19 @@ The return code will indicate success or failure.
 
 ## join
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/area/:uuid/join](/api-docs/operator/area#join-network-area)
+
 This command joins Consul servers into an existing network area by address, such as
 an IP or hostname with an optional port. Multiple addresses may be given.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator area join [options] ADDRESSES`
 
 #### API Options
@@ -142,8 +172,18 @@ The return code will indicate success or failure.
 
 ## list
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/area](/api-docs/operator/area#list-network-areas)
+
 This command lists all network areas.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `operator:read` |
+
 Usage: `consul operator area list [options]`
 
 #### API Options
@@ -170,9 +210,19 @@ The return code will indicate success or failure.
 
 ## members
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/area/:uuid/members](/api-docs/operator/area#list-network-area-members)
+
 This command displays Consul server nodes present in a network area, or all
 areas if no area is specified.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `operator:read` |
+
 Usage: `consul operator area members [options]`
 
 #### API Options
@@ -225,8 +275,18 @@ The return code will indicate success or failure.
 
 ## update
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/area/:uuid](/api-docs/operator/area#update-network-area)
+
 This command updates the configuration of network area.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator area update [options]`
 
 #### API Options
diff --git a/website/content/commands/operator/autopilot.mdx b/website/content/commands/operator/autopilot.mdx
index a0949b9bc..ccd395b35 100644
--- a/website/content/commands/operator/autopilot.mdx
+++ b/website/content/commands/operator/autopilot.mdx
@@ -28,8 +28,18 @@ Subcommands:
 
 ## get-config
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/autopilot/configuration](/api-docs/operator/autopilot#read-configuration)
+
 This command displays the current autopilot configuration.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `operator:read` |
+
 Usage: `consul operator autopilot get-config [options]`
 
 #### API Options
@@ -53,8 +63,18 @@ UpgradeMigrationTag = ""
 
 ## set-config
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/operator/autopilot/configuration](/api-docs/operator/autopilot#update-configuration)
+
 Modifies the current Autopilot configuration.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator autopilot set-config [options]`
 
 #### API Options
@@ -101,8 +121,18 @@ The return code will indicate success or failure.
 
 ## state
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/operator/autopilot/state](/api-docs/operator/autopilot#read-the-autopilot-state)
+
 This command displays the current autopilot state.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `operator:read` |
+
 Usage: `consul operator autopilot state [options]`
 
 #### API Options
diff --git a/website/content/commands/operator/raft.mdx b/website/content/commands/operator/raft.mdx
index 5d8db1fc5..2f10cac74 100644
--- a/website/content/commands/operator/raft.mdx
+++ b/website/content/commands/operator/raft.mdx
@@ -29,8 +29,18 @@ Subcommands:
 
 ## list-peers
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/status/peers](/api-docs/status#list-raft-peers)
+
 This command displays the current Raft peer configuration.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `none`       |
+
 Usage: `consul operator raft list-peers -stale=[true|false]`
 
 - `-stale` - Optional and defaults to "false" which means the leader provides
@@ -62,6 +72,8 @@ configuration.
 
 ## remove-peer
 
+Corresponding HTTP API Endpoint: [\[DELETE\] /v1/operator/raft/peer](/api-docs/operator/raft#delete-raft-peer)
+
 This command removes the Consul server with given address from the Raft configuration.
 
 There are rare cases where a peer may be left behind in the Raft configuration
@@ -73,6 +85,14 @@ clean up by simply running
 [`consul force-leave`](/commands/force-leave)
 instead of this command.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required     |
+| ---------------- |
+| `operator:write` |
+
 Usage: `consul operator raft remove-peer -address="IP:port"`
 
 - `-address` - "IP:port" for the server to remove. The port number is usually
diff --git a/website/content/commands/reload.mdx b/website/content/commands/reload.mdx
index 930dc8746..def20e377 100644
--- a/website/content/commands/reload.mdx
+++ b/website/content/commands/reload.mdx
@@ -8,6 +8,8 @@ description: The `reload` command triggers a reload of configuration files for t
 
 Command: `consul reload`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/reload](/api-docs/agent#reload-agent)
+
 The `reload` command triggers a reload of configuration files for the agent.
 
 The `SIGHUP` signal is usually used to trigger a reload of configurations,
@@ -23,6 +25,14 @@ Not all configuration options are reloadable. See the
 [Reloadable Configuration](/docs/agent/options#reloadable-configuration)
 section on the agent options page for details on which options are supported.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required  |
+| ------------- |
+| `agent:write` |
+
 ## Usage
 
 Usage: `consul reload`
diff --git a/website/content/commands/rtt.mdx b/website/content/commands/rtt.mdx
index 49294bb2b..9eed062c9 100644
--- a/website/content/commands/rtt.mdx
+++ b/website/content/commands/rtt.mdx
@@ -9,12 +9,26 @@ description: |
 
 Command: `consul rtt`
 
+Corresponding HTTP API Endpoints: [\[GET\] /v1/coordinate/datacenters](/api-docs/coordinate#read-wan-coordinates), [\[GET\] /v1/coordinate/nodes](/api-docs/coordinate#read-lan-coordinates-for-all-nodes)
+
 The `rtt` command estimates the network round trip time between two nodes using
 Consul's network coordinate model of the cluster.
 
 See the [Network Coordinates](/docs/internals/coordinates) internals guide
 for more information on how these coordinates are computed.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required            |
+| ----------------------- |
+| `node:read`<sup>1</sup> |
+
+<p>
+  <sup>1</sup> When referencing WAN coordinates, no ACL permission is needed.
+</p>
+
 ## Usage
 
 Usage: `consul rtt [options] node1 [node2]`
diff --git a/website/content/commands/services/deregister.mdx b/website/content/commands/services/deregister.mdx
index a6e3fd996..d3442d8d3 100644
--- a/website/content/commands/services/deregister.mdx
+++ b/website/content/commands/services/deregister.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Services Deregister'
 
 Command: `consul services deregister`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/service/deregister/:service_id](/api-docs/agent/service#deregister-service)
+
 The `services deregister` command deregisters a service with the local agent.
 Note that this command can only deregister services that were registered
 with the agent specified (defaults to the local agent) and is meant to
@@ -18,6 +20,14 @@ registered with a configuration file, then deleting that file and
 deregister. See [Service Definition](/docs/agent/services) for more
 information about registering services generally.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `service:write` |
+
 ## Usage
 
 Usage: `consul services deregister [options] [FILE...]`
diff --git a/website/content/commands/services/register.mdx b/website/content/commands/services/register.mdx
index 70e686f79..27b7494df 100644
--- a/website/content/commands/services/register.mdx
+++ b/website/content/commands/services/register.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Services Register'
 
 Command: `consul services register`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/agent/service/register](/api-docs/agent/service#register-service)
+
 The `services register` command registers a service with the local agent.
 This command returns after registration and must be paired with explicit
 service deregistration. This command simplifies service registration from
@@ -20,6 +22,14 @@ configuration management systems that other systems that have access to
 the configuration directory. Clients may also use the
 [HTTP API](/api/agent/service) directly.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required    |
+| --------------- |
+| `service:write` |
+
 ## Usage
 
 Usage: `consul services register [options] [FILE...]`
diff --git a/website/content/commands/snapshot/restore.mdx b/website/content/commands/snapshot/restore.mdx
index 89e4ba394..bc7d68fa1 100644
--- a/website/content/commands/snapshot/restore.mdx
+++ b/website/content/commands/snapshot/restore.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Snapshot Restore'
 
 Command: `consul snapshot restore`
 
+Corresponding HTTP API Endpoint: [\[PUT\] /v1/snapshot](/api-docs/snapshot#restore-snapshot)
+
 The `snapshot restore` command is used to restore an atomic, point-in-time
 snapshot of the state of the Consul servers which includes key/value entries,
 service catalog, prepared queries, sessions, and ACLs. The snapshot is read
@@ -17,8 +19,13 @@ designed to handle server failures during a restore. This command is primarily
 intended to be used when recovering from a disaster, restoring into a fresh
 cluster of Consul servers.
 
-If ACLs are enabled, a management token must be supplied in order to perform
-a snapshot restore.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `management` |
 
 ## Usage
 
diff --git a/website/content/commands/snapshot/save.mdx b/website/content/commands/snapshot/save.mdx
index ecb355735..38b9a2708 100644
--- a/website/content/commands/snapshot/save.mdx
+++ b/website/content/commands/snapshot/save.mdx
@@ -7,6 +7,8 @@ page_title: 'Commands: Snapshot Save'
 
 Command: `consul snapshot save`
 
+Corresponding HTTP API Endpoint: [\[GET\] /v1/snapshot](/api-docs/snapshot#generate-snapshot)
+
 The `snapshot save` command is used to retrieve an atomic, point-in-time snapshot
 of the state of the Consul servers which includes key/value entries,
 service catalog, prepared queries, sessions, and ACLs. The snapshot is saved to
@@ -25,6 +27,14 @@ the CLI client attempting to perform a snapshot save will have no effect. It _mu
 the context of the server process. If you're using Systemd to manage your Consul server
 processes, then adding `Environment=TMPDIR=/path/to/dir` to your Consul unit file will work.
 
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `management` |
+
 ## Usage
 
 Usage: `consul snapshot save [options] FILE`