diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index 0342d1fd4..b52abc732 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -1106,6 +1106,9 @@ func (s *HTTPServer) agentLocalBlockingQuery(resp http.ResponseWriter, hash stri
 // AgentConnectAuthorize
 //
 // POST /v1/agent/connect/authorize
+//
+// Note: when this logic changes, consider if the Intention.Test RPC method
+// also needs to be updated.
 func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
 	// Fetch the token
 	var token string
diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go
index 7662ea852..2bae56f5e 100644
--- a/agent/consul/intention_endpoint.go
+++ b/agent/consul/intention_endpoint.go
@@ -256,6 +256,10 @@ func (s *Intention) Match(
 
 // Test tests a source/destination and returns whether it would be allowed
 // or denied based on the current ACL configuration.
+//
+// Note: Whenever the logic for this method is changed, you should take
+// a look at the agent authorize endpoint (agent/agent_endpoint.go) since
+// the logic there is similar.
 func (s *Intention) Test(
 	args *structs.IntentionQueryRequest,
 	reply *structs.IntentionQueryTestResponse) error {