--- layout: commands page_title: 'Commands: Intention Check' --- # Consul Intention Check Command: `consul intention check` The `intention check` command checks whether a connection attempt between two services would be authorized given the current set of intentions and Consul configuration. This command requires less ACL permissions than other intention-related tasks because no information about the intention is revealed. Therefore, callers only need to have `service:read` access for the destination. Richer commands like [match](/commands/intention/match) require full intention read permissions and don't evaluate the result. -> **Note:** This command will always treat intentions with `Permissions` defined as _deny_ intentions during evaluation, as this endpoint is only suited for networking layer 4 (e.g. TCP) integration. ## Usage Usage: `consul intention check [options] SRC DST` `SRC` and `DST` can both take [several forms](/commands/intention#source-and-destination-naming). #### API Options @include 'http_api_options_client.mdx' #### Enterprise Options @include 'http_api_namespace_options.mdx' @include 'http_api_partition_options.mdx' ## Examples ```shell-session $ consul intention check web db Denied $ consul intention check web billing Allowed ```