diff --git a/website/content/docs/api-clients/client-cache.mdx b/website/content/docs/api-clients/client-cache.mdx
index 2c041b2588..7a2a5a3877 100644
--- a/website/content/docs/api-clients/client-cache.mdx
+++ b/website/content/docs/api-clients/client-cache.mdx
@@ -23,6 +23,15 @@ When you use the `search` command, however, Boundary searches the local cache to
 
 For more information, refer to the [`search`](/boundary/docs/commands/search) command documentation.
 
+<Note>
+
+The `search` operation only displays the resources that you have read permissions to view.
+If you are logged in as a user who does not have the permissions to view a resource, it does not display in the list of results.
+
+For more information, refer to [Identity and access management (IAM)](/boundary/docs/concepts/iam).
+
+</Note>
+
 ## Client cache management
 
 The Boundary client daemon starts automatically in the background when a user runs a CLI command that interacts with a Boundary instance.
diff --git a/website/content/docs/commands/daemon/add-token.mdx b/website/content/docs/commands/daemon/add-token.mdx
index dc06a08854..3e8c501911 100644
--- a/website/content/docs/commands/daemon/add-token.mdx
+++ b/website/content/docs/commands/daemon/add-token.mdx
@@ -17,6 +17,16 @@ If you authenticate to multiple Boundary instances, the client cache stores mult
 
 By adding auth tokens to your client cache, you can select which specific Boundary instance you want to search.
 
+<Note>
+
+The `search` operation only displays the resources that you have permissions to view.
+You must have the `read` or `read:self` grant on the auth token to successfully add it.
+If you are logged in as a user who does not have the permissions to view a resource, it does not display in the list of results.
+
+For more information, refer to [Identity and access management (IAM)](/boundary/docs/concepts/iam).
+
+</Note>
+
 ## Examples
 
 The following command adds an auth token to the client cache from your keyring: