diff --git a/agent/session_endpoint.go b/agent/session_endpoint.go
index d1b6dd7cf1..8e76d577ab 100644
--- a/agent/session_endpoint.go
+++ b/agent/session_endpoint.go
@@ -47,6 +47,10 @@ func (s *HTTPHandlers) SessionCreate(resp http.ResponseWriter, req *http.Request
 
 	fixupEmptySessionChecks(&args.Session)
 
+	if (s.agent.config.Datacenter != args.Datacenter) && (!s.agent.config.ServerMode) {
+		return nil, fmt.Errorf("cross datacenter lock must be created at server agent")
+	}
+
 	// Create the session, get the ID
 	var out string
 	if err := s.agent.RPC("Session.Apply", &args, &out); err != nil {
diff --git a/website/content/commands/lock.mdx b/website/content/commands/lock.mdx
index 8abf4c12cd..fb80f65547 100644
--- a/website/content/commands/lock.mdx
+++ b/website/content/commands/lock.mdx
@@ -24,6 +24,8 @@ If the lock holder count is more than one, then a semaphore is used instead.
 A semaphore allows more than a single holder, but this is less efficient than
 a simple lock. This follows the [semaphore algorithm](https://learn.hashicorp.com/consul/developer-configuration/semaphore).
 
+To apply a lock to a remote WAN federated datacenter, run the command with the `-datacenter=<name>` flag on a server agent. You cannot use the command with `-datacenter` on client agents because they are unavailable to the remote datacenter.
+
 All locks using the same prefix must agree on the value of `-n`. If conflicting
 values of `-n` are provided, an error will be returned.