diff --git a/website/content/api-docs/config.mdx b/website/content/api-docs/config.mdx
index 3c49e0c8d3..96e6a7b4de 100644
--- a/website/content/api-docs/config.mdx
+++ b/website/content/api-docs/config.mdx
@@ -31,25 +31,32 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | ------------------------------------------------- |
-| `NO` | `none` | `none` | `service:write`
`operator:write`1 |
-
-
- 1 The ACL required depends on the config entry kind being updated:
-
-
-| Config Entry Kind | Required ACL |
-| ------------------- | ------------------ |
-| ingress-gateway | `operator:write` |
-| proxy-defaults | `operator:write` |
-| service-defaults | `service:write` |
-| service-intentions | `intentions:write` |
-| service-resolver | `service:write` |
-| service-router | `service:write` |
-| service-splitter | `service:write` |
-| terminating-gateway | `operator:write` |
+| `NO` | `none` | `none` | Refer to [Permissions](#permissions) |
The corresponding CLI command is [`consul config write`](/consul/commands/config/write).
+### Permissions
+
+The ACL required depends on the config entry being written:
+
+| Config Entry Kind | Required ACLs |
+| ------------------- | -------------------------------- |
+| api-gateway | `mesh:write` or `operator:write` |
+| bound-api-gateway | Not writable. |
+| exported-services | `mesh:write` or `operator:write` |
+| http-route | `mesh:write` or `operator:write` |
+| ingress-gateway | `mesh:write` or `operator:write` |
+| inline-certificate | `mesh:write` or `operator:write` |
+| mesh | `mesh:write` or `operator:write` |
+| proxy-defaults | `mesh:write` or `operator:write` |
+| service-defaults | `service:write` |
+| service-intentions | `intentions:write` |
+| service-resolver | `service:write` |
+| service-router | `service:write` |
+| service-splitter | `service:write` |
+| tcp-route | `mesh:write` or `operator:write` |
+| terminating-gateway | `mesh:write` or `operator:write` |
+
### Query Parameters
- `dc` `(string: "")` - Specifies the datacenter to query.
@@ -96,25 +103,35 @@ The table below shows this endpoint's support for
[agent caching](/consul/api-docs/features/caching), and
[required ACLs](/consul/api-docs/api-structure#authentication).
-| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
-| ---------------- | ----------------- | ------------- | -------------------------- |
-| `YES` | `all` | `none` | `service:read`1 |
-
-1 The ACL required depends on the config entry kind being read:
+| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
+| ---------------- | ----------------- | ------------- | -------------------------------------- |
+| `YES` | `all` | `none` | Refer to [Permissions](#permissions-1) |
-| Config Entry Kind | Required ACL |
-| ------------------- | ----------------- |
-| ingress-gateway | `service:read` |
-| proxy-defaults | `` |
-| service-defaults | `service:read` |
-| service-intentions | `intentions:read` |
-| service-resolver | `service:read` |
-| service-router | `service:read` |
-| service-splitter | `service:read` |
-| terminating-gateway | `service:read` |
The corresponding CLI command is [`consul config read`](/consul/commands/config/read).
+### Permissions
+
+The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind | Required ACLs |
+| ------------------- | -------------------------------- |
+| api-gateway | `service:read` |
+| bound-api-gateway | `service:read` |
+| exported-services | `mesh:read` or `operator:read` |
+| http-route | `mesh:read` or `operator:read` |
+| ingress-gateway | `service:read` |
+| inline-certificate | `mesh:read` or `operator:read` |
+| mesh | No ACL required |
+| proxy-defaults | No ACL required |
+| service-defaults | `service:read` |
+| service-intentions | `intentions:read` |
+| service-resolver | `service:read` |
+| service-router | `service:read` |
+| service-splitter | `service:read` |
+| tcp-route | `mesh:read` or `operator:read` |
+| terminating-gateway | `service:read` |
+
### Path Parameters
- `kind` `(string: )` - Specifies the kind of the entry to read.
@@ -167,22 +184,31 @@ The table below shows this endpoint's support for
[agent caching](/consul/api-docs/features/caching), and
[required ACLs](/consul/api-docs/api-structure#authentication).
-| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
-| ---------------- | ----------------- | ------------- | -------------------------- |
-| `YES` | `all` | `none` | `service:read`1 |
-
-1 The ACL required depends on the config entry kind being read:
-
-| Config Entry Kind | Required ACL |
-| ------------------- | ----------------- |
-| ingress-gateway | `service:read` |
-| proxy-defaults | `` |
-| service-defaults | `service:read` |
-| service-intentions | `intentions:read` |
-| service-resolver | `service:read` |
-| service-router | `service:read` |
-| service-splitter | `service:read` |
-| terminating-gateway | `service:read` |
+| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
+| ---------------- | ----------------- | ------------- | -------------------------------------- |
+| `YES` | `all` | `none` | Refer to [Permissions](#permissions-2) |
+
+### Permissions
+
+The ACL required depends on the config entry kind being read:
+
+| Config Entry Kind | Required ACLs |
+| ------------------- | -------------------------------- |
+| api-gateway | `service:read` |
+| bound-api-gateway | `service:read` |
+| exported-services | `mesh:read` or `operator:read` |
+| http-route | `mesh:read` or `operator:read` |
+| ingress-gateway | `service:read` |
+| inline-certificate | `mesh:read` or `operator:read` |
+| mesh | No ACL required |
+| proxy-defaults | No ACL required |
+| service-defaults | `service:read` |
+| service-intentions | `intentions:read` |
+| service-resolver | `service:read` |
+| service-router | `service:read` |
+| service-splitter | `service:read` |
+| tcp-route | `mesh:read` or `operator:read` |
+| terminating-gateway | `service:read` |
The corresponding CLI command is [`consul config list`](/consul/commands/config/list).
@@ -243,20 +269,29 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | ------------------------------------------------- |
-| `NO` | `none` | `none` | `service:write`
`operator:write`1 |
-
-1 The ACL required depends on the config entry kind being deleted:
-
-| Config Entry Kind | Required ACL |
-| ------------------- | ------------------ |
-| ingress-gateway | `operator:write` |
-| proxy-defaults | `operator:write` |
-| service-defaults | `service:write` |
-| service-intentions | `intentions:write` |
-| service-resolver | `service:write` |
-| service-router | `service:write` |
-| service-splitter | `service:write` |
-| terminating-gateway | `operator:write ` |
+| `NO` | `none` | `none` | Refer to [Permissions](#permissions-3) |
+
+### Permissions
+
+The ACL required depends on the config entry kind being deleted:
+
+| Config Entry Kind | Required ACLs |
+| ------------------- | -------------------------------- |
+| api-gateway | `mesh:write` or `operator:write` |
+| bound-api-gateway | Not writable. |
+| exported-services | `mesh:write` or `operator:write` |
+| http-route | `mesh:write` or `operator:write` |
+| ingress-gateway | `mesh:write` or `operator:write` |
+| inline-certificate | `mesh:write` or `operator:write` |
+| mesh | `mesh:write` or `operator:write` |
+| proxy-defaults | `mesh:write` or `operator:write` |
+| service-defaults | `service:write` |
+| service-intentions | `intentions:write` |
+| service-resolver | `service:write` |
+| service-router | `service:write` |
+| service-splitter | `service:write` |
+| tcp-route | `mesh:write` or `operator:write` |
+| terminating-gateway | `mesh:write` or `operator:write` |
The corresponding CLI command is [`consul config delete`](/consul/commands/config/delete).