diff --git a/auth/mtls/mtls.go b/auth/mtls/mtls.go
index 76d34c04..ca12f180 100644
--- a/auth/mtls/mtls.go
+++ b/auth/mtls/mtls.go
@@ -36,10 +36,16 @@ var (
 type CredentialsLoader interface {
 // LoadClientCA returns a CertPool which should be used by a server to
 // validate client certificates.
+// NOTE: The pool returned here will be the only pool used to validate certificates.
+// Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
+// with any custom certificates appended.
 LoadClientCA(context.Context) (*x509.CertPool, error)
 // LoadRootCA returns a CertPool which should be used by clients to
 // validate server certificates.
+// NOTE: The pool returned here will be the only pool used to validate certificates.
+// Inclusion of system certificates should be done by copying from x509.SystemCertPool(),
+// with any custom certificates appended.
 LoadRootCA(context.Context) (*x509.CertPool, error)
 // LoadClientCertificates returns the certificate that should be presented