diff --git a/pages/spicedb/getting-started/client-libraries.mdx b/pages/spicedb/getting-started/client-libraries.mdx
index f233e28..760b760 100644
--- a/pages/spicedb/getting-started/client-libraries.mdx
+++ b/pages/spicedb/getting-started/client-libraries.mdx
@@ -16,6 +16,19 @@ the primary documentation for the gRPC API is in the [buf documentation] for Spi
 The gRPC client documentation associated with each host language will also be helpful for putting together invocations.
 Additionally, there are `example` directories in the client libraries that provide example usages.
 
+## Local Development
+
+When developing locally with SpiceDB running without TLS, you'll need to configure insecure credentials:
+
+- **Node.js**: `v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS`
+- **Python**: `insecure_bearer_token_credentials()`
+- **Go**: `grpcutil.WithInsecureBearerToken()` and `grpc.WithTransportCredentials(insecure.NewCredentials())`
+- **Ruby**: `credentials: :this_channel_is_insecure`
+- **Java**: `.usePlaintext()`
+- **Dotnet**: `ChannelCredentials.Insecure` with `UnsafeUseInsecureChannelCallCredentials = true`
+
+See the [Protecting a Blog Application](./protecting-a-blog#checking-permissions) guide for examples.
+
 ## HTTP Clients
 
 SpiceDB exposes an HTTP API when run with the `--http-enabled` flag.
diff --git a/pages/spicedb/getting-started/protecting-a-blog.mdx b/pages/spicedb/getting-started/protecting-a-blog.mdx
index 9df7d3c..d8627ae 100644
--- a/pages/spicedb/getting-started/protecting-a-blog.mdx
+++ b/pages/spicedb/getting-started/protecting-a-blog.mdx
@@ -730,6 +730,18 @@ When doing a permission check, in order to get read-after-write consistency, you
 
 The following examples demonstrate the transitive property of checks:
 
+<Callout type="info">
+When developing locally with SpiceDB without TLS, use insecure credentials in your client library:
+- **Node.js**: `INSECURE_PLAINTEXT_CREDENTIALS`
+- **Python**: `insecure_bearer_token_credentials()`
+- **Go**: `grpcutil.WithInsecureBearerToken()` and `grpc.WithTransportCredentials(insecure.NewCredentials())`
+- **Ruby**: `credentials: :this_channel_is_insecure`
+- **Java**: `.usePlaintext()`
+- **Dotnet**: `ChannelCredentials.Insecure` with `UnsafeUseInsecureChannelCallCredentials = true`
+
+This applies to localhost, Docker, Orbstack, and other local environments. Always switch to secure credentials before production deployment.
+</Callout>
+
 <Tabs items={['zed', 'Node', 'Go', 'Python', 'Ruby', 'Java']}>
 <Tabs.Tab>
 
@@ -749,7 +761,7 @@ import { v1 } from '@authzed/authzed-node';
 const { promises: client } = v1.NewClient(
   't_your_token_here_1234567deadbeef',
   'grpc.authzed.com:50051',
-  // NOTE: Remove if SpiceDB is behind TLS
+  // For local development without TLS
   v1.ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS
 );