diff --git a/api/system-current.txt b/api/system-current.txt
index 28dcd155467c3..5f2e1f2a85251 100755
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -1771,6 +1771,7 @@ package android.content {
   }
 
   public abstract class ContentResolver {
+    method public int checkUriPermission(@NonNull android.net.Uri, int, int);
     method @NonNull public static android.net.Uri decodeFromFile(@NonNull java.io.File);
     method @NonNull public static java.io.File encodeToFile(@NonNull android.net.Uri);
     method @Nullable @RequiresPermission("android.permission.CACHE_CONTENT") public android.os.Bundle getCache(@NonNull android.net.Uri);
diff --git a/core/java/android/content/ContentProvider.java b/core/java/android/content/ContentProvider.java
index d8e8b27d06216..65eb642369c95 100644
--- a/core/java/android/content/ContentProvider.java
+++ b/core/java/android/content/ContentProvider.java
@@ -1585,6 +1585,10 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
      * This method is typically used when the provider implements more dynamic
      * access controls that cannot be expressed with {@code <path-permission>}
      * style static rules.
+     * <p>
+     * Because validation of these dynamic access controls has significant
+     * system health impact, this feature is only available to providers that
+     * are built into the system.
      *
      * @param uri the {@link Uri} to perform an access check on.
      * @param uid the UID to check the permission for.
diff --git a/core/java/android/content/ContentResolver.java b/core/java/android/content/ContentResolver.java
index b134c3796b406..7510ce73a59a9 100644
--- a/core/java/android/content/ContentResolver.java
+++ b/core/java/android/content/ContentResolver.java
@@ -1357,8 +1357,28 @@ public abstract class ContentResolver implements ContentInterface {
         }
     }
 
-    /** {@hide} */
+    /**
+     * Perform a detailed internal check on a {@link Uri} to determine if a UID
+     * is able to access it with specific mode flags.
+     * <p>
+     * This method is typically used when the provider implements more dynamic
+     * access controls that cannot be expressed with {@code <path-permission>}
+     * style static rules.
+     * <p>
+     * Because validation of these dynamic access controls has significant
+     * system health impact, this feature is only available to providers that
+     * are built into the system.
+     *
+     * @param uri the {@link Uri} to perform an access check on.
+     * @param uid the UID to check the permission for.
+     * @param modeFlags the access flags to use for the access check, such as
+     *            {@link Intent#FLAG_GRANT_READ_URI_PERMISSION}.
+     * @return {@link PackageManager#PERMISSION_GRANTED} if access is allowed,
+     *         otherwise {@link PackageManager#PERMISSION_DENIED}.
+     * @hide
+     */
     @Override
+    @SystemApi
     public int checkUriPermission(@NonNull Uri uri, int uid, @Intent.AccessUriMode int modeFlags) {
         Objects.requireNonNull(uri, "uri");