diff --git a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
index baa2f6530..861adba16 100644
--- a/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/AppEngineCredentials.java
@@ -79,18 +79,32 @@ class AppEngineCredentials extends GoogleCredentials implements ServiceAccountSi
   private transient Method getSignature;
   private transient String account;
 
-  AppEngineCredentials(Collection<String> scopes) throws IOException {
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
+  AppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
+      throws IOException {
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableList.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
     this.scopesRequired = this.scopes.isEmpty();
     init();
   }
 
-  AppEngineCredentials(Collection<String> scopes, AppEngineCredentials unscoped) {
+  AppEngineCredentials(
+      Collection<String> scopes, Collection<String> defaultScopes, AppEngineCredentials unscoped) {
     this.appIdentityService = unscoped.appIdentityService;
     this.getAccessToken = unscoped.getAccessToken;
     this.getAccessTokenResult = unscoped.getAccessTokenResult;
     this.getExpirationTime = unscoped.getExpirationTime;
-    this.scopes = scopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(scopes);
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      this.scopes =
+          defaultScopes == null ? ImmutableSet.<String>of() : ImmutableList.copyOf(defaultScopes);
+    } else {
+      this.scopes = ImmutableList.copyOf(scopes);
+    }
     this.scopesRequired = this.scopes.isEmpty();
   }
 
@@ -145,7 +159,13 @@ public boolean createScopedRequired() {
 
   @Override
   public GoogleCredentials createScoped(Collection<String> scopes) {
-    return new AppEngineCredentials(scopes, this);
+    return new AppEngineCredentials(scopes, null, this);
+  }
+
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return new AppEngineCredentials(scopes, defaultScopes, this);
   }
 
   @Override
diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index ede42cee9..01988d1f4 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -109,14 +109,22 @@ public class ComputeEngineCredentials extends GoogleCredentials
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
+   *     collection. Default scopes are ignored if scopes are provided.
    */
   private ComputeEngineCredentials(
-      HttpTransportFactory transportFactory, Collection<String> scopes) {
+      HttpTransportFactory transportFactory,
+      Collection<String> scopes,
+      Collection<String> defaultScopes) {
     this.transportFactory =
         firstNonNull(
             transportFactory,
             getFromServiceLoader(HttpTransportFactory.class, OAuth2Utils.HTTP_TRANSPORT_FACTORY));
     this.transportFactoryClassName = this.transportFactory.getClass().getName();
+    // Use defaultScopes only when scopes don't exist.
+    if (scopes == null || scopes.isEmpty()) {
+      scopes = defaultScopes;
+    }
     if (scopes == null) {
       this.scopes = ImmutableSet.<String>of();
     } else {
@@ -129,7 +137,14 @@ private ComputeEngineCredentials(
   /** Clones the compute engine account with the specified scopes. */
   @Override
   public GoogleCredentials createScoped(Collection<String> newScopes) {
-    return new ComputeEngineCredentials(this.transportFactory, newScopes);
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, null);
+  }
+
+  /** Clones the compute engine account with the specified scopes. */
+  @Override
+  public GoogleCredentials createScoped(
+      Collection<String> newScopes, Collection<String> newDefaultScopes) {
+    return new ComputeEngineCredentials(this.transportFactory, newScopes, newDefaultScopes);
   }
 
   /**
@@ -138,7 +153,7 @@ public GoogleCredentials createScoped(Collection<String> newScopes) {
    * @return new ComputeEngineCredentials
    */
   public static ComputeEngineCredentials create() {
-    return new ComputeEngineCredentials(null, null);
+    return new ComputeEngineCredentials(null, null, null);
   }
 
   public final Collection<String> getScopes() {
@@ -465,7 +480,7 @@ public Collection<String> getScopes() {
     }
 
     public ComputeEngineCredentials build() {
-      return new ComputeEngineCredentials(transportFactory, scopes);
+      return new ComputeEngineCredentials(transportFactory, scopes, null);
     }
   }
 }
diff --git a/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java b/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
index 78ad73066..12fff6a37 100644
--- a/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
+++ b/oauth2_http/java/com/google/auth/oauth2/DefaultCredentialsProvider.java
@@ -301,7 +301,8 @@ private GoogleCredentials tryGetAppEngineCredential() throws IOException {
     if (!onAppEngine) {
       return null;
     }
-    return new AppEngineCredentials(Collections.<String>emptyList());
+    return new AppEngineCredentials(
+        Collections.<String>emptyList(), Collections.<String>emptyList());
   }
 
   private final GoogleCredentials tryGetComputeCredentials(HttpTransportFactory transportFactory) {
diff --git a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
index 3e61e5d60..5a215322f 100644
--- a/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/GoogleCredentials.java
@@ -235,6 +235,20 @@ public GoogleCredentials createScoped(Collection<String> scopes) {
     return this;
   }
 
+  /**
+   * If the credentials support scopes, creates a copy of the the identity with the specified scopes
+   * and default scopes; otherwise, returns the same instance. This is mainly used by client
+   * libraries.
+   *
+   * @param scopes Collection of scopes to request.
+   * @param defaultScopes Collection of default scopes to request.
+   * @return GoogleCredentials with requested scopes.
+   */
+  public GoogleCredentials createScoped(
+      Collection<String> scopes, Collection<String> defaultScopes) {
+    return this;
+  }
+
   /**
    * If the credentials support scopes, creates a copy of the the identity with the specified
    * scopes; otherwise, returns the same instance.
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index e12f8d412..aa9043611 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -53,6 +53,7 @@
 import com.google.api.client.util.PemReader.Section;
 import com.google.api.client.util.Preconditions;
 import com.google.api.client.util.SecurityUtils;
+import com.google.auth.RequestMetadataCallback;
 import com.google.auth.ServiceAccountSigner;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.common.annotations.VisibleForTesting;
@@ -80,6 +81,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.concurrent.Executor;
 
 /**
  * OAuth2 credentials representing a Service Account for calling Google APIs.
@@ -104,27 +106,29 @@ public class ServiceAccountCredentials extends GoogleCredentials
   private final String transportFactoryClassName;
   private final URI tokenServerUri;
   private final Collection<String> scopes;
+  private final Collection<String> defaultScopes;
   private final String quotaProjectId;
   private final int lifetime;
 
   private transient HttpTransportFactory transportFactory;
+  private transient ServiceAccountJwtAccessCredentials jwtCredentials = null;
 
   /**
    * Constructor with minimum identifying information and custom HTTP transport.
    *
-   * @param clientId Client ID of the service account from the console. May be null.
-   * @param clientEmail Client email address of the service account from the console.
-   * @param privateKey RSA private key object for the service account.
-   * @param privateKeyId Private key identifier for the service account. May be null.
-   * @param scopes Scope strings for the APIs to be called. May be null or an empty collection,
-   *     which results in a credential that must have createScoped called before use.
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
+   * @param privateKey RSA private key object for the service account
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty.
    * @param transportFactory HTTP transport factory, creates the transport used to get access
    *     tokens.
    * @param tokenServerUri URI of the end point that provides tokens.
-   * @param serviceAccountUser Email of the user account to impersonate, if delegating domain-wide
+   * @param serviceAccountUser email of the user account to impersonate, if delegating domain-wide
    *     authority to the service account.
    * @param projectId the project used for billing
-   * @param quotaProjectId The project used for quota and billing purposes. May be null.
+   * @param quotaProjectId the project used for quota and billing purposes. May be null.
    * @param lifetime number of seconds the access token should be valid for. The value should be at
    *     most 43200 (12 hours). If the token is used for calling a Google API, then the value should
    *     be at most 3600 (1 hour). If the given value is 0, then the default value 3600 will be used
@@ -136,6 +140,7 @@ public class ServiceAccountCredentials extends GoogleCredentials
       PrivateKey privateKey,
       String privateKeyId,
       Collection<String> scopes,
+      Collection<String> defaultScopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String serviceAccountUser,
@@ -147,6 +152,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
     this.privateKey = Preconditions.checkNotNull(privateKey);
     this.privateKeyId = privateKeyId;
     this.scopes = (scopes == null) ? ImmutableSet.<String>of() : ImmutableSet.copyOf(scopes);
+    this.defaultScopes =
+        (defaultScopes == null) ? ImmutableSet.<String>of() : ImmutableSet.copyOf(defaultScopes);
     this.transportFactory =
         firstNonNull(
             transportFactory,
@@ -160,6 +167,18 @@ public class ServiceAccountCredentials extends GoogleCredentials
       throw new IllegalStateException("lifetime must be less than or equal to 43200");
     }
     this.lifetime = lifetime;
+
+    // Use self signed JWT if scopes is not set, see https://google.aip.dev/auth/4111.
+    if (this.scopes.isEmpty()) {
+      jwtCredentials =
+          new ServiceAccountJwtAccessCredentials.Builder()
+              .setClientEmail(clientEmail)
+              .setClientId(clientId)
+              .setPrivateKey(privateKey)
+              .setPrivateKeyId(privateKeyId)
+              .setQuotaProjectId(quotaProjectId)
+              .build();
+    }
   }
 
   /**
@@ -204,6 +223,7 @@ static ServiceAccountCredentials fromJson(
         privateKeyPkcs8,
         privateKeyId,
         null,
+        null,
         transportFactory,
         tokenServerUriFromCreds,
         null,
@@ -231,7 +251,51 @@ public static ServiceAccountCredentials fromPkcs8(
       Collection<String> scopes)
       throws IOException {
     return fromPkcs8(
-        clientId, clientEmail, privateKeyPkcs8, privateKeyId, scopes, null, null, null, null, null);
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information using PKCS#8 for the private key.
+   *
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty.
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
+        null,
+        null,
+        null,
+        null,
+        null);
   }
 
   /**
@@ -265,6 +329,49 @@ public static ServiceAccountCredentials fromPkcs8(
         privateKeyPkcs8,
         privateKeyId,
         scopes,
+        null,
+        transportFactory,
+        tokenServerUri,
+        null,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information and custom transport using PKCS#8 for the private
+   * key.
+   *
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
+   *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
+   * @param transportFactory HTTP transport factory, creates the transport used to get access
+   *     tokens.
+   * @param tokenServerUri URI of the end point that provides tokens
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes,
+      HttpTransportFactory transportFactory,
+      URI tokenServerUri)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         null,
@@ -306,6 +413,52 @@ public static ServiceAccountCredentials fromPkcs8(
         privateKeyPkcs8,
         privateKeyId,
         scopes,
+        null,
+        transportFactory,
+        tokenServerUri,
+        serviceAccountUser,
+        null,
+        null);
+  }
+
+  /**
+   * Factory with minimum identifying information and custom transport using PKCS#8 for the private
+   * key.
+   *
+   * @param clientId client ID of the service account from the console. May be null.
+   * @param clientEmail client email address of the service account from the console
+   * @param privateKeyPkcs8 RSA private key object for the service account in PKCS#8 format.
+   * @param privateKeyId private key identifier for the service account. May be null.
+   * @param scopes scope strings for the APIs to be called. May be null or an empty collection,
+   *     which results in a credential that must have createScoped called before use.
+   * @param defaultScopes default scope strings for the APIs to be called. May be null or an empty
+   *     collection, which results in a credential that must have createScoped called before use.
+   * @param transportFactory HTTP transport factory, creates the transport used to get access
+   *     tokens.
+   * @param tokenServerUri URI of the end point that provides tokens
+   * @param serviceAccountUser the email of the user account to impersonate, if delegating
+   *     domain-wide authority to the service account.
+   * @return new ServiceAccountCredentials created from a private key
+   * @throws IOException if the credential cannot be created from the private key
+   */
+  public static ServiceAccountCredentials fromPkcs8(
+      String clientId,
+      String clientEmail,
+      String privateKeyPkcs8,
+      String privateKeyId,
+      Collection<String> scopes,
+      Collection<String> defaultScopes,
+      HttpTransportFactory transportFactory,
+      URI tokenServerUri,
+      String serviceAccountUser)
+      throws IOException {
+    return fromPkcs8(
+        clientId,
+        clientEmail,
+        privateKeyPkcs8,
+        privateKeyId,
+        scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -319,6 +472,7 @@ static ServiceAccountCredentials fromPkcs8(
       String privateKeyPkcs8,
       String privateKeyId,
       Collection<String> scopes,
+      Collection<String> defaultScopes,
       HttpTransportFactory transportFactory,
       URI tokenServerUri,
       String serviceAccountUser,
@@ -332,6 +486,7 @@ static ServiceAccountCredentials fromPkcs8(
         privateKey,
         privateKeyId,
         scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -411,12 +566,6 @@ public static ServiceAccountCredentials fromStream(
    */
   @Override
   public AccessToken refreshAccessToken() throws IOException {
-    if (createScopedRequired()) {
-      throw new IOException(
-          "Scopes not configured for service account. Scoped should be specified"
-              + " by calling createScoped or passing scopes to constructor.");
-    }
-
     JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
     long currentTime = clock.currentTimeMillis();
     String assertion = createAssertion(jsonFactory, currentTime, tokenServerUri.toString());
@@ -501,10 +650,14 @@ public IdToken idTokenWithAudience(String targetAudience, List<Option> options)
     return IdToken.create(rawToken);
   }
 
-  /** Returns whether the scopes are empty, meaning createScoped must be called before use. */
+  /**
+   * Clones the service account with the specified scopes.
+   *
+   * <p>Should be called before use for instances with empty scopes.
+   */
   @Override
-  public boolean createScopedRequired() {
-    return scopes.isEmpty();
+  public GoogleCredentials createScoped(Collection<String> newScopes) {
+    return createScoped(newScopes, null);
   }
 
   /**
@@ -513,13 +666,15 @@ public boolean createScopedRequired() {
    * <p>Should be called before use for instances with empty scopes.
    */
   @Override
-  public GoogleCredentials createScoped(Collection<String> newScopes) {
+  public GoogleCredentials createScoped(
+      Collection<String> newScopes, Collection<String> newDefaultScopes) {
     return new ServiceAccountCredentials(
         clientId,
         clientEmail,
         privateKey,
         privateKeyId,
         newScopes,
+        newDefaultScopes,
         transportFactory,
         tokenServerUri,
         serviceAccountUser,
@@ -549,6 +704,7 @@ public GoogleCredentials createDelegated(String user) {
         privateKey,
         privateKeyId,
         scopes,
+        defaultScopes,
         transportFactory,
         tokenServerUri,
         user,
@@ -577,6 +733,10 @@ public final Collection<String> getScopes() {
     return scopes;
   }
 
+  public final Collection<String> getDefaultScopes() {
+    return defaultScopes;
+  }
+
   public final String getServiceAccountUser() {
     return serviceAccountUser;
   }
@@ -649,6 +809,7 @@ public int hashCode() {
         transportFactoryClassName,
         tokenServerUri,
         scopes,
+        defaultScopes,
         quotaProjectId,
         lifetime);
   }
@@ -662,6 +823,7 @@ public String toString() {
         .add("transportFactoryClassName", transportFactoryClassName)
         .add("tokenServerUri", tokenServerUri)
         .add("scopes", scopes)
+        .add("defaultScopes", defaultScopes)
         .add("serviceAccountUser", serviceAccountUser)
         .add("quotaProjectId", quotaProjectId)
         .add("lifetime", lifetime)
@@ -681,6 +843,7 @@ public boolean equals(Object obj) {
         && Objects.equals(this.transportFactoryClassName, other.transportFactoryClassName)
         && Objects.equals(this.tokenServerUri, other.tokenServerUri)
         && Objects.equals(this.scopes, other.scopes)
+        && Objects.equals(this.defaultScopes, other.defaultScopes)
         && Objects.equals(this.quotaProjectId, other.quotaProjectId)
         && Objects.equals(this.lifetime, other.lifetime);
   }
@@ -697,7 +860,11 @@ String createAssertion(JsonFactory jsonFactory, long currentTime, String audienc
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
     payload.setExpirationTimeSeconds(currentTime / 1000 + this.lifetime);
     payload.setSubject(serviceAccountUser);
-    payload.put("scope", Joiner.on(' ').join(scopes));
+    if (scopes.isEmpty()) {
+      payload.put("scope", Joiner.on(' ').join(defaultScopes));
+    } else {
+      payload.put("scope", Joiner.on(' ').join(scopes));
+    }
 
     if (audience == null) {
       payload.setAudience(OAuth2Utils.TOKEN_SERVER_URI.toString());
@@ -748,6 +915,32 @@ String createAssertionForIdToken(
     }
   }
 
+  @Override
+  public void getRequestMetadata(
+      final URI uri, Executor executor, final RequestMetadataCallback callback) {
+    if (jwtCredentials != null && uri != null) {
+      jwtCredentials.getRequestMetadata(uri, executor, callback);
+    } else {
+      super.getRequestMetadata(uri, executor, callback);
+    }
+  }
+
+  /** Provide the request metadata by putting an access JWT directly in the metadata. */
+  @Override
+  public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    if (scopes.isEmpty() && defaultScopes.isEmpty() && uri == null) {
+      throw new IOException(
+          "Scopes and uri are not configured for service account. Either pass uri"
+              + " to getRequestMetadata to use self signed JWT, or specify the scopes"
+              + " by calling createScoped or passing scopes to constructor.");
+    }
+    if (jwtCredentials != null && uri != null) {
+      return jwtCredentials.getRequestMetadata(uri);
+    } else {
+      return super.getRequestMetadata(uri);
+    }
+  }
+
   @SuppressWarnings("unused")
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
     // properly deserialize the transient transportFactory
@@ -778,6 +971,7 @@ public static class Builder extends GoogleCredentials.Builder {
     private String projectId;
     private URI tokenServerUri;
     private Collection<String> scopes;
+    private Collection<String> defaultScopes;
     private HttpTransportFactory transportFactory;
     private String quotaProjectId;
     private int lifetime = DEFAULT_LIFETIME_IN_SECONDS;
@@ -790,6 +984,7 @@ protected Builder(ServiceAccountCredentials credentials) {
       this.privateKey = credentials.privateKey;
       this.privateKeyId = credentials.privateKeyId;
       this.scopes = credentials.scopes;
+      this.defaultScopes = credentials.defaultScopes;
       this.transportFactory = credentials.transportFactory;
       this.tokenServerUri = credentials.tokenServerUri;
       this.serviceAccountUser = credentials.serviceAccountUser;
@@ -820,6 +1015,13 @@ public Builder setPrivateKeyId(String privateKeyId) {
 
     public Builder setScopes(Collection<String> scopes) {
       this.scopes = scopes;
+      this.defaultScopes = ImmutableSet.<String>of();
+      return this;
+    }
+
+    public Builder setScopes(Collection<String> scopes, Collection<String> defaultScopes) {
+      this.scopes = scopes;
+      this.defaultScopes = defaultScopes;
       return this;
     }
 
@@ -873,6 +1075,10 @@ public Collection<String> getScopes() {
       return scopes;
     }
 
+    public Collection<String> getDefaultScopes() {
+      return defaultScopes;
+    }
+
     public String getServiceAccountUser() {
       return serviceAccountUser;
     }
@@ -904,6 +1110,7 @@ public ServiceAccountCredentials build() {
           privateKey,
           privateKeyId,
           scopes,
+          defaultScopes,
           transportFactory,
           tokenServerUri,
           serviceAccountUser,
diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
index 707b657a7..c4f024256 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java
@@ -54,6 +54,7 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
@@ -331,17 +332,35 @@ public boolean hasRequestMetadataOnly() {
     return true;
   }
 
+  /**
+   * Self signed JWT uses uri as audience, which should have the "https://{host}/" format. For
+   * instance, if the uri is "https://compute.googleapis.com/compute/v1/projects/", then this
+   * function returns "https://compute.googleapis.com/".
+   */
+  @VisibleForTesting
+  static URI getUriForSelfSignedJWT(URI uri) {
+    if (uri == null) {
+      return uri;
+    }
+    try {
+      return new URI(uri.getScheme(), uri.getHost(), "/", null);
+    } catch (URISyntaxException unused) {
+      return uri;
+    }
+  }
+
   @Override
   public void getRequestMetadata(
       final URI uri, Executor executor, final RequestMetadataCallback callback) {
     // It doesn't use network. Only some CPU work on par with TLS handshake. So it's preferrable
     // to do it in the current thread, which is likely to be the network thread.
-    blockingGetToCallback(uri, callback);
+    blockingGetToCallback(getUriForSelfSignedJWT(uri), callback);
   }
 
   /** Provide the request metadata by putting an access JWT directly in the metadata. */
   @Override
   public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
+    uri = getUriForSelfSignedJWT(uri);
     if (uri == null) {
       if (defaultAudience != null) {
         uri = defaultAudience;
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
index a13522a60..82b76d879 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AppEngineCredentialsTest.java
@@ -62,6 +62,8 @@ public class AppEngineCredentialsTest extends BaseSerializationTest {
 
   private static final Collection<String> SCOPES =
       Collections.unmodifiableCollection(Arrays.asList("scope1", "scope2"));
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.unmodifiableCollection(Arrays.asList("scope3"));
 
   @Test
   public void constructor_usesAppIdentityService() throws IOException {
@@ -130,6 +132,25 @@ public void createScoped_clonesWithScopes() throws IOException {
     assertEquals(EXPECTED_EXPIRATION_DATE, accessToken.getExpirationTime());
   }
 
+  @Test
+  public void createScoped_defaultScopes() throws IOException {
+    TestAppEngineCredentials credentials = new TestAppEngineCredentials(null);
+    assertTrue(credentials.createScopedRequired());
+
+    GoogleCredentials newCredentials = credentials.createScoped(null, DEFAULT_SCOPES);
+    assertFalse(newCredentials.createScopedRequired());
+
+    newCredentials = credentials.createScoped(SCOPES, null);
+    assertFalse(newCredentials.createScopedRequired());
+
+    newCredentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
+    assertFalse(newCredentials.createScopedRequired());
+
+    AccessToken accessToken = newCredentials.refreshAccessToken();
+    assertEquals(EXPECTED_ACCESS_TOKEN, accessToken.getTokenValue());
+    assertEquals(EXPECTED_EXPIRATION_DATE, accessToken.getExpirationTime());
+  }
+
   @Test
   public void equals_true() throws IOException {
     GoogleCredentials credentials = new TestAppEngineCredentials(SCOPES);
@@ -246,7 +267,12 @@ private static class TestAppEngineCredentials extends AppEngineCredentials {
     private List<String> forNameArgs;
 
     TestAppEngineCredentials(Collection<String> scopes) throws IOException {
-      super(scopes);
+      super(scopes, null);
+    }
+
+    TestAppEngineCredentials(Collection<String> scopes, Collection<String> defaultScopes)
+        throws IOException {
+      super(scopes, defaultScopes);
     }
 
     @Override
@@ -272,7 +298,7 @@ private static class TestAppEngineCredentialsNoSdk extends AppEngineCredentials
     private static final long serialVersionUID = -8987103249265111274L;
 
     TestAppEngineCredentialsNoSdk() throws IOException {
-      super(null);
+      super(null, null);
     }
 
     @Override
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index be8841cb2..41ff946b0 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -169,6 +169,21 @@ public void createTokenUrlWithScopes_multiple_scopes() {
     assertEquals("bar", scopes.toArray()[1]);
   }
 
+  @Test
+  public void createTokenUrlWithScopes_defaultScopes() {
+    ComputeEngineCredentials credentials = ComputeEngineCredentials.newBuilder().build();
+    credentials =
+        (ComputeEngineCredentials)
+            credentials.createScoped(null, Arrays.asList(null, "foo", "", "bar"));
+    Collection<String> scopes = credentials.getScopes();
+    String tokenUrlWithScopes = credentials.createTokenUrlWithScopes();
+
+    assertEquals(TOKEN_URL + "?scopes=foo,bar", tokenUrlWithScopes);
+    assertEquals(2, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+    assertEquals("bar", scopes.toArray()[1]);
+  }
+
   @Test
   public void createScoped() {
     ComputeEngineCredentials credentials =
@@ -181,6 +196,16 @@ public void createScoped() {
     assertEquals("foo", scopes.toArray()[0]);
   }
 
+  @Test
+  public void createScoped_defaultScopes() {
+    GoogleCredentials credentials =
+        ComputeEngineCredentials.create().createScoped(null, Arrays.asList("foo"));
+    Collection<String> scopes = ((ComputeEngineCredentials) credentials).getScopes();
+
+    assertEquals(1, scopes.size());
+    assertEquals("foo", scopes.toArray()[0]);
+  }
+
   @Test
   public void getRequestMetadata_hasAccessToken() throws IOException {
     String accessToken = "1/MkSJoj1xsli0AccessToken_NKPY2";
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
index 6af637284..a87dc84fe 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/GoogleCredentialsTest.java
@@ -78,6 +78,8 @@ public class GoogleCredentialsTest {
 
   private static final Collection<String> SCOPES =
       Collections.unmodifiableCollection(Arrays.asList("scope1", "scope2"));
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.unmodifiableCollection(Arrays.asList("scope3"));
 
   static class MockHttpTransportFactory implements HttpTransportFactory {
 
@@ -146,6 +148,10 @@ public void fromStream_serviceAccount_providesToken() throws IOException {
     credentials = credentials.createScoped(SCOPES);
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
+
+    credentials = credentials.createScoped(SCOPES, DEFAULT_SCOPES);
+    metadata = credentials.getRequestMetadata(CALL_URI);
+    TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
   }
 
   @Test
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 77bd2862d..904093154 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -43,6 +43,7 @@
 
 import com.google.api.client.json.GenericJson;
 import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.json.webtoken.JsonWebToken;
 import com.google.api.client.testing.http.FixedClock;
@@ -51,6 +52,7 @@
 import com.google.api.client.util.Joiner;
 import com.google.auth.RequestMetadataCallback;
 import com.google.auth.TestUtils;
+import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockTokenServerTransportFactory;
@@ -98,10 +100,13 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
           + "==\n-----END PRIVATE KEY-----\n";
   private static final String ACCESS_TOKEN = "1/MkSJoj1xsli0AccessToken_NKPY2";
   private static final Collection<String> SCOPES = Collections.singletonList("dummy.scope");
+  private static final Collection<String> DEFAULT_SCOPES =
+      Collections.singletonList("dummy.default.scope");
   private static final String USER = "user@example.com";
   private static final String PROJECT_ID = "project-id";
   private static final Collection<String> EMPTY_SCOPES = Collections.emptyList();
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  private static final String JWT_AUDIENCE = "http://googleapis.com/";
   private static final HttpTransportFactory DUMMY_TRANSPORT_FACTORY =
       new MockTokenServerTransportFactory();
   public static final String DEFAULT_ID_TOKEN =
@@ -113,6 +118,7 @@ public class ServiceAccountCredentialsTest extends BaseSerializationTest {
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
   private static final int DEFAULT_LIFETIME_IN_SECONDS = 3600;
   private static final int INVALID_LIFETIME = 43210;
+  private static final String JWT_ACCESS_PREFIX = "Bearer ";
 
   private ServiceAccountCredentials.Builder createDefaultBuilder() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
@@ -250,6 +256,36 @@ public void createAssertion_correct() throws IOException {
     assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
   }
 
+  @Test
+  public void createAssertion_defaultScopes_correct() throws IOException {
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+    List<String> scopes = Arrays.asList("scope1", "scope2");
+    ServiceAccountCredentials.Builder builder =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientEmail(CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setScopes(null, scopes)
+            .setServiceAccountUser(USER)
+            .setProjectId(PROJECT_ID);
+    assertEquals(2, builder.getDefaultScopes().size());
+    ServiceAccountCredentials credentials = builder.build();
+
+    JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
+    long currentTimeMillis = Clock.SYSTEM.currentTimeMillis();
+    String assertion = credentials.createAssertion(jsonFactory, currentTimeMillis, null);
+
+    JsonWebSignature signature = JsonWebSignature.parse(jsonFactory, assertion);
+    JsonWebToken.Payload payload = signature.getPayload();
+    assertEquals(CLIENT_EMAIL, payload.getIssuer());
+    assertEquals(OAuth2Utils.TOKEN_SERVER_URI.toString(), payload.getAudience());
+    assertEquals(currentTimeMillis / 1000, (long) payload.getIssuedAtTimeSeconds());
+    assertEquals(currentTimeMillis / 1000 + 3600, (long) payload.getExpirationTimeSeconds());
+    assertEquals(USER, payload.getSubject());
+    assertEquals(Joiner.on(' ').join(scopes), payload.get("scope"));
+  }
+
   @Test
   public void createAssertion_custom_lifetime() throws IOException {
     ServiceAccountCredentials credentials = createDefaultBuilder().setLifetime(4000).build();
@@ -383,25 +419,72 @@ public void createdScoped_enablesAccessTokens() throws IOException {
             null);
 
     try {
-      credentials.getRequestMetadata(CALL_URI);
-      fail("Should not be able to get token without scopes");
-    } catch (Exception expected) {
-      // Expected
+      credentials.getRequestMetadata(null);
+      fail("Should not be able to get token without scopes, defaultScopes and uri");
+    } catch (IOException e) {
+      assertTrue(
+          "expected to fail with exception",
+          e.getMessage().contains("Scopes and uri are not configured for service account"));
     }
 
-    GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);
+    // Since scopes are not provided, self signed JWT will be used.
+    Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
+    verifyJwtAccess(metadata);
 
-    Map<String, List<String>> metadata = scopedCredentials.getRequestMetadata(CALL_URI);
+    // Since scopes are provided, self signed JWT will not be used.
+    GoogleCredentials scopedCredentials = credentials.createScoped(SCOPES);
+    metadata = scopedCredentials.getRequestMetadata(CALL_URI);
     TestUtils.assertContainsBearerToken(metadata, ACCESS_TOKEN);
   }
 
   @Test
-  public void createScopedRequired_emptyScopes_true() throws IOException {
+  public void createdScoped_defaultScopes() throws IOException {
+    final URI TOKEN_SERVER = URI.create("https://foo.com/bar");
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addServiceAccount(CLIENT_EMAIL, ACCESS_TOKEN);
+    transportFactory.transport.setTokenServerUri(TOKEN_SERVER);
+
+    ServiceAccountCredentials credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID, CLIENT_EMAIL, PRIVATE_KEY_PKCS8, PRIVATE_KEY_ID, SCOPES, DEFAULT_SCOPES);
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+
+    credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID,
+            CLIENT_EMAIL,
+            PRIVATE_KEY_PKCS8,
+            PRIVATE_KEY_ID,
+            SCOPES,
+            DEFAULT_SCOPES,
+            transportFactory,
+            TOKEN_SERVER);
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+
+    credentials =
+        ServiceAccountCredentials.fromPkcs8(
+            CLIENT_ID,
+            CLIENT_EMAIL,
+            PRIVATE_KEY_PKCS8,
+            PRIVATE_KEY_ID,
+            SCOPES,
+            DEFAULT_SCOPES,
+            transportFactory,
+            TOKEN_SERVER,
+            "service_account_user");
+    assertEquals(1, credentials.getDefaultScopes().size());
+    assertEquals("dummy.default.scope", credentials.getDefaultScopes().toArray()[0]);
+  }
+
+  @Test
+  public void createScopedRequired_emptyScopes_false() throws IOException {
     GoogleCredentials credentials =
         ServiceAccountCredentials.fromPkcs8(
             CLIENT_ID, CLIENT_EMAIL, PRIVATE_KEY_PKCS8, PRIVATE_KEY_ID, EMPTY_SCOPES);
 
-    assertTrue(credentials.createScopedRequired());
+    assertFalse(credentials.createScopedRequired());
   }
 
   @Test
@@ -972,6 +1055,7 @@ public void toString_containsFields() throws IOException {
             PRIVATE_KEY_PKCS8,
             PRIVATE_KEY_ID,
             SCOPES,
+            DEFAULT_SCOPES,
             transportFactory,
             tokenServer,
             USER,
@@ -980,7 +1064,7 @@ public void toString_containsFields() throws IOException {
     String expectedToString =
         String.format(
             "ServiceAccountCredentials{clientId=%s, clientEmail=%s, privateKeyId=%s, "
-                + "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, serviceAccountUser=%s, "
+                + "transportFactoryClassName=%s, tokenServerUri=%s, scopes=%s, defaultScopes=%s, serviceAccountUser=%s, "
                 + "quotaProjectId=%s, lifetime=3600}",
             CLIENT_ID,
             CLIENT_EMAIL,
@@ -988,6 +1072,7 @@ public void toString_containsFields() throws IOException {
             MockTokenServerTransportFactory.class.getName(),
             tokenServer,
             SCOPES,
+            DEFAULT_SCOPES,
             USER,
             QUOTA_PROJECT);
     assertEquals(expectedToString, credentials.toString());
@@ -1202,6 +1287,70 @@ public void onFailure(Throwable exception) {
     assertTrue("Should have run onSuccess() callback", success.get());
   }
 
+  @Test
+  public void getRequestMetadataWithCallback_selfSignedJWT() throws IOException {
+    MockTokenServerTransportFactory transportFactory = new MockTokenServerTransportFactory();
+    transportFactory.transport.addClient(CLIENT_ID, "unused-client-secret");
+    transportFactory.transport.addServiceAccount(CLIENT_EMAIL, ACCESS_TOKEN);
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(PRIVATE_KEY_PKCS8);
+    GoogleCredentials credentials =
+        ServiceAccountCredentials.newBuilder()
+            .setClientId(CLIENT_ID)
+            .setClientEmail(CLIENT_EMAIL)
+            .setPrivateKey(privateKey)
+            .setPrivateKeyId(PRIVATE_KEY_ID)
+            .setScopes(null, DEFAULT_SCOPES)
+            .setServiceAccountUser(USER)
+            .setProjectId(PROJECT_ID)
+            .setQuotaProjectId("my-quota-project-id")
+            .setHttpTransportFactory(transportFactory)
+            .build();
+
+    final AtomicBoolean success = new AtomicBoolean(false);
+    credentials.getRequestMetadata(
+        CALL_URI,
+        null,
+        new RequestMetadataCallback() {
+          @Override
+          public void onSuccess(Map<String, List<String>> metadata) {
+            try {
+              verifyJwtAccess(metadata);
+            } catch (IOException e) {
+              fail("Should not throw a failure");
+            }
+            success.set(true);
+          }
+
+          @Override
+          public void onFailure(Throwable exception) {
+            fail("Should not throw a failure.");
+          }
+        });
+
+    assertTrue("Should have run onSuccess() callback", success.get());
+  }
+
+  private void verifyJwtAccess(Map<String, List<String>> metadata) throws IOException {
+    assertNotNull(metadata);
+    List<String> authorizations = metadata.get(AuthHttpConstants.AUTHORIZATION);
+    assertNotNull("Authorization headers not found", authorizations);
+    String assertion = null;
+    for (String authorization : authorizations) {
+      if (authorization.startsWith(JWT_ACCESS_PREFIX)) {
+        assertNull("Multiple bearer assertions found", assertion);
+        assertion = authorization.substring(JWT_ACCESS_PREFIX.length());
+      }
+    }
+    assertNotNull("Bearer assertion not found", assertion);
+    JsonWebSignature signature =
+        JsonWebSignature.parse(GsonFactory.getDefaultInstance(), assertion);
+    assertEquals(CLIENT_EMAIL, signature.getPayload().getIssuer());
+    assertEquals(CLIENT_EMAIL, signature.getPayload().getSubject());
+    assertEquals(JWT_AUDIENCE, signature.getPayload().getAudience());
+    assertEquals(PRIVATE_KEY_ID, signature.getHeader().getKeyId());
+  }
+
   static GenericJson writeServiceAccountJson(
       String clientId,
       String clientEmail,
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
index 5020317f2..4e9aa93b1 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java
@@ -92,6 +92,7 @@ public class ServiceAccountJwtAccessCredentialsTest extends BaseSerializationTes
   private static final String JWT_ACCESS_PREFIX =
       ServiceAccountJwtAccessCredentials.JWT_ACCESS_PREFIX;
   private static final URI CALL_URI = URI.create("http://googleapis.com/testapi/v1/foo");
+  private static final URI CALL_URI_AUDIENCE = URI.create("http://googleapis.com/");
   private static final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
   private static final String QUOTA_PROJECT = "sample-quota-project-id";
 
@@ -171,6 +172,15 @@ public void getAuthenticationType_returnsJwtAccess() throws IOException {
     assertEquals(credentials.getAuthenticationType(), "JWTAccess");
   }
 
+  @Test
+  public void getUriForSelfSignedJWT() {
+    assertNull(ServiceAccountJwtAccessCredentials.getUriForSelfSignedJWT(null));
+
+    URI uri = URI.create("https://compute.googleapis.com/compute/v1/projects/");
+    URI expected = URI.create("https://compute.googleapis.com/");
+    assertEquals(expected, ServiceAccountJwtAccessCredentials.getUriForSelfSignedJWT(uri));
+  }
+
   @Test
   public void hasRequestMetadata_returnsTrue() throws IOException {
     Credentials credentials =
@@ -200,7 +210,7 @@ public void getRequestMetadata_blocking_hasJwtAccess() throws IOException {
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
 
-    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test
@@ -305,7 +315,7 @@ public void getRequestMetadata_async_hasJwtAccess() throws IOException {
     credentials.getRequestMetadata(CALL_URI, executor, callback);
     assertEquals(0, executor.numTasks());
     assertNotNull(callback.metadata);
-    verifyJwtAccess(callback.metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(callback.metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test
@@ -654,7 +664,7 @@ public void fromStream_hasJwtAccess() throws IOException {
 
     assertNotNull(credentials);
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
-    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
+    verifyJwtAccess(metadata, SA_CLIENT_EMAIL, CALL_URI_AUDIENCE, SA_PRIVATE_KEY_ID);
   }
 
   @Test