diff --git a/oauth2_http/java/com/google/auth/oauth2/MtlsConfig.java b/oauth2_http/java/com/google/auth/oauth2/MtlsConfig.java
index de4ab23ff..61ee45cd8 100644
--- a/oauth2_http/java/com/google/auth/oauth2/MtlsConfig.java
+++ b/oauth2_http/java/com/google/auth/oauth2/MtlsConfig.java
@@ -1,18 +1,58 @@
 package com.google.auth.oauth2;
 
+import com.google.errorprone.annotations.CanIgnoreReturnValue;
+
 /** Holds an mTLS configuration (consists of address of S2A) retrieved from the Metadata Server. */
 public final class MtlsConfig {
- private final String s2aAddress;
+ // plaintextS2AAddress is the plaintext address to reach the S2A.
+ private final String plaintextS2AAddress;
+
+ // mtlsS2AAddress is the mTLS address to reach the S2A.
+ private final String mtlsS2AAddress;
+
+ public static Builder createBuilder() {
+ return new Builder();
+ }
+
+ public String getPlaintextS2AAddress() {
+ return plaintextS2AAddress;
+ }
 
- public static MtlsConfig createMtlsConfig(String addr) {
- return new MtlsConfig(addr);
+ public String getMtlsS2AAddress() {
+ return mtlsS2AAddress;
 }
 
- public String getS2AAddress() {
- return s2aAddress;
+ public static final class Builder {
+ // plaintextS2AAddress is the plaintext address to reach the S2A.
+ private String plaintextS2AAddress;
+
+ // mtlsS2AAddress is the mTLS address to reach the S2A.
+ private String mtlsS2AAddress;
+
+ Builder() {
+ plaintextS2AAddress = "";
+ mtlsS2AAddress = "";
+ }
+
+ @CanIgnoreReturnValue
+ public Builder setPlaintextS2AAddress(String plaintextS2AAddress) {
+ this.plaintextS2AAddress = plaintextS2AAddress;
+ return this;
+ }
+
+ @CanIgnoreReturnValue
+ public Builder setMtlsS2AAddress(String mtlsS2AAddress) {
+ this.mtlsS2AAddress = mtlsS2AAddress;
+ return this;
+ }
+
+ public MtlsConfig build() {
+ return new MtlsConfig(plaintextS2AAddress, mtlsS2AAddress);
+ }
 }
 
- private MtlsConfig(String addr) {
- this.s2aAddress = addr;
+ private MtlsConfig(String plaintextS2AAddress, String mtlsS2AAddress) {
+ this.plaintextS2AAddress = plaintextS2AAddress;
+ this.mtlsS2AAddress = mtlsS2AAddress;
 }
 }
diff --git a/oauth2_http/java/com/google/auth/oauth2/S2A.java b/oauth2_http/java/com/google/auth/oauth2/S2A.java
index 930c030ee..ff8450b60 100644
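Review bot: Builder.setPlaintextS2AAddress and setMtlsS2AAddress store whatever they are handed, so a null passes through build() into an MtlsConfig whose getters callers treat as non-null (the S2A tests on this page call `.isEmpty()` on them), while the empty string is the documented "not supplied" sentinel; reject null at the setter, `this.plaintextS2AAddress = Objects.requireNonNull(plaintextS2AAddress, "plaintextS2AAddress");` (and the same in the mTLS setter, with `import java.util.Objects;`). createBuilder(), the two getters and Builder carry no Javadoc, and the class comment does not say what an empty address means; a line such as `Either address is the empty string when the Metadata Server did not supply it.` on the class Javadoc would give callers the contract they need. The `// plaintextS2AAddress is the plaintext address to reach the S2A.` field comments would also read more naturally as Javadoc, `/** Plaintext address to reach the S2A; empty when unknown. */`.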
--- a/oauth2_http/java/com/google/auth/oauth2/S2A.java +++ b/oauth2_http/java/com/google/auth/oauth2/S2A.java @@ -37,28 +37,32 @@ public void setHttpTransportFactory(HttpTransportFactory tf) { this.transportFactory = tf; } - /** - * Returns the S2A Address from the mTLS config. - * - * @return the S2A address. - */ - public synchronized String getS2AAddress() { + /** @return the mTLS S2A Address from the mTLS config. */ + public synchronized String getMtlsS2AAddress() { + if (config == null) { + config = getMdsMtlsConfig(); + } + return config.getMtlsS2AAddress(); + } + + /** @return the plaintext S2A Address from the mTLS config. */ + public synchronized String getPlaintextS2AAddress() { if (config == null) { - String addr = getMdsMtlsConfigData(); - config = MtlsConfig.createMtlsConfig(addr); + config = getMdsMtlsConfig(); } - return config.getS2AAddress(); + return config.getPlaintextS2AAddress(); } /** - * Queries the MDS mTLS Autoconfiguration endpoint and returns the S2A address. + * Queries the MDS mTLS Autoconfiguration endpoint and returns the {@link MtlsConfig}. * - *
Returns an empty address on error. + *
Returns {@link MtlsConfig} with empty addresses on error. * - * @return the S2A address. + * @return the {@link MtlsConfig}. */ - private String getMdsMtlsConfigData() { - String s2aAddress = ""; + private MtlsConfig getMdsMtlsConfig() { + String plaintextS2AAddress = ""; + String mtlsS2AAddress = ""; try { if (transportFactory == null) { transportFactory = @@ -76,19 +80,24 @@ private String getMdsMtlsConfigData() { HttpResponse response = request.execute(); if (!response.isSuccessStatusCode()) { - return ""; + return MtlsConfig.createBuilder().build(); } InputStream content = response.getContent(); if (content == null) { - return ""; + return MtlsConfig.createBuilder().build(); } GenericData responseData = response.parseAs(GenericData.class); - s2aAddress = OAuth2Utils.validateString(responseData, "s2a", PARSE_ERROR_S2A); + plaintextS2AAddress = + OAuth2Utils.validateString(responseData, "plaintext_address", PARSE_ERROR_S2A); + mtlsS2AAddress = OAuth2Utils.validateString(responseData, "mtls_address", PARSE_ERROR_S2A); } catch (IOException e) { - return ""; + return MtlsConfig.createBuilder().build(); } - return s2aAddress; + return MtlsConfig.createBuilder() + .setPlaintextS2AAddress(plaintextS2AAddress) + .setMtlsS2AAddress(mtlsS2AAddress) + .build(); } /** @return MDS mTLS autoconfig endpoint. */ diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java index 2554ff5a4..8e1a0b455 100644 --- a/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java +++ b/oauth2_http/javatests/com/google/auth/oauth2/MockMetadataServerTransport.java @@ -60,7 +60,9 @@ public class MockMetadataServerTransport extends MockHttpTransport { private byte[] signature; - private String s2aAddress; + private String plaintextS2AAddress; + + private String mtlsS2AAddress; private boolean emptyContent; 
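Review bot: Both new getters assign `config = getMdsMtlsConfig();` whatever that call returns, including the empty-address config it produces on a non-2xx status or an IOException, so a single transient Metadata Server failure pins this S2A instance to "no S2A" for its lifetime and the other getter never retries. If that is the intended behaviour it belongs in the Javadoc; if not, only cache the result when at least one address is non-empty, bearing in mind that an unreachable endpoint would then be re-queried on every call. The lazy-init block is duplicated verbatim in getMtlsS2AAddress and getPlaintextS2AAddress; a `private synchronized MtlsConfig getConfig()` that both call keeps the caching decision in one place. The one-line `/** @return the mTLS S2A Address from the mTLS config. */` Javadoc also drops the contract a caller needs, that the returned string is empty when the address could not be obtained.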
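Review bot: The `String plaintextS2AAddress = "";` and `String mtlsS2AAddress = "";` initializers at the top of getMdsMtlsConfig (in the previous hunk) are now dead, because every error path in this hunk returns `MtlsConfig.createBuilder().build()` directly and the success path assigns both locals before they are read; building the config inside the try removes the locals and the two-step assignment. The `catch (IOException e)` still discards the cause, so an S2A that silently never engages cannot be told apart from an endpoint that legitimately returned nothing, and a parse failure from `validateString` (presumably an IOException, given PARSE_ERROR_S2A) is the case most worth surfacing through whatever logging S2A.java already has, which is not visible in this hunk. getMdsMtlsConfig starts in the previous hunk; only its tail is shown here.
```java
      // … unchanged: status-code and empty-content checks …
      GenericData responseData = response.parseAs(GenericData.class);
      return MtlsConfig.createBuilder()
          .setPlaintextS2AAddress(
              OAuth2Utils.validateString(responseData, "plaintext_address", PARSE_ERROR_S2A))
          .setMtlsS2AAddress(
              OAuth2Utils.validateString(responseData, "mtls_address", PARSE_ERROR_S2A))
          .build();
    } catch (IOException e) {
      // TODO(review): record e (at least at a fine level) so a silently absent S2A can be diagnosed.
      return MtlsConfig.createBuilder().build();
    }
```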
@@ -86,8 +88,12 @@ public void setIdToken(String idToken) { this.idToken = idToken; } - public void setS2AAddress(String address) { - this.s2aAddress = address; + public void setPlaintextS2AAddress(String address) { + this.plaintextS2AAddress = address; + } + + public void setMtlsS2AAddress(String address) { + this.mtlsS2AAddress = address; } public void setEmptyContent(boolean emptyContent) { @@ -260,7 +266,8 @@ public LowLevelHttpResponse execute() throws IOException { // Create the JSON response GenericJson content = new GenericJson(); content.setFactory(OAuth2Utils.JSON_FACTORY); - content.put("s2a", s2aAddress); + content.put("plaintext_address", plaintextS2AAddress); + content.put("mtls_address", mtlsS2AAddress); String contentText = content.toPrettyString(); MockLowLevelHttpResponse response = new MockLowLevelHttpResponse(); @@ -292,7 +299,8 @@ protected boolean isIdentityDocumentUrl(String url) { } protected boolean isMtlsConfigRequestUrl(String url) { - return s2aAddress != null + return plaintextS2AAddress != null + && mtlsS2AAddress != null && url.equals(String.format(S2A.DEFAULT_METADATA_SERVER_URL + S2A.MTLS_CONFIG_ENDPOINT)); } } diff --git a/oauth2_http/javatests/com/google/auth/oauth2/MtlsConfigTest.java b/oauth2_http/javatests/com/google/auth/oauth2/MtlsConfigTest.java index 201756d05..64f1185d5 100644 --- a/oauth2_http/javatests/com/google/auth/oauth2/MtlsConfigTest.java +++ b/oauth2_http/javatests/com/google/auth/oauth2/MtlsConfigTest.java @@ -1,6 +1,7 @@ package com.google.auth.oauth2; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; import org.junit.Test; import org.junit.runner.RunWith; 
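Review bot: isMtlsConfigRequestUrl in the last hunk now answers the mTLS-config request only when both plaintextS2AAddress and mtlsS2AAddress are set, so the mock can no longer serve a response with one of the two keys missing, and the `validateString` failure path for a partial Metadata Server response cannot be exercised with it. If that case is meant to be covered, `return (plaintextS2AAddress != null || mtlsS2AAddress != null)` combined with skipping the `content.put(...)` of a null value in execute() would allow a single-key response; whether GenericJson tolerates a null value as written is not visible here, so that needs checking. The enclosing class continues beyond the hunk.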
@@ -9,11 +10,24 @@ /** Test cases for {@link MtlsConfig}. */ @RunWith(JUnit4.class) public class MtlsConfigTest { - private static final String S2A_ADDRESS_A = "addr_a"; + private static final String S2A_PLAINTEXT_ADDRESS = "plaintext"; + private static final String S2A_MTLS_ADDRESS = "mtls"; @Test public void createMtlsConfig_success() { - MtlsConfig config = MtlsConfig.createMtlsConfig(S2A_ADDRESS_A); - assertEquals(S2A_ADDRESS_A, config.getS2AAddress()); + MtlsConfig config = + MtlsConfig.createBuilder() + .setPlaintextS2AAddress(S2A_PLAINTEXT_ADDRESS) + .setMtlsS2AAddress(S2A_MTLS_ADDRESS) + .build(); + assertEquals(S2A_PLAINTEXT_ADDRESS, config.getPlaintextS2AAddress()); + assertEquals(S2A_MTLS_ADDRESS, config.getMtlsS2AAddress()); + } + + @Test + public void createEmptyMtlsConfig_success() { + MtlsConfig config = MtlsConfig.createBuilder().build(); + assertTrue(config.getPlaintextS2AAddress().isEmpty()); + assertTrue(config.getMtlsS2AAddress().isEmpty()); } } diff --git a/oauth2_http/javatests/com/google/auth/oauth2/S2ATest.java b/oauth2_http/javatests/com/google/auth/oauth2/S2ATest.java index 163043c98..590662e43 100644 --- a/oauth2_http/javatests/com/google/auth/oauth2/S2ATest.java +++ b/oauth2_http/javatests/com/google/auth/oauth2/S2ATest.java 
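Review bot: The test name `createMtlsConfig_success` still refers to the removed `createMtlsConfig` factory although the body now exercises `createBuilder()` with both setters; `builder_bothAddressesSet_returnsThem` and, for the second test, `builder_noAddressesSet_returnsEmptyStrings` would describe what is checked. Nothing covers a Builder on which only one setter was called, which is the shape a partial response would produce; one assertion that the untouched getter returns `""` would pin the constructor default.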
@@ -13,43 +13,53 @@ @RunWith(JUnit4.class) public class S2ATest { - private static final String S2A_ADDRESS_A = "addr_a"; + private static final String S2A_PLAINTEXT_ADDRESS = "plaintext"; + private static final String S2A_MTLS_ADDRESS = "mtls"; @Test public void getS2AAddress_validAddress() { MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory(); - transportFactory.transport.setS2AAddress(S2A_ADDRESS_A); + transportFactory.transport.setPlaintextS2AAddress(S2A_PLAINTEXT_ADDRESS); + transportFactory.transport.setMtlsS2AAddress(S2A_MTLS_ADDRESS); transportFactory.transport.setRequestStatusCode(HttpStatusCodes.STATUS_CODE_OK); S2A s2aUtils = new S2A(); s2aUtils.setHttpTransportFactory(transportFactory); - String s2aAddress = s2aUtils.getS2AAddress(); - assertEquals(S2A_ADDRESS_A, s2aAddress); + String plaintextS2AAddress = s2aUtils.getPlaintextS2AAddress(); + String mtlsS2AAddress = s2aUtils.getMtlsS2AAddress(); + assertEquals(S2A_PLAINTEXT_ADDRESS, plaintextS2AAddress); + assertEquals(S2A_MTLS_ADDRESS, mtlsS2AAddress); } @Test public void getS2AAddress_queryEndpointResponseErrorCode_emptyAddress() { MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory(); - transportFactory.transport.setS2AAddress(S2A_ADDRESS_A); + transportFactory.transport.setPlaintextS2AAddress(S2A_PLAINTEXT_ADDRESS); + transportFactory.transport.setMtlsS2AAddress(S2A_MTLS_ADDRESS); transportFactory.transport.setRequestStatusCode( HttpStatusCodes.STATUS_CODE_SERVICE_UNAVAILABLE); S2A s2aUtils = new S2A(); s2aUtils.setHttpTransportFactory(transportFactory); - String s2aAddress = s2aUtils.getS2AAddress(); - assertTrue(s2aAddress.isEmpty()); + String plaintextS2AAddress = s2aUtils.getPlaintextS2AAddress(); + String mtlsS2AAddress = s2aUtils.getMtlsS2AAddress(); + assertTrue(plaintextS2AAddress.isEmpty()); + assertTrue(mtlsS2AAddress.isEmpty()); } @Test public void getS2AAddress_queryEndpointResponseEmpty_emptyAddress() { 
MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory(); - transportFactory.transport.setS2AAddress(S2A_ADDRESS_A); + transportFactory.transport.setPlaintextS2AAddress(S2A_PLAINTEXT_ADDRESS); + transportFactory.transport.setMtlsS2AAddress(S2A_MTLS_ADDRESS); transportFactory.transport.setRequestStatusCode(HttpStatusCodes.STATUS_CODE_OK); transportFactory.transport.setEmptyContent(true); S2A s2aUtils = new S2A(); s2aUtils.setHttpTransportFactory(transportFactory); - String s2aAddress = s2aUtils.getS2AAddress(); - assertTrue(s2aAddress.isEmpty()); + String plaintextS2AAddress = s2aUtils.getPlaintextS2AAddress(); + String mtlsS2AAddress = s2aUtils.getMtlsS2AAddress(); + assertTrue(plaintextS2AAddress.isEmpty()); + assertTrue(mtlsS2AAddress.isEmpty()); } }
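Review bot: The three test names still say `getS2AAddress_…` although that method no longer exists and each test now calls both getPlaintextS2AAddress and getMtlsS2AAddress; renaming to `getS2AAddresses_…` keeps them honest. Each test also calls `getPlaintextS2AAddress()` first, so `getMtlsS2AAddress()` is always served from the config the first call cached and its own lazy-init path is never exercised; one test that calls the mTLS getter on a fresh S2A (or calls it first) would show that path fetches the config on its own.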