diff --git a/core/src/main/java/google/registry/tools/RequestFactoryModule.java b/core/src/main/java/google/registry/tools/RequestFactoryModule.java
index 79b531a42..906a3f93d 100644
--- a/core/src/main/java/google/registry/tools/RequestFactoryModule.java
+++ b/core/src/main/java/google/registry/tools/RequestFactoryModule.java
@@ -69,14 +69,15 @@ class RequestFactoryModule {
 return new NetHttpTransport()
 .createRequestFactory(
 request -> {
+ // Use the standard credential initializer to set the Authorization header
+ credentialsBundle.getHttpRequestInitializer().initialize(request);
 // If using IAP, use the refresh token to acquire an IAP-enabled ID token and use
 // that for authentication.
 if (iapClientId.isPresent()) {
 String idToken = getIdToken(credentialsBundle, iapClientId.get());
- request.getHeaders().setAuthorization("Bearer " + idToken);
- } else {
- // Otherwise, use the standard credential HTTP initializer
- credentialsBundle.getHttpRequestInitializer().initialize(request);
+ // Set the Proxy-Authentication header so that IAP can read from it, see
+ // https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
+ request.getHeaders().set("Proxy-Authorization", "Bearer " + idToken);
 }
 // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
 // needed to support some nomulus commands like updating premium lists that take
diff --git a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
index 05132ff87..d423aebc3 100644
--- a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
+++ b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
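Review bot: In IAP mode every request built by this factory now carries two bearer credentials, the bundle's credential in `Authorization` and the ID token in `Proxy-Authorization`, and nothing visible in the lambda limits them to HTTPS or to the expected host. The lambda continues outside the hunk, so such a check may exist there; if it does not, a scheme or host check before the headers are set (with whatever exception local mode needs) would keep both tokens off unintended connections. The ID token also moves out of `Authorization`, which google-http-client clears when it follows a redirect as far as I recall, into a generic header that probably survives one, so it is worth confirming the redirect behaviour or adding `request.setFollowRedirects(false);` if these endpoints never redirect legitimately. Separately, the added comment names the wrong header and should read `// Set the Proxy-Authorization header so that IAP can read from it, see`.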
@@ -100,6 +100,7 @@ public class RequestFactoryModuleTest {
 @Test
 void test_provideHttpRequestFactory_remote_withIap() throws Exception {
+ when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
 // Mock the request/response to/from the IAP server requesting an ID token
 UserCredentials mockUserCredentials = mock(UserCredentials.class);
 when(credentialsBundle.getGoogleCredentials()).thenReturn(mockUserCredentials);
@@ -123,9 +124,10 @@ public class RequestFactoryModuleTest {
 RequestFactoryModule.provideHttpRequestFactory(
 credentialsBundle, Optional.of("iapClientId"));
 HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
- assertThat(request.getHeaders().getAuthorization()).isEqualTo("Bearer iapIdToken");
+ assertThat(request.getHeaders().get("Proxy-Authorization")).isEqualTo("Bearer iapIdToken");
 assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
 assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
+ verify(httpRequestInitializer).initialize(request);
 verifyNoMoreInteractions(httpRequestInitializer);
 } finally {
 RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;
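Review bot: The IAP test in the second hunk no longer pins what ends up in `Authorization`, so a regression that writes the ID token back into that header would go unnoticed. Since `httpRequestInitializer` appears to be a mock that sets nothing, adding `assertThat(request.getHeaders().getAuthorization()).isNull();` next to the `Proxy-Authorization` assertion would catch it. `verify(httpRequestInitializer).initialize(request);` shows only that the initializer was invoked, not that its header survives the IAP branch; stubbing the initializer to set a known `Authorization` value and asserting both headers would cover the two-credential case this change introduces. The test method starts and ends outside these hunks.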