diff --git a/java/google/registry/config/CredentialModule.java b/java/google/registry/config/CredentialModule.java
index b6ba7fa52..d299089bd 100644
--- a/java/google/registry/config/CredentialModule.java
+++ b/java/google/registry/config/CredentialModule.java
@@ -42,7 +42,7 @@ public abstract class CredentialModule {
   @Provides
   @Singleton
   public static GoogleCredential provideDefaultCredential(
-      @Config("credentialOauthScopes") ImmutableList requiredScopes) {
+      @Config("defaultCredentialOauthScopes") ImmutableList requiredScopes) {
     GoogleCredential credential;
     try {
       credential = GoogleCredential.getApplicationDefault();
@@ -60,7 +60,7 @@ public abstract class CredentialModule {
   @Provides
   @Singleton
   public static GoogleCredential provideJsonCredential(
-      @Config("credentialOauthScopes") ImmutableList requiredScopes,
+      @Config("defaultCredentialOauthScopes") ImmutableList requiredScopes,
       @Key("jsonCredential") String jsonCredential) {
     GoogleCredential credential;
     try {
@@ -89,7 +89,7 @@ public abstract class CredentialModule {
   @Provides
   @Singleton
   public static GoogleCredential provideDelegatedCredential(
-      @Config("credentialOauthScopes") ImmutableList requiredScopes,
+      @Config("delegatedCredentialOauthScopes") ImmutableList requiredScopes,
       @JsonCredential GoogleCredential googleCredential,
       @Config("gSuiteAdminAccountEmailAddress") String gSuiteAdminAccountEmailAddress) {
     return new GoogleCredential.Builder()
diff --git a/java/google/registry/config/RegistryConfig.java b/java/google/registry/config/RegistryConfig.java
index 528041770..3fabed129 100644
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
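Review bot: provideDelegatedCredential now consumes a scope list that has to stay in lock-step with the domain-wide delegation granted to the service account in the G Suite admin console, but that coupling is stated only in the comment in default-config.yaml, not on the Java side where the credential is actually built. Suggest a Javadoc note on the method, e.g. `Scopes come from {@code delegatedCredentialOauthScopes}; a scope must already be authorized for the service account in the G Suite admin console before a release that adds it is deployed.` Splitting the list also means the default and JSON credentials in the two earlier hunks no longer carry the Directory and Group Settings scopes, which is the intended least-privilege effect but is worth saying in their Javadoc so nobody reaches for the default credential for G Suite calls and gets an opaque permission error at runtime. The method's body continues outside the hunk.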
@@ -1143,12 +1143,22 @@ public final class RegistryConfig {
     return ImmutableSet.copyOf(config.oAuth.allowedOauthClientIds);
   }
 
-  /** Provides the OAuth scopes required for accessing Google APIs. */
+  /**
+   * Provides the OAuth scopes required for accessing Google APIs using the default credential.
+   */
   @Provides
-  @Config("credentialOauthScopes")
-  public static ImmutableList provideCredentialOauthScopes(
+  @Config("defaultCredentialOauthScopes")
+  public static ImmutableList provideServiceAccountCredentialOauthScopes(
       RegistryConfigSettings config) {
-    return ImmutableList.copyOf(config.credentialOAuth.credentialOauthScopes);
+    return ImmutableList.copyOf(config.credentialOAuth.defaultCredentialOauthScopes);
+  }
+
+  /** Provides the OAuth scopes required for delegated admin access to G Suite domain. */
+  @Provides
+  @Config("delegatedCredentialOauthScopes")
+  public static ImmutableList provideDelegatedCredentialOauthScopes(
+      RegistryConfigSettings config) {
+    return ImmutableList.copyOf(config.credentialOAuth.delegatedCredentialOauthScopes);
   }
 
   /**
diff --git a/java/google/registry/config/RegistryConfigSettings.java b/java/google/registry/config/RegistryConfigSettings.java
index c2045b510..35c64ff85 100644
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@@ -58,7 +58,8 @@ public class RegistryConfigSettings {
 
   /** Configuration options for accessing Google APIs. */
   public static class CredentialOAuth {
-    public List credentialOauthScopes;
+    public List defaultCredentialOauthScopes;
+    public List delegatedCredentialOauthScopes;
   }
 
   /** Configuration options for the G Suite account used by Nomulus. */
diff --git a/java/google/registry/config/files/default-config.yaml b/java/google/registry/config/files/default-config.yaml
index 2ff11252b..7efc39452 100644
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
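Review bot: The renamed provider `provideServiceAccountCredentialOauthScopes` does not match its own qualifier `@Config("defaultCredentialOauthScopes")`, the new Javadoc ("using the default credential"), the settings field `defaultCredentialOauthScopes`, or its sibling `provideDelegatedCredentialOauthScopes`, so the same scope list now goes by "service account" in one place and "default" everywhere else. Suggest `public static ImmutableList provideDefaultCredentialOauthScopes(` so the method, qualifier and field line up the way the delegated pair does. The second Javadoc reads better as `/** Provides the OAuth scopes required for delegated admin access to the G Suite domain. */`.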
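Review bot: Dropping `credentialOauthScopes` from `CredentialOAuth` is a breaking change for any per-environment override file that still sets `credentialOAuth.credentialOauthScopes`, and whether a stale key makes config loading fail or is silently ignored depends on the YAML binder, which is not visible in this diff; if it is ignored, that environment would silently run with the scope lists from default-config.yaml instead of its own. Worth confirming the loader rejects unknown keys, or updating the override files in the same change so the rename cannot be missed. The two new fields also deserve one-line comments now that the class Javadoc no longer distinguishes them, e.g. `// Scopes for the application-default / JSON service-account credential.` and `// Scopes for the credential delegated to the G Suite admin account; must match the domain-wide delegation grant.`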
@@ -177,17 +177,27 @@ oAuth:
   allowedOauthClientIds: []
 
 credentialOAuth:
-  # OAuth scopes required for accessing Google APIs.
-  credentialOauthScopes:
+  # OAuth scopes required for accessing Google APIs using the default
+  # credential.
+  defaultCredentialOauthScopes:
     # View and manage data in all Google Cloud APIs.
     - https://www.googleapis.com/auth/cloud-platform
     # View and manage files in Google Drive.
     - https://www.googleapis.com/auth/drive
+  # OAuth scopes required for delegated admin access to G Suite domain.
+  # Deployment of changes to this list must be coordinated with G Suite admin
+  # configuration, which can be managed in the admin console:
+  #   - New scopes must be added to the G Suite domain configuration before the
+  #     release is deployed.
+  #   - Removed scopes must remain on G Suite domain configuration until the
+  #     release is deployed.
+  delegatedCredentialOauthScopes:
     # View and manage groups on your domain in Directory API.
     - https://www.googleapis.com/auth/admin.directory.group
     # View and manage group settings in Group Settings API.
     - https://www.googleapis.com/auth/apps.groups.settings
 
+
 icannReporting:
   # URL we PUT monthly ICANN transactions reports to.
   icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions