diff --git a/google/api/auth.proto b/google/api/auth.proto
index 7c5d6166..1b187cb4 100644
--- a/google/api/auth.proto
+++ b/google/api/auth.proto
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,7 +11,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
@@ -72,6 +71,27 @@ message AuthenticationRule {
   repeated AuthRequirement requirements = 7;
 }
 
+// Specifies a location to extract JWT from an API request.
+message JwtLocation {
+  oneof in {
+    // Specifies HTTP header name to extract JWT token.
+    string header = 1;
+
+    // Specifies URL query parameter name to extract JWT token.
+    string query = 2;
+  }
+
+  // The value prefix. The value format is "value_prefix{token}"
+  // Only applies to "in" header type. Must be empty for "in" query type.
+  // If not empty, the header value has to match (case sensitive) this prefix.
+  // If not matched, JWT will not be extracted. If matched, JWT will be
+  // extracted after the prefix is removed.
+  //
+  // For example, for "Authorization: Bearer {JWT}",
+  // value_prefix="Bearer " with a space at the end.
+  string value_prefix = 3;
+}
+
 // Configuration for an authentication provider, including support for
 // [JSON Web Token
 // (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
@@ -122,6 +142,25 @@ message AuthProvider {
   // Redirect URL if JWT token is required but not present or is expired.
   // Implement authorizationUrl of securityDefinitions in OpenAPI spec.
   string authorization_url = 5;
+
+  // Defines the locations to extract the JWT.
+  //
+  // JWT locations can be either from HTTP headers or URL query parameters.
+  // The rule is that the first match wins. The checking order is: checking
+  // all headers first, then URL query parameters.
+  //
+  // If not specified,  default to use following 3 locations:
+  //    1) Authorization: Bearer
+  //    2) x-goog-iap-jwt-assertion
+  //    3) access_token query parameter
+  //
+  // Default locations can be specified as followings:
+  //    jwt_locations:
+  //    - header: Authorization
+  //      value_prefix: "Bearer "
+  //    - header: x-goog-iap-jwt-assertion
+  //    - query: access_token
+  repeated JwtLocation jwt_locations = 6;
 }
 
 // OAuth scopes are a way to define data and permissions on data. For example,