diff --git a/jobs/golangapiserver/spec b/jobs/golangapiserver/spec
index f828e86c1d..32804760ad 100644
--- a/jobs/golangapiserver/spec
+++ b/jobs/golangapiserver/spec
@@ -68,7 +68,7 @@ properties:
     default: ''
   autoscaler.apiserver.broker.default_credential_type:
     description: "The default credential type generated to authenticate with the custom metrics API. if no credential type is explicitly set.\nAllowed values:\n - binding-secret\n - x509\nIf credential-type \"binding-secret\" is set, then username and password are generated by the broker. \nIf credential-type \"x509\" is set, only instance identity credentials may be used.\n"
-    default: 'binding-secret'
+    default: 'x509'
   autoscaler.apiserver.broker.server.catalog:
     description: ""
   autoscaler.apiserver.broker.server.dashboard_redirect_uri:
diff --git a/spec/jobs/golangapiserver/apiserver_spec.rb b/spec/jobs/golangapiserver/apiserver_spec.rb
index adeed8de4a..9f34f4ac60 100644
--- a/spec/jobs/golangapiserver/apiserver_spec.rb
+++ b/spec/jobs/golangapiserver/apiserver_spec.rb
@@ -252,8 +252,8 @@
     end
 
     context "default_credential_type for custom metrics" do
-      it "has a value of binding-secret by default" do
-        expect(rendered_template).to include({"default_credential_type" => "binding-secret"})
+      it "has a value of x509 by default" do
+        expect(rendered_template).to include({"default_credential_type" => "x509"})
       end
     end
   end
diff --git a/src/acceptance/app/custom_metric_test.go b/src/acceptance/app/custom_metric_test.go
index 3b9410e5c1..491e39d6b1 100644
--- a/src/acceptance/app/custom_metric_test.go
+++ b/src/acceptance/app/custom_metric_test.go
@@ -26,14 +26,20 @@ var _ = Describe("AutoScaler custom metrics", func() {
 	AfterEach(AppAfterEach)
 
 	Describe("custom metrics policy for same app", func() {
-		BeforeEach(func() {
-			policy = GenerateDynamicScaleOutAndInPolicy(1, 2, "test_metric", 500, 500)
+		/*
+			Going forward, custom metrics submission should be possible via mTLS route only.This test can be removed in future if credential-type is set to X509 permanently.
+			Added test for rollback cases where custom metrics are still sent via basic auth route.
+		*/
+		JustBeforeEach(func() {
 			instanceName = CreatePolicy(cfg, appToScaleName, appToScaleGUID, policy)
 			StartApp(appToScaleName, cfg.CfPushTimeoutDuration())
 		})
-		// This test will fail if credential-type is set to X509 in autoscaler broker.
-		// Therefore, only mtls connection will be supported for custom metrics in future
 		Context("when scaling by custom metrics", func() {
+			BeforeEach(func() {
+				credentialType := "binding-secret"
+				policy = GeneratePolicyWithCredentialType(
+					1, 2, "test_metric", 500, 500, &credentialType)
+			})
 			It("should scale out and scale in", Label(acceptance.LabelSmokeTests), func() {
 				By("Scale out to 2 instances")
 				scaleOut := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 550, false)
@@ -48,11 +54,13 @@ var _ = Describe("AutoScaler custom metrics", func() {
 					WithTimeout(5 * time.Minute).
 					WithPolling(15 * time.Second).
 					Should(Equal(1))
-
 			})
 		})
 
 		Context("when scaling by custom metrics via mtls", func() {
+			BeforeEach(func() {
+				policy = GenerateDynamicScaleOutAndInPolicy(1, 2, "test_metric", 500, 500)
+			})
 			It("should scale out and scale in", Label(acceptance.LabelSmokeTests), func() {
 				By("Scale out to 2 instances")
 				scaleOut := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 550, true)
diff --git a/src/acceptance/app/lead_times_test.go b/src/acceptance/app/lead_times_test.go
index f833ee348c..62e972333f 100644
--- a/src/acceptance/app/lead_times_test.go
+++ b/src/acceptance/app/lead_times_test.go
@@ -29,8 +29,8 @@ var _ = Describe("Autoscaler lead times for scaling", func() {
 			coolDown := TestCoolDownSeconds * time.Second
 			scalingTimewindow := 130 * time.Second // be friendly and allow some time for "internal autoscaler processes" (metric polling interval etc.) to take place before actual scaling happens
 
-			sendMetricForScaleOutAndReturnNumInstancesFunc := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 510, false)
-			sendMetricForScaleInAndReturnNumInstancesFunc := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 490, false)
+			sendMetricForScaleOutAndReturnNumInstancesFunc := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 510, true)
+			sendMetricForScaleInAndReturnNumInstancesFunc := sendMetricToAutoscaler(cfg, appToScaleGUID, appToScaleName, 490, true)
 
 			By("checking that no scaling out happens before breach_duration_secs have passed")
 			Consistently(sendMetricForScaleOutAndReturnNumInstancesFunc).
diff --git a/src/acceptance/helpers/helpers.go b/src/acceptance/helpers/helpers.go
index ee3c2bc9f4..0efcb6b851 100644
--- a/src/acceptance/helpers/helpers.go
+++ b/src/acceptance/helpers/helpers.go
@@ -59,10 +59,11 @@ func (b *BindingConfig) SetCustomMetricsStrategy(allowFrom string) {
 }
 
 type ScalingPolicy struct {
-	InstanceMin  int               `json:"instance_min_count"`
-	InstanceMax  int               `json:"instance_max_count"`
-	ScalingRules []*ScalingRule    `json:"scaling_rules,omitempty"`
-	Schedules    *ScalingSchedules `json:"schedules,omitempty"`
+	InstanceMin    int               `json:"instance_min_count"`
+	InstanceMax    int               `json:"instance_max_count"`
+	ScalingRules   []*ScalingRule    `json:"scaling_rules,omitempty"`
+	Schedules      *ScalingSchedules `json:"schedules,omitempty"`
+	CredentialType *string           `json:"credential-type,omitempty"`
 }
 
 type ScalingPolicyWithExtraFields struct {
@@ -272,6 +273,15 @@ func GenerateDynamicScaleOutAndInPolicy(instanceMin, instanceMax int, metricName
 	return string(marshaled)
 }
 
+func GeneratePolicyWithCredentialType(instanceMin, instanceMax int, metricName string, scaleInWhenBelowThreshold int64, scaleOutWhenGreaterOrEqualThreshold int64, credentialType *string) string {
+	policyWithCredentialType := buildScaleOutScaleInPolicy(instanceMin, instanceMax, metricName, scaleInWhenBelowThreshold, scaleOutWhenGreaterOrEqualThreshold)
+	policyWithCredentialType.CredentialType = credentialType
+	marshaled, err := MarshalWithoutHTMLEscape(policyWithCredentialType)
+	Expect(err).NotTo(HaveOccurred())
+
+	return string(marshaled)
+}
+
 func buildScaleOutScaleInPolicy(instanceMin int, instanceMax int, metricName string, scaleInWhenBelowThreshold int64, scaleOutWhenGreaterOrEqualThreshold int64) ScalingPolicy {
 	scalingOutRule := ScalingRule{
 		MetricType:            metricName,