diff --git a/interop/client/client.go b/interop/client/client.go
index da6bc2d2..d9a8159c 100644
--- a/interop/client/client.go
+++ b/interop/client/client.go
@@ -25,6 +25,7 @@ import (
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/alts"
 	"google.golang.org/grpc/credentials/oauth"
 	"google.golang.org/grpc/grpclog"
 	"google.golang.org/grpc/interop"
@@ -34,7 +35,8 @@ import (
 
 var (
 	caFile                = flag.String("ca_file", "", "The file containning the CA root cert file")
-	useTLS                = flag.Bool("use_tls", false, "Connection uses TLS if true, else plain TCP")
+	useTLS                = flag.Bool("use_tls", false, "Connection uses TLS if true")
+	useALTS               = flag.Bool("use_alts", false, "Connection uses ALTS if true (this option can only be used on GCP)")
 	testCA                = flag.Bool("use_test_ca", false, "Whether to replace platform root CAs with test CA as the CA root")
 	serviceAccountKeyFile = flag.String("service_account_key_file", "", "Path to service account json key file")
 	oauthScope            = flag.String("oauth_scope", "", "The scope for OAuth2 tokens")
@@ -66,6 +68,9 @@ var (
 
 func main() {
 	flag.Parse()
+	if *useTLS && *useALTS {
+		grpclog.Fatalf("use_tls and use_alts cannot be both set to true")
+	}
 	serverAddr := net.JoinHostPort(*serverHost, strconv.Itoa(*serverPort))
 	var opts []grpc.DialOption
 	if *useTLS {
@@ -104,6 +109,9 @@ func main() {
 		} else if *testCase == "oauth2_auth_token" {
 			opts = append(opts, grpc.WithPerRPCCredentials(oauth.NewOauthAccess(interop.GetToken(*serviceAccountKeyFile, *oauthScope))))
 		}
+	} else if *useALTS {
+		altsTC := alts.NewClient(nil)
+		opts = append(opts, grpc.WithTransportCredentials(altsTC))
 	} else {
 		opts = append(opts, grpc.WithInsecure())
 	}
diff --git a/interop/server/server.go b/interop/server/server.go
index b833c76f..9e5139ba 100644
--- a/interop/server/server.go
+++ b/interop/server/server.go
@@ -25,6 +25,7 @@ import (
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/alts"
 	"google.golang.org/grpc/grpclog"
 	"google.golang.org/grpc/interop"
 	testpb "google.golang.org/grpc/interop/grpc_testing"
@@ -33,6 +34,7 @@ import (
 
 var (
 	useTLS   = flag.Bool("use_tls", false, "Connection uses TLS if true, else plain TCP")
+	useALTS  = flag.Bool("use_alts", false, "Connection uses ALTS if true (this option can only be used on GCP)")
 	certFile = flag.String("tls_cert_file", "", "The TLS cert file")
 	keyFile  = flag.String("tls_key_file", "", "The TLS key file")
 	port     = flag.Int("port", 10000, "The server port")
@@ -40,6 +42,9 @@ var (
 
 func main() {
 	flag.Parse()
+	if *useTLS && *useALTS {
+		grpclog.Fatalf("use_tls and use_alts cannot be both set to true")
+	}
 	p := strconv.Itoa(*port)
 	lis, err := net.Listen("tcp", ":"+p)
 	if err != nil {
@@ -57,7 +62,10 @@ func main() {
 		if err != nil {
 			grpclog.Fatalf("Failed to generate credentials %v", err)
 		}
-		opts = []grpc.ServerOption{grpc.Creds(creds)}
+		opts = append(opts, grpc.Creds(creds))
+	} else if *useALTS {
+		altsTC := alts.NewServer()
+		opts = append(opts, grpc.Creds(altsTC))
 	}
 	server := grpc.NewServer(opts...)
 	testpb.RegisterTestServiceServer(server, interop.NewTestServer())