diff --git a/auth/grpctransport/directpath.go b/auth/grpctransport/directpath.go
index 8696df1487fc..d781c3e49a99 100644
--- a/auth/grpctransport/directpath.go
+++ b/auth/grpctransport/directpath.go
@@ -66,12 +66,12 @@ func isTokenProviderDirectPathCompatible(tp auth.TokenProvider, o *Options) bool
 	if tok == nil {
 		return false
 	}
-	if o.InternalOptions != nil && o.InternalOptions.EnableNonDefaultSAForDirectPath {
-		return true
-	}
 	if tok.MetadataString("auth.google.tokenSource") != "compute-metadata" {
 		return false
 	}
+	if o.InternalOptions != nil && o.InternalOptions.EnableNonDefaultSAForDirectPath {
+		return true
+	}
 	if tok.MetadataString("auth.google.serviceAccount") != "default" {
 		return false
 	}
diff --git a/auth/grpctransport/directpath_test.go b/auth/grpctransport/directpath_test.go
index 66d78f65a5ad..fd5271468b11 100644
--- a/auth/grpctransport/directpath_test.go
+++ b/auth/grpctransport/directpath_test.go
@@ -41,7 +41,11 @@ func TestIsTokenProviderDirectPathCompatible(t *testing.T) {
 		},
 		{
 			name: "EnableNonDefaultSAForDirectPath",
-			tp:   &staticTP{tok: &auth.Token{Value: "fakeToken"}},
+			tp: &staticTP{
+				tok: token(map[string]interface{}{
+					"auth.google.tokenSource": "compute-metadata",
+				}),
+			},
 			opts: &Options{
 				InternalOptions: &InternalOptions{
 					EnableNonDefaultSAForDirectPath: true,
@@ -49,6 +53,16 @@ func TestIsTokenProviderDirectPathCompatible(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "EnableNonDefaultSAForDirectPathButNotCompute",
+			tp:   &staticTP{},
+			opts: &Options{
+				InternalOptions: &InternalOptions{
+					EnableNonDefaultSAForDirectPath: true,
+				},
+			},
+			want: false,
+		},
 		{
 			name: "non-compute token source",
 			tp:   &staticTP{tok: token(map[string]interface{}{"auth.google.tokenSource": "NOT-compute-metadata"})},