diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 102497633e09..9720ffb341de 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -147,9 +147,13 @@ func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
 	var (
 		uri              string
 		headersToBackend []*matcherv3.StringMatcher
-		service          = new(extauthv3.HttpService)
+		service          *extauthv3.HttpService
 	)
 
+	service = &extauthv3.HttpService{
+		PathPrefix: http.Path,
+	}
+
 	u := url.URL{
 		// scheme should be decided by the TLS setting, but we don't have that info now.
 		// It's safe to set it to http because the ext auth filter doesn't use the
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
index e85a6d3b8548..083a4a6f3f1d 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -39,6 +39,7 @@
                   patterns:
                   - exact: header1
                   - exact: header2
+              pathPrefix: /auth
               serverUri:
                 cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend
                 timeout: 10s