diff --git a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
index 2f5423af..3c84ce03 100644
--- a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
@@ -40,6 +40,12 @@ message ExtAuthz {
   // Note that errors can be *always* tracked in the :ref:`stats
   // <config_http_filters_ext_authz_stats>`.
   bool failure_mode_allow = 2;
+
+  // Sets the package version the the gRPC service should use. This is particularly
+  // useful when transitioning from alpha to release versions assuming that both definitions are
+  // semantically compatible. Deprecation note: This field is deprecated and should only be used for
+  // version upgrade. See release notes for more details.
+  bool use_alpha = 4 [deprecated = true];
 }
 
 // HttpService is used for raw HTTP communication between the filter and the authorization service.
diff --git a/envoy/service/auth/v2/BUILD b/envoy/service/auth/v2/BUILD
index 5faba48a..193ef7f7 100644
--- a/envoy/service/auth/v2/BUILD
+++ b/envoy/service/auth/v2/BUILD
@@ -18,6 +18,7 @@ api_proto_library_internal(
         "external_auth.proto",
     ],
     has_services = 1,
+    visibility = ["//visibility:public"],
     deps = [
         ":attribute_context",
         "//envoy/api/v2/core:base",
diff --git a/envoy/service/auth/v2alpha/BUILD b/envoy/service/auth/v2alpha/BUILD
new file mode 100644
index 00000000..3f08afe6
--- /dev/null
+++ b/envoy/service/auth/v2alpha/BUILD
@@ -0,0 +1,12 @@
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library_internal")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library_internal(
+    name = "external_auth",
+    srcs = [
+        "external_auth.proto",
+    ],
+    has_services = 1,
+    deps = ["//envoy/service/auth/v2:external_auth"],
+)
diff --git a/envoy/service/auth/v2alpha/external_auth.proto b/envoy/service/auth/v2alpha/external_auth.proto
new file mode 100644
index 00000000..bdf0d2e4
--- /dev/null
+++ b/envoy/service/auth/v2alpha/external_auth.proto
@@ -0,0 +1,25 @@
+syntax = "proto3";
+
+package envoy.service.auth.v2alpha;
+
+option go_package = "v2alpha";
+
+option java_multiple_files = true;
+option java_generic_services = true;
+option java_outer_classname = "CertsProto";
+option java_package = "io.envoyproxy.envoy.service.auth.v2alpha";
+
+import "envoy/service/auth/v2/external_auth.proto";
+
+// [#protodoc-title: Authorization Service ]
+
+// The authorization service request messages used by external authorization :ref:`network filter
+// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.
+
+// A generic interface for performing authorization check on incoming
+// requests to a networked service.
+service Authorization {
+  // Performs authorization check based on the attributes associated with the
+  // incoming request, and returns status `OK` or not `OK`.
+  rpc Check(v2.CheckRequest) returns (v2.CheckResponse);
+}