diff --git a/BUILD b/BUILD index d40e394cdbc..3b4f1c0c99b 100644 --- a/BUILD +++ b/BUILD @@ -1243,6 +1243,7 @@ grpc_cc_library( "gpr", "grpc++_base_unsecure", "grpc++_codegen_proto", + "grpc_core_credentials", "grpc_public_hdrs", "grpc_security_base", "grpc_unsecure", @@ -4145,6 +4146,7 @@ grpc_cc_library( "config_vars", "gpr", "grpc_base", + "grpc_core_credentials", "grpc_credentials_util", "grpc_public_hdrs", "grpc_security_base", diff --git a/grpc.def b/grpc.def index e168d98ee6b..11f633d3d19 100644 --- a/grpc.def +++ b/grpc.def @@ -70,6 +70,9 @@ EXPORTS grpc_tls_credentials_options_set_crl_directory grpc_tls_credentials_options_set_verify_server_cert grpc_tls_credentials_options_set_send_client_ca_list + grpc_ssl_session_cache_create_lru + grpc_ssl_session_cache_destroy + grpc_ssl_session_cache_create_channel_arg grpc_insecure_credentials_create grpc_insecure_server_credentials_create grpc_xds_credentials_create @@ -169,9 +172,6 @@ EXPORTS grpc_auth_context_add_property grpc_auth_context_add_cstring_property grpc_auth_context_set_peer_identity_property_name - grpc_ssl_session_cache_create_lru - grpc_ssl_session_cache_destroy - grpc_ssl_session_cache_create_channel_arg grpc_set_ssl_roots_override_callback grpc_max_auth_token_lifetime grpc_call_set_credentials diff --git a/include/grpc/credentials.h b/include/grpc/credentials.h index 60ab84314d9..2a2fcc4df5a 100644 --- a/include/grpc/credentials.h +++ b/include/grpc/credentials.h 
@@ -1053,6 +1053,27 @@ GRPCAPI void grpc_tls_credentials_options_set_verify_server_cert( GRPCAPI void grpc_tls_credentials_options_set_send_client_ca_list( grpc_tls_credentials_options* options, bool send_client_ca_list); +/** --- SSL Session Cache. --- + + A SSL session cache object represents a way to cache client sessions + between connections. Only ticket-based resumption is supported. */ + +typedef struct grpc_ssl_session_cache grpc_ssl_session_cache; + +/** Create LRU cache for client-side SSL sessions with the given capacity. + If capacity is < 1, a default capacity is used instead. */ +GRPCAPI grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru( + size_t capacity); + +/** Destroy SSL session cache. */ +GRPCAPI void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache); + +/** Create a channel arg with the given cache object. */ +GRPCAPI grpc_arg +grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache* cache); + +/** --- insecure credentials --- */ + /** * EXPERIMENTAL API - Subject to change * diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index a8777371b0b..cc935d43162 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h 
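Review bot: The doc comments on the three `grpc_ssl_session_cache_*` declarations added to credentials.h do not state ownership or lifetime, and that matters here because the cache holds TLS session tickets that let a client resume without a full handshake. The comment on `grpc_ssl_session_cache_create_channel_arg` should say whether the returned `grpc_arg` takes its own reference or the caller must keep `cache` alive until every channel created with it is gone, and the comment on `grpc_ssl_session_cache_destroy` should say whether it is safe to call while channels still use the cache. The implementation is not part of this diff, so the wording needs to be checked against it. If it matches the intended usage, a caveat such as `/** The cache stores resumable session state; use a separate cache for channels with different credentials or trust settings. */` would help integrators. The same declarations are removed from include/grpc/grpc_security.h in the next hunk, so callers that include only that header keep building only if it pulls in credentials.h, which is not visible here; separately, "A SSL" should read "An SSL".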
@@ -104,25 +104,6 @@ GRPCAPI void grpc_auth_context_add_cstring_property(grpc_auth_context* ctx, GRPCAPI int grpc_auth_context_set_peer_identity_property_name( grpc_auth_context* ctx, const char* name); -/** --- SSL Session Cache. --- - - A SSL session cache object represents a way to cache client sessions - between connections. Only ticket-based resumption is supported. */ - -typedef struct grpc_ssl_session_cache grpc_ssl_session_cache; - -/** Create LRU cache for client-side SSL sessions with the given capacity. - If capacity is < 1, a default capacity is used instead. */ -GRPCAPI grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru( - size_t capacity); - -/** Destroy SSL session cache. */ -GRPCAPI void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache); - -/** Create a channel arg with the given cache object. */ -GRPCAPI grpc_arg -grpc_ssl_session_cache_create_channel_arg(grpc_ssl_session_cache* cache); - /** Callback for getting the SSL roots override from the application. In case of success, *pem_roots_certs must be set to a NULL terminated string containing the list of PEM encoded root certificates. The ownership is passed diff --git a/src/core/lib/security/security_connector/ssl_utils.cc b/src/core/lib/security/security_connector/ssl_utils.cc index 24c57bc1df7..91d481f4cf3 100644 --- a/src/core/lib/security/security_connector/ssl_utils.cc +++ b/src/core/lib/security/security_connector/ssl_utils.cc @@ -31,6 +31,7 @@ #include "absl/strings/str_cat.h" #include "absl/strings/str_split.h" +#include #include #include #include diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.c b/src/ruby/ext/grpc/rb_grpc_imports.generated.c index 80d0811f007..2d2a883d45f 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.c +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.c 
@@ -93,6 +93,9 @@ grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_opt grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import; grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import; grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import; +grpc_ssl_session_cache_create_lru_type grpc_ssl_session_cache_create_lru_import; +grpc_ssl_session_cache_destroy_type grpc_ssl_session_cache_destroy_import; +grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_create_channel_arg_import; grpc_insecure_credentials_create_type grpc_insecure_credentials_create_import; grpc_insecure_server_credentials_create_type grpc_insecure_server_credentials_create_import; grpc_xds_credentials_create_type grpc_xds_credentials_create_import; @@ -192,9 +195,6 @@ grpc_auth_context_release_type grpc_auth_context_release_import; grpc_auth_context_add_property_type grpc_auth_context_add_property_import; grpc_auth_context_add_cstring_property_type grpc_auth_context_add_cstring_property_import; grpc_auth_context_set_peer_identity_property_name_type grpc_auth_context_set_peer_identity_property_name_import; -grpc_ssl_session_cache_create_lru_type grpc_ssl_session_cache_create_lru_import; -grpc_ssl_session_cache_destroy_type grpc_ssl_session_cache_destroy_import; -grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_create_channel_arg_import; grpc_set_ssl_roots_override_callback_type grpc_set_ssl_roots_override_callback_import; grpc_max_auth_token_lifetime_type grpc_max_auth_token_lifetime_import; grpc_call_set_credentials_type grpc_call_set_credentials_import; 
@@ -383,6 +383,9 @@ void grpc_rb_load_imports(HMODULE library) { grpc_tls_credentials_options_set_crl_directory_import = (grpc_tls_credentials_options_set_crl_directory_type) GetProcAddress(library, "grpc_tls_credentials_options_set_crl_directory"); grpc_tls_credentials_options_set_verify_server_cert_import = (grpc_tls_credentials_options_set_verify_server_cert_type) GetProcAddress(library, "grpc_tls_credentials_options_set_verify_server_cert"); grpc_tls_credentials_options_set_send_client_ca_list_import = (grpc_tls_credentials_options_set_send_client_ca_list_type) GetProcAddress(library, "grpc_tls_credentials_options_set_send_client_ca_list"); + grpc_ssl_session_cache_create_lru_import = (grpc_ssl_session_cache_create_lru_type) GetProcAddress(library, "grpc_ssl_session_cache_create_lru"); + grpc_ssl_session_cache_destroy_import = (grpc_ssl_session_cache_destroy_type) GetProcAddress(library, "grpc_ssl_session_cache_destroy"); + grpc_ssl_session_cache_create_channel_arg_import = (grpc_ssl_session_cache_create_channel_arg_type) GetProcAddress(library, "grpc_ssl_session_cache_create_channel_arg"); grpc_insecure_credentials_create_import = (grpc_insecure_credentials_create_type) GetProcAddress(library, "grpc_insecure_credentials_create"); grpc_insecure_server_credentials_create_import = (grpc_insecure_server_credentials_create_type) GetProcAddress(library, "grpc_insecure_server_credentials_create"); grpc_xds_credentials_create_import = (grpc_xds_credentials_create_type) GetProcAddress(library, "grpc_xds_credentials_create"); 
@@ -482,9 +485,6 @@ void grpc_rb_load_imports(HMODULE library) { grpc_auth_context_add_property_import = (grpc_auth_context_add_property_type) GetProcAddress(library, "grpc_auth_context_add_property"); grpc_auth_context_add_cstring_property_import = (grpc_auth_context_add_cstring_property_type) GetProcAddress(library, "grpc_auth_context_add_cstring_property"); grpc_auth_context_set_peer_identity_property_name_import = (grpc_auth_context_set_peer_identity_property_name_type) GetProcAddress(library, "grpc_auth_context_set_peer_identity_property_name"); - grpc_ssl_session_cache_create_lru_import = (grpc_ssl_session_cache_create_lru_type) GetProcAddress(library, "grpc_ssl_session_cache_create_lru"); - grpc_ssl_session_cache_destroy_import = (grpc_ssl_session_cache_destroy_type) GetProcAddress(library, "grpc_ssl_session_cache_destroy"); - grpc_ssl_session_cache_create_channel_arg_import = (grpc_ssl_session_cache_create_channel_arg_type) GetProcAddress(library, "grpc_ssl_session_cache_create_channel_arg"); grpc_set_ssl_roots_override_callback_import = (grpc_set_ssl_roots_override_callback_type) GetProcAddress(library, "grpc_set_ssl_roots_override_callback"); grpc_max_auth_token_lifetime_import = (grpc_max_auth_token_lifetime_type) GetProcAddress(library, "grpc_max_auth_token_lifetime"); grpc_call_set_credentials_import = (grpc_call_set_credentials_type) GetProcAddress(library, "grpc_call_set_credentials"); diff --git a/src/ruby/ext/grpc/rb_grpc_imports.generated.h b/src/ruby/ext/grpc/rb_grpc_imports.generated.h index ec3e4d4a8d3..4cf1d5ee804 100644 --- a/src/ruby/ext/grpc/rb_grpc_imports.generated.h +++ b/src/ruby/ext/grpc/rb_grpc_imports.generated.h 
@@ -255,6 +255,15 @@ extern grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credent typedef void(*grpc_tls_credentials_options_set_send_client_ca_list_type)(grpc_tls_credentials_options* options, bool send_client_ca_list); extern grpc_tls_credentials_options_set_send_client_ca_list_type grpc_tls_credentials_options_set_send_client_ca_list_import; #define grpc_tls_credentials_options_set_send_client_ca_list grpc_tls_credentials_options_set_send_client_ca_list_import +typedef grpc_ssl_session_cache*(*grpc_ssl_session_cache_create_lru_type)(size_t capacity); +extern grpc_ssl_session_cache_create_lru_type grpc_ssl_session_cache_create_lru_import; +#define grpc_ssl_session_cache_create_lru grpc_ssl_session_cache_create_lru_import +typedef void(*grpc_ssl_session_cache_destroy_type)(grpc_ssl_session_cache* cache); +extern grpc_ssl_session_cache_destroy_type grpc_ssl_session_cache_destroy_import; +#define grpc_ssl_session_cache_destroy grpc_ssl_session_cache_destroy_import +typedef grpc_arg(*grpc_ssl_session_cache_create_channel_arg_type)(grpc_ssl_session_cache* cache); +extern grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_create_channel_arg_import; +#define grpc_ssl_session_cache_create_channel_arg grpc_ssl_session_cache_create_channel_arg_import typedef grpc_channel_credentials*(*grpc_insecure_credentials_create_type)(); extern grpc_insecure_credentials_create_type grpc_insecure_credentials_create_import; #define grpc_insecure_credentials_create grpc_insecure_credentials_create_import 
@@ -552,15 +561,6 @@ extern grpc_auth_context_add_cstring_property_type grpc_auth_context_add_cstring typedef int(*grpc_auth_context_set_peer_identity_property_name_type)(grpc_auth_context* ctx, const char* name); extern grpc_auth_context_set_peer_identity_property_name_type grpc_auth_context_set_peer_identity_property_name_import; #define grpc_auth_context_set_peer_identity_property_name grpc_auth_context_set_peer_identity_property_name_import -typedef grpc_ssl_session_cache*(*grpc_ssl_session_cache_create_lru_type)(size_t capacity); -extern grpc_ssl_session_cache_create_lru_type grpc_ssl_session_cache_create_lru_import; -#define grpc_ssl_session_cache_create_lru grpc_ssl_session_cache_create_lru_import -typedef void(*grpc_ssl_session_cache_destroy_type)(grpc_ssl_session_cache* cache); -extern grpc_ssl_session_cache_destroy_type grpc_ssl_session_cache_destroy_import; -#define grpc_ssl_session_cache_destroy grpc_ssl_session_cache_destroy_import -typedef grpc_arg(*grpc_ssl_session_cache_create_channel_arg_type)(grpc_ssl_session_cache* cache); -extern grpc_ssl_session_cache_create_channel_arg_type grpc_ssl_session_cache_create_channel_arg_import; -#define grpc_ssl_session_cache_create_channel_arg grpc_ssl_session_cache_create_channel_arg_import typedef void(*grpc_set_ssl_roots_override_callback_type)(grpc_ssl_roots_override_callback cb); extern grpc_set_ssl_roots_override_callback_type grpc_set_ssl_roots_override_callback_import; #define grpc_set_ssl_roots_override_callback grpc_set_ssl_roots_override_callback_import diff --git a/test/cpp/end2end/ssl_credentials_test.cc b/test/cpp/end2end/ssl_credentials_test.cc index a0b8d5c0dd2..82cba482ca0 100644 --- a/test/cpp/end2end/ssl_credentials_test.cc +++ b/test/cpp/end2end/ssl_credentials_test.cc @@ -22,6 +22,7 @@ #include "absl/synchronization/notification.h" +#include #include #include #include