diff --git a/sdk/auth/token_adding_interceptor.go b/sdk/auth/token_adding_interceptor.go
index 18a438c8f1..1add0c7c11 100644
--- a/sdk/auth/token_adding_interceptor.go
+++ b/sdk/auth/token_adding_interceptor.go
@@ -25,6 +25,8 @@ const (
 	JTILength = 14
 )
 
+// Deprecated: NewTokenAddingInterceptor is deprecated, use NewTokenAddingInterceptorWithClient instead. A http client
+// can be constructed using httputil.SafeHTTPClientWithTLSConfig, but should be reused as much as possible.
 func NewTokenAddingInterceptor(t AccessTokenSource, c *tls.Config) TokenAddingInterceptor {
 	return NewTokenAddingInterceptorWithClient(t, httputil.SafeHTTPClientWithTLSConfig(c))
 }
diff --git a/sdk/auth/token_adding_interceptor_test.go b/sdk/auth/token_adding_interceptor_test.go
index 307ae1c4ae..4b074edfa7 100644
--- a/sdk/auth/token_adding_interceptor_test.go
+++ b/sdk/auth/token_adding_interceptor_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/opentdf/platform/protocol/go/kas"
+	"github.com/opentdf/platform/sdk/httputil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
@@ -42,9 +43,9 @@ func TestAddingTokensToOutgoingRequest(t *testing.T) {
 		accessToken: "thisisafakeaccesstoken",
 	}
 	server := FakeAccessServiceServer{}
-	oo := NewTokenAddingInterceptor(&ts, &tls.Config{
+	oo := NewTokenAddingInterceptorWithClient(&ts, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{
 		MinVersion: tls.VersionTLS12,
-	})
+	}))
 	client, stop := runServer(&server, oo)
 	defer stop()
 
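Review bot: The new doc comment on NewTokenAddingInterceptor puts the `Deprecated:` marker into its only paragraph, so the function loses its summary line, and "A http client" should read "An HTTP client". Go convention is a summary sentence starting with the name, a blank `//` line, and then a paragraph that begins `// Deprecated: use NewTokenAddingInterceptorWithClient instead.`; the guidance about reusing a client built with httputil.SafeHTTPClientWithTLSConfig belongs in that same paragraph. It would also help callers to state the reason for the deprecation, which is visible in the body: this wrapper builds a fresh HTTP client, with its own connection pool, on every call, so repeated callers get no connection reuse.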
@@ -97,9 +98,9 @@ func TestAddingTokensToOutgoingRequest(t *testing.T) { func Test_InvalidCredentials_DoesNotSendMessage(t *testing.T) { ts := FakeTokenSource{key: nil, accessToken: ""} server := FakeAccessServiceServer{} - oo := NewTokenAddingInterceptor(&ts, &tls.Config{ + oo := NewTokenAddingInterceptorWithClient(&ts, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{ MinVersion: tls.VersionTLS12, - }) + })) client, stop := runServer(&server, oo) defer stop() diff --git a/service/internal/auth/authn_test.go b/service/internal/auth/authn_test.go index b28d011f24..83e78663c6 100644 --- a/service/internal/auth/authn_test.go +++ b/service/internal/auth/authn_test.go @@ -29,6 +29,7 @@ import ( "github.com/opentdf/platform/protocol/go/kas" "github.com/opentdf/platform/protocol/go/kas/kasconnect" sdkauth "github.com/opentdf/platform/sdk/auth" + "github.com/opentdf/platform/sdk/httputil" "github.com/opentdf/platform/service/internal/server/memhttp" "github.com/opentdf/platform/service/logger" ctxAuth "github.com/opentdf/platform/service/pkg/auth" @@ -458,12 +459,12 @@ func (s *AuthSuite) TestDPoPEndToEnd_GRPC() { server := memhttp.New(mux) defer server.Close() - addingInterceptor := sdkauth.NewTokenAddingInterceptor(&FakeTokenSource{ + addingInterceptor := sdkauth.NewTokenAddingInterceptorWithClient(&FakeTokenSource{ key: dpopKey, accessToken: string(signedTok), - }, &tls.Config{ + }, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{ MinVersion: tls.VersionTLS12, - }) + })) conn, _ := grpc.NewClient("passthrough://bufconn", grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) { return server.Listener.DialContext(ctx, "tcp", "http://localhost:8080") 
@@ -519,19 +520,19 @@ func (s *AuthSuite) TestDPoPEndToEnd_HTTP() { req, err := http.NewRequest(http.MethodGet, server.URL+"/attributes", nil) - addingInterceptor := sdkauth.NewTokenAddingInterceptor(&FakeTokenSource{ + addingInterceptor := sdkauth.NewTokenAddingInterceptorWithClient(&FakeTokenSource{ key: dpopKey, accessToken: string(signedTok), - }, &tls.Config{ + }, httputil.SafeHTTPClientWithTLSConfig(&tls.Config{ MinVersion: tls.VersionTLS12, - }) + })) s.Require().NoError(err) req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedTok)) dpopTok, err := addingInterceptor.GetDPoPToken(server.URL+"/attributes", "GET", string(signedTok)) s.Require().NoError(err) req.Header.Set("DPoP", dpopTok) - client := http.Client{} + client := httputil.SafeHTTPClient() // use safe client to help validate the client _, err = client.Do(req) s.Require().NoError(err) var dpopKeyFromRequest jwk.Key diff --git a/service/pkg/server/start.go b/service/pkg/server/start.go index 9247ea49c6..ced31f5282 100644 --- a/service/pkg/server/start.go +++ b/service/pkg/server/start.go @@ -17,6 +17,7 @@ import ( "github.com/opentdf/platform/sdk" sdkauth "github.com/opentdf/platform/sdk/auth" "github.com/opentdf/platform/sdk/auth/oauth" + "github.com/opentdf/platform/sdk/httputil" "github.com/opentdf/platform/service/internal/auth" "github.com/opentdf/platform/service/internal/config" "github.com/opentdf/platform/service/internal/server" @@ -231,7 +232,8 @@ func Start(f ...StartOptions) error { return fmt.Errorf("error creating ERS tokensource: %w", err) } - interceptor := sdkauth.NewTokenAddingInterceptor(ts, tlsConfig) + interceptor := sdkauth.NewTokenAddingInterceptorWithClient(ts, + httputil.SafeHTTPClientWithTLSConfig(tlsConfig)) ersDialOptions = append(ersDialOptions, grpc.WithChainUnaryInterceptor(interceptor.AddCredentials)) }
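Review bot: The trailing comment on the new `client := httputil.SafeHTTPClient()` line, "use safe client to help validate the client", does not say what is validated or against what, so a reader cannot tell whether the test is checking the client or merely using it. If the intent is that the HTTP round trip should go through the same hardened client the SDK now passes to NewTokenAddingInterceptorWithClient rather than a zero-value http.Client, say so: `client := httputil.SafeHTTPClient() // same hardened client the SDK uses; a zero-value http.Client would not exercise it`. Separately, the `err` from http.NewRequest is still only checked after the interceptor has been built; moving `s.Require().NoError(err)` directly under the NewRequest call would fail earlier and more clearly, though that ordering predates this change. TestDPoPEndToEnd_HTTP starts and ends outside the hunk.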
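Review bot: The client is constructed inline at the call site, `httputil.SafeHTTPClientWithTLSConfig(tlsConfig)`, and no reference to it is kept, so nothing else in Start can reuse it, while the deprecation note added to token_adding_interceptor.go in this same change says such clients should be reused as much as possible. If Start builds other HTTP clients from the same tlsConfig (not visible here), consider creating one `ersClient := httputil.SafeHTTPClientWithTLSConfig(tlsConfig)` once and passing it here, which also collapses the two-line call back to one line. Whether SafeHTTPClientWithTLSConfig tolerates a nil tlsConfig is not visible in this diff; a short comment at the call site stating that expectation would help the next reader. The enclosing Start function begins and ends outside the hunk.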