diff --git a/git_cl.py b/git_cl.py
index 949baffcdc..e116abf6c4 100755
--- a/git_cl.py
+++ b/git_cl.py
@@ -3902,7 +3902,7 @@ def CMDcreds_check(parser, args):
     """Checks credentials and suggests changes."""
     _, _ = parser.parse_args(args)
 
-    if newauth.Enabled():
+    if newauth.SwitchedOn():
         cl = Changelist()
         try:
             remote_url = cl.GetRemoteUrl()
diff --git a/newauth.py b/newauth.py
index 5a8cf788c5..dd918dc09b 100644
--- a/newauth.py
+++ b/newauth.py
@@ -13,7 +13,7 @@ import scm
 
 def Enabled() -> bool:
     """Returns True if new auth stack is enabled."""
-    if not EnabledInConfig():
+    if not SwitchedOn():
         return False
     if _HasGitcookies():
         _PrintGitcookiesWarning()
@@ -21,6 +21,23 @@ def Enabled() -> bool:
     return True
 
 
+def SwitchedOn() -> bool:
+    """Returns True if new auth stack is "switched on".
+
+    Note that this does not necessarily mean that new auth is enabled.
+    In particular, we still disable new auth if a .gitcookies file is
+    present, to protect bots that haven't been migrated yet.
+    """
+    if Default():
+        return not ExplicitlyDisabled()
+    return ExplicitlyEnabled()
+
+
+def Default() -> bool:
+    "Returns default enablement status for new auth stack."
+    return False
+
+
 def _HasGitcookies() -> bool:
     """Returns True if user has gitcookies file."""
     return os.path.exists(os.path.expanduser('~/.gitcookies'))
@@ -48,8 +65,8 @@ https://issues.chromium.org/issues/new?component=1456702&template=2076315
 ''')
 
 
-def EnabledInConfig() -> bool:
-    """Returns True if new auth stack is enabled.
+def ExplicitlyEnabled() -> bool:
+    """Returns True if new auth stack is explicitly enabled.
 
     Directly checks config and doesn't do gitcookie check.
     """