diff --git a/alts/src/main/java/io/grpc/alts/AltsChannelCredentials.java b/alts/src/main/java/io/grpc/alts/AltsChannelCredentials.java
index ca304c96070..0bb96378ccf 100644
--- a/alts/src/main/java/io/grpc/alts/AltsChannelCredentials.java
+++ b/alts/src/main/java/io/grpc/alts/AltsChannelCredentials.java
@@ -52,6 +52,7 @@ public static Builder newBuilder() {
     return new Builder();
   }
 
+  @ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
   public static final class Builder {
     private final ImmutableList.Builder<String> targetServiceAccountsBuilder =
         ImmutableList.builder();
@@ -131,7 +132,7 @@ public int getDefaultPort() {
 
   private static final AsciiString SCHEME = AsciiString.of("https");
 
-  private static final class FailingProtocolNegotiator implements ProtocolNegotiator {
+  static final class FailingProtocolNegotiator implements ProtocolNegotiator {
     private final Status status;
 
     public FailingProtocolNegotiator(Status status) {
diff --git a/alts/src/main/java/io/grpc/alts/AltsServerBuilder.java b/alts/src/main/java/io/grpc/alts/AltsServerBuilder.java
index f23e6612f9e..108b294e215 100644
--- a/alts/src/main/java/io/grpc/alts/AltsServerBuilder.java
+++ b/alts/src/main/java/io/grpc/alts/AltsServerBuilder.java
@@ -17,32 +17,21 @@
 package io.grpc.alts;
 
 import io.grpc.BindableService;
-import io.grpc.Channel;
 import io.grpc.CompressorRegistry;
 import io.grpc.DecompressorRegistry;
 import io.grpc.ExperimentalApi;
 import io.grpc.HandlerRegistry;
-import io.grpc.Metadata;
 import io.grpc.Server;
 import io.grpc.ServerBuilder;
-import io.grpc.ServerCall;
-import io.grpc.ServerCall.Listener;
-import io.grpc.ServerCallHandler;
 import io.grpc.ServerInterceptor;
 import io.grpc.ServerServiceDefinition;
 import io.grpc.ServerStreamTracer;
 import io.grpc.ServerTransportFilter;
-import io.grpc.Status;
-import io.grpc.alts.internal.AltsProtocolNegotiator;
-import io.grpc.internal.ObjectPool;
-import io.grpc.internal.SharedResourcePool;
 import io.grpc.netty.NettyServerBuilder;
 import java.io.File;
 import java.net.InetSocketAddress;
 import java.util.concurrent.Executor;
 import java.util.concurrent.TimeUnit;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 
 /**
  * gRPC secure server builder used for ALTS. This class adds on the necessary ALTS support to create
@@ -50,12 +39,9 @@
  */
 @ExperimentalApi("https://github.com/grpc/grpc-java/issues/4151")
 public final class AltsServerBuilder extends ServerBuilder<AltsServerBuilder> {
-
-  private static final Logger logger = Logger.getLogger(AltsServerBuilder.class.getName());
   private final NettyServerBuilder delegate;
-  private ObjectPool<Channel> handshakerChannelPool =
-      SharedResourcePool.forResource(HandshakerServiceChannel.SHARED_HANDSHAKER_CHANNEL);
-  private boolean enableUntrustedAlts;
+  private final AltsServerCredentials.Builder credentialsBuilder =
+      new AltsServerCredentials.Builder();
 
   private AltsServerBuilder(NettyServerBuilder nettyDelegate) {
     this.delegate = nettyDelegate;
@@ -72,17 +58,13 @@ public static AltsServerBuilder forPort(int port) {
    * is running on Google Cloud Platform.
    */
   public AltsServerBuilder enableUntrustedAltsForTesting() {
-    enableUntrustedAlts = true;
+    credentialsBuilder.enableUntrustedAltsForTesting();
     return this;
   }
 
   /** Sets a new handshaker service address for testing. */
   public AltsServerBuilder setHandshakerAddressForTesting(String handshakerAddress) {
-    // Instead of using the default shared channel to the handshaker service, create a separate
-    // resource to the test address.
-    handshakerChannelPool =
-        SharedResourcePool.forResource(
-            HandshakerServiceChannel.getHandshakerChannelForTesting(handshakerAddress));
+    credentialsBuilder.setHandshakerAddressForTesting(handshakerAddress);
     return this;
   }
 
@@ -172,40 +154,7 @@ public AltsServerBuilder intercept(ServerInterceptor interceptor) {
   /** {@inheritDoc} */
   @Override
   public Server build() {
-    if (!CheckGcpEnvironment.isOnGcp()) {
-      if (enableUntrustedAlts) {
-        logger.log(
-            Level.WARNING,
-            "Untrusted ALTS mode is enabled and we cannot guarantee the trustworthiness of the "
-                + "ALTS handshaker service");
-      } else {
-        Status status =
-            Status.INTERNAL.withDescription("ALTS is only allowed to run on Google Cloud Platform");
-        delegate.intercept(new FailingServerInterceptor(status));
-      }
-    }
-
-    delegate.protocolNegotiator(
-        AltsProtocolNegotiator.serverAltsProtocolNegotiator(handshakerChannelPool));
+    delegate.protocolNegotiator(credentialsBuilder.buildProtocolNegotiator());
     return delegate.build();
   }
-
-  /** An implementation of {@link ServerInterceptor} that fails each call. */
-  static final class FailingServerInterceptor implements ServerInterceptor {
-
-    private final Status status;
-
-    public FailingServerInterceptor(Status status) {
-      this.status = status;
-    }
-
-    @Override
-    public <ReqT, RespT> Listener<ReqT> interceptCall(
-        ServerCall<ReqT, RespT> serverCall,
-        Metadata metadata,
-        ServerCallHandler<ReqT, RespT> nextHandler) {
-      serverCall.close(status, new Metadata());
-      return new Listener<ReqT>() {};
-    }
-  }
 }
diff --git a/alts/src/main/java/io/grpc/alts/AltsServerCredentials.java b/alts/src/main/java/io/grpc/alts/AltsServerCredentials.java
new file mode 100644
index 00000000000..65a350daadd
--- /dev/null
+++ b/alts/src/main/java/io/grpc/alts/AltsServerCredentials.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2018 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.alts;
+
+import io.grpc.Channel;
+import io.grpc.ExperimentalApi;
+import io.grpc.ServerCredentials;
+import io.grpc.Status;
+import io.grpc.alts.internal.AltsProtocolNegotiator;
+import io.grpc.internal.ObjectPool;
+import io.grpc.internal.SharedResourcePool;
+import io.grpc.netty.InternalNettyServerCredentials;
+import io.grpc.netty.InternalProtocolNegotiator;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * gRPC secure server builder used for ALTS. This class adds on the necessary ALTS support to create
+ * a production server on Google Cloud Platform.
+ */
+@ExperimentalApi("https://github.com/grpc/grpc-java/issues/7621")
+public final class AltsServerCredentials {
+  private static final Logger logger = Logger.getLogger(AltsServerCredentials.class.getName());
+
+  private AltsServerCredentials() {}
+
+  public static ServerCredentials create() {
+    return newBuilder().build();
+  }
+
+  public static Builder newBuilder() {
+    return new Builder();
+  }
+
+  @ExperimentalApi("https://github.com/grpc/grpc-java/issues/7621")
+  public static final class Builder {
+    private ObjectPool<Channel> handshakerChannelPool =
+        SharedResourcePool.forResource(HandshakerServiceChannel.SHARED_HANDSHAKER_CHANNEL);
+    private boolean enableUntrustedAlts;
+
+    /**
+     * Enables untrusted ALTS for testing. If this function is called, we will not check whether
+     * ALTS is running on Google Cloud Platform.
+     */
+    public Builder enableUntrustedAltsForTesting() {
+      enableUntrustedAlts = true;
+      return this;
+    }
+
+    /** Sets a new handshaker service address for testing. */
+    public Builder setHandshakerAddressForTesting(String handshakerAddress) {
+      // Instead of using the default shared channel to the handshaker service, create a separate
+      // resource to the test address.
+      handshakerChannelPool =
+          SharedResourcePool.forResource(
+              HandshakerServiceChannel.getHandshakerChannelForTesting(handshakerAddress));
+      return this;
+    }
+
+    public ServerCredentials build() {
+      return InternalNettyServerCredentials.create(buildProtocolNegotiator());
+    }
+
+    InternalProtocolNegotiator.ProtocolNegotiator buildProtocolNegotiator() {
+      if (!CheckGcpEnvironment.isOnGcp()) {
+        if (enableUntrustedAlts) {
+          logger.log(
+              Level.WARNING,
+              "Untrusted ALTS mode is enabled and we cannot guarantee the trustworthiness of the "
+                  + "ALTS handshaker service");
+        } else {
+          Status status = Status.INTERNAL.withDescription(
+              "ALTS is only allowed to run on Google Cloud Platform");
+          return new AltsChannelCredentials.FailingProtocolNegotiator(status);
+        }
+      }
+
+      return AltsProtocolNegotiator.serverAltsProtocolNegotiator(handshakerChannelPool);
+    }
+  }
+}