diff --git a/transport/http/dial.go b/transport/http/dial.go
index 7e322a17c68..4c340aac8f6 100644
--- a/transport/http/dial.go
+++ b/transport/http/dial.go
@@ -11,6 +11,7 @@ import (
 "context"
 "crypto/tls"
 "errors"
+ "fmt"
 "net"
 "net/http"
 "time"
@@ -88,6 +89,13 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
 if err != nil {
 return nil, err
 }
+ credsUniverseDomain, err := creds.GetUniverseDomain()
+ if err != nil {
+ return nil, err
+ }
+ if settings.GetUniverseDomain() != credsUniverseDomain {
+ return nil, errUniverseNotMatch(settings.GetUniverseDomain(), credsUniverseDomain)
+ }
 paramTransport.quotaProject = internal.GetQuotaProject(creds, settings.QuotaProject)
 ts := creds.TokenSource
 if settings.ImpersonationConfig == nil && settings.TokenSource != nil {
@@ -101,6 +109,15 @@ func newTransport(ctx context.Context, base http.RoundTripper, settings *interna
 return trans, nil
 }
 
+func errUniverseNotMatch(settingsUD, credsUD string) error {
+ return fmt.Errorf(
+ "the configured universe domain (%q) does not match the universe "+
+ "domain found in the credentials (%q). If you haven't configured "+
+ "WithUniverseDomain explicitly, googleapis.com is the default",
+ settingsUD,
+ credsUD)
+}
+
 func newSettings(opts []option.ClientOption) (*internal.DialSettings, error) {
 var o internal.DialSettings
 for _, opt := range opts {
diff --git a/transport/http/dial_test.go b/transport/http/dial_test.go
index 9eafa558588..27e1e416bcf 100644
--- a/transport/http/dial_test.go
+++ b/transport/http/dial_test.go
@@ -11,6 +11,8 @@ import (
 
 "go.opencensus.io/plugin/ochttp"
 "golang.org/x/oauth2"
+ "golang.org/x/oauth2/google"
+ "google.golang.org/api/option"
 )
 
 func TestNewClient(t *testing.T) {
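Review bot: The universe-domain comparison in newTransport validates `creds`, but the context lines right after it (`ts := creds.TokenSource`, then `if settings.ImpersonationConfig == nil && settings.TokenSource != nil {`) suggest the token source may afterwards be replaced by `settings.TokenSource`, which is not what was compared. That branch's body is outside the hunk, so this needs confirming; if the override can supply a token from another universe, the guard does not cover the token that is actually attached to requests. I would also add a why-comment above the comparison, for example `// Fail closed: do not attach a token to requests for a universe other than the one the credentials belong to.`, and give the lookup error some context with `return nil, fmt.Errorf("reading credentials universe domain: %w", err)`. newTransport starts and ends outside this hunk.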
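Review bot: errUniverseNotMatch has no doc comment and builds a fresh error on every call, so a caller can recognise a universe mismatch only by comparing message text, which is what the new test in dial_test.go does. A comment such as `// errUniverseNotMatch reports that the universe domain configured on the client differs from the one carried by the credentials.` would document it, and wrapping a package-level sentinel with `%w` would let callers use `errors.Is` instead of string matching. The message also spells out `googleapis.com` as the default; if the package already has a constant for that default, formatting it in would keep the text from drifting.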
@@ -37,3 +39,17 @@ func TestNewClient(t *testing.T) {
 t.Fatalf("got %s, want: %s", got, want)
 }
 }
+
+func TestNewClient_MismatchedUniverseDomainCreds(t *testing.T) {
+ rootTokenScope := "https://www.googleapis.com/auth/cloud-platform"
+ universeDomain := "example.com"
+ universeDomainDefault := "googleapis.com"
+ creds := &google.Credentials{} // universeDomainDefault
+ wantErr := errUniverseNotMatch(universeDomain, universeDomainDefault)
+ _, _, err := NewClient(context.Background(), option.WithUniverseDomain(universeDomain),
+ option.WithCredentials(creds), option.WithScopes(rootTokenScope))
+
+ if err.Error() != wantErr.Error() {
+ t.Fatalf("got: %v, want: %v", err, wantErr)
+ }
+}
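Review bot: `err.Error()` is called in TestNewClient_MismatchedUniverseDomainCreds without first checking that `err` is non-nil, so if NewClient ever stops rejecting the mismatched universe domain the test panics on a nil error instead of reporting a clean failure. Add `if err == nil { t.Fatal("NewClient succeeded, want universe domain mismatch error") }` before the comparison. Only the reject path is covered here; a companion case where the configured and credential domains agree would pin the accept path as well, though that may need credentials this test cannot construct.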