diff --git a/shared/envoy/bootstrap.yaml b/shared/envoy/bootstrap.yaml
index 0807649b..67411308 100644
--- a/shared/envoy/bootstrap.yaml
+++ b/shared/envoy/bootstrap.yaml
@@ -1,6 +1,7 @@
 # Envoy bootstrap configuration for xDS-managed proxy
 # This config connects to a control plane for dynamic configuration management
-# Requires: INST_NAME, METRO_NAME, XDS_SERVER, XDS_JWT environment variables
+# Requires: INST_NAME, METRO_NAME, XDS_SERVER, and KERNEL_INSTANCE_JWT
+# environment variables
 # Node identity sent to xDS server for configuration targeting, authenticated by JWT
 node:
@@ -21,7 +22,7 @@ dynamic_resources:
 # Send JWT authentication for all xDS requests
 initial_metadata:
 - key: "authorization"
- value: "Bearer {XDS_JWT}"
+ value: "Bearer {KERNEL_INSTANCE_JWT}"
 # Listener Discovery Service and Cluster Discovery Service use ADS
 lds_config:
diff --git a/shared/envoy/init-envoy.sh b/shared/envoy/init-envoy.sh
index 2fd34b89..c27a3f25 100644
--- a/shared/envoy/init-envoy.sh
+++ b/shared/envoy/init-envoy.sh
@@ -2,8 +2,12 @@
 set -o pipefail -o errexit -o nounset
+# The browser instance JWT is the sole token contract for xDS and host-local
+# services in the image runtime.
+INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}"
+
 # Check for required environment variables, to see if envoy is enabled
-if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${XDS_JWT:-}" ]]; then
+if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then
 echo "[envoy-init] Required environment variables not set. Skipping Envoy initialization."
 exit 0
 fi
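Review bot: The `value: "Bearer {KERNEL_INSTANCE_JWT}"` placeholder only works because init-envoy.sh substitutes it with sed at startup, and nothing in this file records that coupling; a rename on either side would leave the literal text `{KERNEL_INSTANCE_JWT}` as the bearer token, which the control plane would presumably reject. I would add a comment above the `initial_metadata:` entry, `# {KERNEL_INSTANCE_JWT} is replaced by init-envoy.sh at startup; keep the name in sync with its sed expression`. The header comment in the first hunk already lists the variable, so pointing to that line is an alternative.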
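Review bot: After the rename, a deployment that still exports the old `XDS_JWT` but not `KERNEL_INSTANCE_JWT` takes the `exit 0` branch and Envoy is silently skipped with a message that does not name the missing variable, which makes the migration hard to diagnose. A one-line hint before the check would surface it: `if [[ -n "${XDS_JWT:-}" && -z "$INSTANCE_JWT" ]]; then echo "[envoy-init] XDS_JWT is no longer read; set KERNEL_INSTANCE_JWT" >&2; fi`. Since `INSTANCE_JWT` is assigned unconditionally a few lines earlier, the `${INSTANCE_JWT:-}` form in the condition can be plain `"$INSTANCE_JWT"` even under nounset. The script continues past this hunk.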
@@ -55,15 +59,15 @@ else
 fi
 # Render template with provided environment variables
-echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, XDS_JWT=***"
+echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***"
 inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
 metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
 xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g')
-jwt_esc=$(printf '%s' "$XDS_JWT" | sed -e 's/[\/&]/\\&/g')
+jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g')
 sed -e "s|{INST_NAME}|$inst_esc|g" \
 -e "s|{METRO_NAME}|$metro_esc|g" \
 -e "s|{XDS_SERVER}|$xds_esc|g" \
- -e "s|{XDS_JWT}|$jwt_esc|g" \
+ -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \
 /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
 echo "[envoy-init] Starting Envoy via supervisord"
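Review bot: `jwt_esc` escapes `/` and `&` for a sed expression whose delimiter is `|`, so the escaping does not match the delimiter, and a backslash in the value is passed through unescaped as well; a well-formed JWT (base64url segments joined by `.`) contains none of those characters, but the script never checks that, so a malformed or wrong-type value would corrupt the rendered YAML instead of failing clearly. A guard before rendering makes the assumption explicit: `[[ "$INSTANCE_JWT" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "[envoy-init] KERNEL_INSTANCE_JWT has unexpected characters; refusing to render" >&2; exit 1; }`. The rendered `/etc/envoy/bootstrap.yaml` carries the token in plaintext and its file mode is not visible in this hunk, so confirm the redirect runs under a restrictive umask or the file is tightened afterwards. The same delimiter mismatch applies to `inst_esc`, `metro_esc` and `xds_esc` on the context lines above.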