diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml index 41692969c3..2bd07cf59a 100644 --- a/test/start-additional-kas/action.yaml +++ b/test/start-additional-kas/action.yaml @@ -34,6 +34,14 @@ inputs: default: "text" description: 'Log format type (text, json)' required: false + dpop-challenge-enabled: + default: "false" + description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)' + required: false + dpop-enforce-required: + default: "false" + description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)' + required: false outputs: log-file: @@ -54,6 +62,8 @@ runs: ROOT_KEY: ${{ inputs.root-key }} LOG_LEVEL: ${{ inputs.log-level }} LOG_TYPE: ${{ inputs.log-type }} + DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }} + DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }} run: | # Validate kas-port (must be a valid port number 1-65535) if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( KAS_PORT < 1 || KAS_PORT > 65535 )); then @@ -122,6 +132,26 @@ runs: exit 1 ;; esac + + # Validate dpop-challenge-enabled (must be true or false) + case "${DPOP_CHALLENGE_ENABLED}" in + true|false) + ;; + *) + echo "Error: dpop-challenge-enabled must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate dpop-enforce-required (must be true or false) + case "${DPOP_ENFORCE_REQUIRED}" in + true|false) + ;; + *) + echo "Error: dpop-enforce-required must be 'true' or 'false'." + exit 1 + ;; + esac - name: Set log file path id: log-path shell: bash @@ -143,6 +173,8 @@ runs: ROOT_KEY: ${{ inputs.root-key }} LOG_LEVEL: ${{ inputs.log-level }} LOG_TYPE: ${{ inputs.log-type }} + DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }} + DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }} with: run: | # Disable PQC if key files weren't generated by the platform 
@@ -164,6 +196,8 @@ runs: | del(.services.kas.root_key) | (.logger.level = env(LOG_LEVEL)) | (.logger.type = env(LOG_TYPE)) + | (.server.auth.dpop.require_nonce = (env(DPOP_CHALLENGE_ENABLED) == "true")) + | with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true) | (.sdk_config = {"client_id":"opentdf","client_secret":"secret","core":{"endpoint":"http://localhost:8080","plaintext":true}}) ' opentdf-dev.yaml > opentdf-${KAS_NAME}.yaml if [ "${KEY_MANAGEMENT}" == "true" ]; then diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml index 33ccd5cec7..0a773fbe03 100644 --- a/test/start-up-with-containers/action.yaml +++ b/test/start-up-with-containers/action.yaml @@ -35,6 +35,10 @@ inputs: default: "false" description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)' required: false + dpop-enforce-required: + default: "false" + description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)' + required: false outputs: platform-working-dir: @@ -58,6 +62,7 @@ runs: LOG_TYPE: ${{ inputs.log-type }} PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }} DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }} + DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }} run: | # Validate platform-ref (must contain only safe characters for a git ref) if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then @@ -130,6 +135,16 @@ runs: exit 1 ;; esac + + # Validate dpop-enforce-required (must be true or false) + case "${DPOP_ENFORCE_REQUIRED}" in + true|false) + ;; + *) + echo "Error: dpop-enforce-required must be 'true' or 'false'." + exit 1 + ;; + esac - name: Check out platform uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
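Review bot: The two DPoP settings are written asymmetrically in the yq pipeline: `.server.auth.dpop.require_nonce` is always assigned `(env(DPOP_CHALLENGE_ENABLED) == "true")`, so the input fully determines it, while `.server.auth.dpop.enforce` is only touched inside `with(select(...))` when the input is `"true"`, so with the default `"false"` the key keeps whatever opentdf-dev.yaml already holds. If that base file ever enables enforcement, a caller passing `dpop-enforce-required: "false"` would still get an enforcing KAS; `| (.server.auth.dpop.enforce = (env(DPOP_ENFORCE_REQUIRED) == "true"))` makes the false state explicit and reads the same as the line above it. Note also that yq's `env()` parses the variable as YAML, so a `"true"` value arrives as a boolean and the comparison appears to rely on yq comparing scalar values textually; `strenv()` would state the intended string comparison explicitly. The `run:` block this pipeline belongs to starts and ends outside the hunk.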
@@ -281,6 +296,12 @@ runs: run: | yq e '.server.auth.dpop.require_nonce = true' -i opentdf.yaml working-directory: otdf-test-platform + - name: Enable DPoP enforcement + shell: bash + if: ${{ inputs.dpop-enforce-required == 'true' }} + run: | + yq e '.server.auth.dpop.enforce = true' -i opentdf.yaml + working-directory: otdf-test-platform - name: Overlay DPoP-capable Keycloak (26.2) # The default docker-compose pins Keycloak 25 so downstream consumers stay on # it; DPoP testing needs Keycloak 26.2 plus the admin-fine-grained-authz:v1
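Review bot: The new "Enable DPoP enforcement" step only ever writes `enforce: true`; when `dpop-enforce-required` is `false` the step is skipped and the key keeps whatever the checked-out opentdf.yaml already contains, so the input can switch enforcement on but cannot guarantee it is off. That mirrors the existing require_nonce step above it, but if the platform config ever ships with enforcement enabled, a caller asking for `"false"` would silently test against an enforcing server. If that matters, drop the `if:` and write the value unconditionally, `yq e '.server.auth.dpop.enforce = (strenv(DPOP_ENFORCE_REQUIRED) == "true")' -i opentdf.yaml`, with `DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}` under the step's `env:` (the same validated value the first step already checks). A short comment on the step would also help downstream users, e.g. `# With enforce: true the platform rejects access tokens that are not DPoP-bound, so later steps that call the platform presumably need a DPoP proof — confirm against the platform auth config`.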