diff --git a/config/options.go b/config/options.go
index d2b972c58..345d0e914 100644
--- a/config/options.go
+++ b/config/options.go
@@ -1509,8 +1509,6 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 if settings.IdpAccessTokenAllowedAudiences != nil {
 values := slices.Clone(settings.IdpAccessTokenAllowedAudiences.Values)
 o.IDPAccessTokenAllowedAudiences = &values
- } else {
- o.IDPAccessTokenAllowedAudiences = nil
 }
 setSlice(&o.AuthorizeURLStrings, settings.AuthorizeServiceUrls)
 set(&o.AuthorizeInternalURLString, settings.AuthorizeInternalServiceUrl)
@@ -1520,7 +1518,7 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 set(&o.SigningKey, settings.SigningKey)
 setMap(&o.SetResponseHeaders, settings.SetResponseHeaders)
 setMap(&o.JWTClaimsHeaders, settings.JwtClaimsHeaders)
- o.BearerTokenFormat = BearerTokenFormatFromPB(settings.BearerTokenFormat)
+ setOptional(&o.BearerTokenFormat, BearerTokenFormatFromPB(settings.BearerTokenFormat))
 if len(settings.JwtGroupsFilter) > 0 {
 o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
 }
diff --git a/config/options_test.go b/config/options_test.go
index 06e7f24ba..90b21bcbd 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -924,6 +924,8 @@ func TestOptions_GetAllRouteableHTTPHosts(t *testing.T) {
 }
 
 func TestOptions_ApplySettings(t *testing.T) {
+ t.Parallel()
+
 ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second)
 defer clearTimeout()
 
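Review bot: In config/options.go, dropping the `else` branch (and switching `BearerTokenFormat` to `setOptional` in the next hunk) means a `Settings` message that omits `IdpAccessTokenAllowedAudiences` no longer resets the option, so ApplySettings has no way left to clear a previously applied audience allowlist. If the same `Options` value is ever passed through ApplySettings more than once (the caller is outside this hunk), an audience that an operator removes by deleting the field would keep being accepted until the options are rebuilt. A comment above the `if` would make the contract explicit, for example `// nil means "not set in this source": keep the current allowlist; only a non-nil list replaces it`. It would also help to state there what a non-nil list with no values means, since `slices.Clone` of an empty `Values` still replaces the option with a pointer to an empty slice. ApplySettings starts and ends outside both hunks.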
@@ -1003,6 +1005,34 @@ func TestOptions_ApplySettings(t *testing.T) {
 })
 assert.Equal(t, JWTIssuerFormatHostOnly, options.JWTIssuerFormat)
 })
+
+ t.Run("bearer_token_format", func(t *testing.T) {
+ t.Parallel()
+
+ options := NewDefaultOptions()
+ assert.Nil(t, options.BearerTokenFormat)
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ BearerTokenFormat: configpb.BearerTokenFormat_BEARER_TOKEN_FORMAT_DEFAULT.Enum(),
+ })
+ assert.Equal(t, ptr(BearerTokenFormatDefault), options.BearerTokenFormat)
+
+ options.ApplySettings(ctx, nil, &configpb.Settings{})
+ assert.Equal(t, ptr(BearerTokenFormatDefault), options.BearerTokenFormat, "should preserve existing bearer token format")
+ })
+
+ t.Run("idp_access_token_allowed_audiences", func(t *testing.T) {
+ t.Parallel()
+
+ options := NewDefaultOptions()
+ assert.Nil(t, options.IDPAccessTokenAllowedAudiences)
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ IdpAccessTokenAllowedAudiences: &configpb.Settings_StringList{Values: []string{"x", "y", "z"}},
+ })
+ assert.Equal(t, ptr([]string{"x", "y", "z"}), options.IDPAccessTokenAllowedAudiences)
+ options.ApplySettings(ctx, nil, &configpb.Settings{})
+ assert.Equal(t, ptr([]string{"x", "y", "z"}), options.IDPAccessTokenAllowedAudiences,
+ "should preserve idp access token allowed audiences")
+ })
 }
 
 func TestOptions_GetSetResponseHeaders(t *testing.T) {
@@ -1762,3 +1792,7 @@ func must[T any](t T, err error) T {
 }
 return t
 }
+
+func ptr[T any](v T) *T {
+ return &v
+}
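Review bot: The two new subtests call `t.Parallel()` but use the `ctx` created in the parent, whose `defer clearTimeout()` (visible in the preceding hunk) runs when the parent function body returns, which is before paused parallel subtests resume; they therefore call `ApplySettings` with an already-cancelled context. Whether ApplySettings reacts to cancellation is not visible here, but the test should not depend on that: replace the defer with `t.Cleanup(clearTimeout)`, which runs after all subtests finish, or derive the context inside each subtest. The one-second deadline is also shared across everything that now runs in parallel. TestOptions_ApplySettings starts before this hunk.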