diff --git a/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py b/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
index fd22469dc590d..fdf16ce015a92 100644
--- a/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
+++ b/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
@@ -348,12 +348,17 @@ def _get_setting(name, default):
 # INTERNAL FEATURE, might be removed in future versions
 config['_text_filter_blacklist'] = []
 
- # Whether or not to use the service account bearer token for authentication
- # if 'bearer_token_path' is not set, we use /var/run/secrets/kubernetes.io/serviceaccount/token
+ # Whether or not to use the service account bearer token for authentication.
+ # Can be explicitly set to true or false to send or not the bearer token.
+ # If set to the `tls_only` value, the bearer token will be sent only to https endpoints.
+ # If 'bearer_token_path' is not set, we use /var/run/secrets/kubernetes.io/serviceaccount/token
 # as a default path to get the token.
- config['bearer_token_auth'] = is_affirmative(
- instance.get('bearer_token_auth', default_instance.get('bearer_token_auth', False))
- )
+ if instance.get('bearer_token_auth') == 'tls_only' or 'bearer_token_auth' not in instance and default_instance.get('bearer_token_auth') == 'tls_only':
+ config['bearer_token_auth'] = None
+ else:
+ config['bearer_token_auth'] = is_affirmative(
+ instance.get('bearer_token_auth', default_instance.get('bearer_token_auth'), False)
+ )
 
 # Can be used to get a service account bearer token from files
 # other than /var/run/secrets/kubernetes.io/serviceaccount/token 
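Review bot: The else branch calls `instance.get('bearer_token_auth', default_instance.get('bearer_token_auth'), False)` with three arguments; `dict.get` accepts at most two, so every instance that is not configured with `tls_only` would raise TypeError while the scraper config is built (assuming `instance` is a plain dict, as the `{...}` literals in the test file suggest). The `False` default belongs on the inner lookup, exactly as the removed line had it: `instance.get('bearer_token_auth', default_instance.get('bearer_token_auth', False))`. Separately, storing `None` for `tls_only` makes the setting falsy, so any code that gates token loading on the truthiness of `config['bearer_token_auth']` (the code that fills `_bearer_token` is outside this hunk) would treat `tls_only` as "disabled"; worth confirming, and a comment such as `# None encodes 'tls_only': the token is attached only to https endpoints, decided in get_http_handler` on the assignment would make the tri-state explicit. The `_get_setting(name, default)` helper named in the hunk header looks like it could replace the duplicated instance/default lookup in the new condition, if it resolves instance-then-default as its signature suggests.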
@@ -411,7 +416,10 @@ def get_http_handler(self, scraper_config):
 headers = http_handler.options['headers']
- bearer_token = scraper_config['_bearer_token']
+ bearer_token_auth = scraper_config['bearer_token_auth']
+ bearer_token = None
+ if bearer_token_auth is True or (bearer_token_auth is None and prometheus_url.startswith("https://")):
+ bearer_token = scraper_config['_bearer_token']
 if bearer_token is not None:
 headers['Authorization'] = 'Bearer {}'.format(bearer_token)
diff --git a/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py b/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
index f9136bb292db9..9aa44d6aa6e3f 100644
--- a/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
+++ b/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
@@ -198,3 +198,19 @@ def test_bearer_token_not_found():
 }
 with pytest.raises(IOError):
 OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+
+
+ def test_bearer_token_auto_http():
+ endpoint = "http://localhost:12345/metrics"
+ instance = {'prometheus_url': endpoint, 'namespace': 'default_namespace', 'bearer_token_auth': 'tls_only'}
+ with patch.object(OpenMetricsBaseCheck, 'KUBERNETES_TOKEN_PATH', os.path.join(FIXTURE_PATH, 'default_token')):
+ check = OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+ assert check.get_scraper_config(instance)['_bearer_token'] == None
+
+
+ def test_bearer_token_auto_https():
+ endpoint = "https://localhost:12345/metrics"
+ instance = {'prometheus_url': endpoint, 'namespace': 'default_namespace', 'bearer_token_auth': 'tls_only'}
+ with patch.object(OpenMetricsBaseCheck, 'KUBERNETES_TOKEN_PATH', os.path.join(FIXTURE_PATH, 'default_token')):
+ check = OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+ assert check.get_scraper_config(instance)['_bearer_token'] == 'my default token'
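Review bot: The https decision is a case-sensitive prefix match, `prometheus_url.startswith("https://")`, so a URL spelled `HTTPS://...` (a valid scheme spelling) silently withholds the token and the scrape fails with an authentication error instead of a clear misconfiguration; comparing the parsed scheme, e.g. `urlparse(prometheus_url).scheme.lower() == 'https'` if `urlparse` is already imported in this module, is more robust and still fails closed for anything that is not https. The tri-state read from `scraper_config['bearer_token_auth']` (True, False or None) is not explained at the point of use; a comment like `# None means bearer_token_auth == 'tls_only': attach the token only when the endpoint scheme is https` above the condition would help the next reader. That comment should also note that an https scheme only keeps the token confidential when certificate verification is enabled on this handler, since with verification off the token is still presented to whichever peer answers. `prometheus_url` is not bound in the hunk, so it is presumably assigned earlier in `get_http_handler`, whose body starts and ends outside the hunk.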
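Review bot: Both new tests assert on `get_scraper_config(instance)['_bearer_token']`, but the scheme gate the mixins hunk adds lives in `get_http_handler` and decides whether the Authorization header is set, not whether `_bearer_token` is loaded; unless the token-loading code outside this diff also inspects the scheme, `test_bearer_token_auto_http` is asserting on the wrong layer, and checking the handler's `headers` for the absence or presence of `Authorization` would test the gate directly. Nothing exercises the rewritten else branch with an explicit `'bearer_token_auth': True` or `False`, so a regression in that `is_affirmative` lookup (the three-argument `instance.get(...)` in the mixins hunk) would pass this file; a third test with `'bearer_token_auth': True` expecting `'my default token'` would close that gap, as would one where `tls_only` comes from `default_instance` rather than the instance to cover the second half of the new condition. `assert ... == None` in `test_bearer_token_auto_http` should read `assert check.get_scraper_config(instance)['_bearer_token'] is None` (E711).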