diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
index 923e838b3..11f79311a 100644
--- a/config/openshift/kustomization.yaml
+++ b/config/openshift/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
 - ../default
 - cluster-monitoring-view-binding.yaml
+- metrics-reader-token.yaml
+- prometheus-metrics-auth-binding.yaml
 patches:
 - path: configmap-patch.yaml
@@ -22,5 +24,9 @@ patches:
 target:
 kind: Deployment
 name: controller-manager
+- path: monitor-auth-patch.yaml
+ target:
+ kind: ServiceMonitor
+ name: controller-manager-metrics-monitor
 namespace: workload-variant-autoscaler-system
diff --git a/config/openshift/metrics-reader-token.yaml b/config/openshift/metrics-reader-token.yaml
new file mode 100644
index 000000000..7c06ec480
--- /dev/null
+++ b/config/openshift/metrics-reader-token.yaml
@@ -0,0 +1,11 @@
+# Long-lived SA token for Prometheus to authenticate to the WVA metrics endpoint.
+# Required on OpenShift because user-workload-monitoring Prometheus rejects
+# bearerTokenFile for security. The ServiceMonitor is patched (via
+# monitor-auth-patch.yaml) to reference this Secret instead.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: workload-variant-autoscaler-metrics-reader-token
+ annotations:
+ kubernetes.io/service-account.name: workload-variant-autoscaler-controller-manager
+type: kubernetes.io/service-account-token
diff --git a/config/openshift/monitor-auth-patch.yaml b/config/openshift/monitor-auth-patch.yaml
new file mode 100644
index 000000000..d1fb92311
--- /dev/null
+++ b/config/openshift/monitor-auth-patch.yaml
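Review bot: The Secret mints a non-expiring `kubernetes.io/service-account-token` for `workload-variant-autoscaler-controller-manager`, the controller's own ServiceAccount, so Prometheus — and anyone able to read this Secret — receives whatever RBAC that SA holds, which for an autoscaler presumably extends well beyond reading `/metrics` (its Role is not visible in this diff). A scrape credential should carry only scrape rights: create a dedicated ServiceAccount for metrics access, bind it to a role allowing `get` on the `/metrics` non-resource URL, and point the annotation at it, `kubernetes.io/service-account.name: <dedicated-metrics-reader-sa>`. Because this token type never expires, the header comment should also state the rotation procedure, e.g. `# Rotate by deleting this Secret and re-applying; the token controller issues a fresh token.` Note the Secret relies on the kustomization's `namespace:` to land next to the ServiceMonitor, which Prometheus Operator requires for `authorization.credentials` to resolve.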
@@ -0,0 +1,20 @@
+# Replace bearerTokenFile with authorization.credentials for OpenShift
+# user-workload-monitoring compatibility. The user-workload Prometheus Operator
+# rejects bearerTokenFile ("it accesses file system via bearer token file which
+# Prometheus specification prohibits").
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: controller-manager-metrics-monitor
+spec:
+ endpoints:
+ - port: https
+ path: /metrics
+ interval: 10s
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ authorization:
+ credentials:
+ name: workload-variant-autoscaler-metrics-reader-token
+ key: token
diff --git a/config/openshift/prometheus-metrics-auth-binding.yaml b/config/openshift/prometheus-metrics-auth-binding.yaml
new file mode 100644
index 000000000..52300870d
--- /dev/null
+++ b/config/openshift/prometheus-metrics-auth-binding.yaml
@@ -0,0 +1,14 @@
+# Grant the OpenShift user-workload-monitoring Prometheus SA permission to
+# authenticate to the WVA metrics endpoint (tokenreviews + subjectaccessreviews).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: workload-variant-autoscaler-ocp-prometheus-metrics-auth
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: workload-variant-autoscaler-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: openshift-user-workload-monitoring
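Review bot: `insecureSkipVerify: true` under `tlsConfig` means Prometheus sends the bearer token from Secret `workload-variant-autoscaler-metrics-reader-token` to whatever answers at the target address without checking its certificate, so anyone able to intercept or impersonate the pod endpoint can capture a long-lived ServiceAccount token. On OpenShift the endpoint can be verified with no extra PKI: every namespace carries the `openshift-service-ca.crt` ConfigMap (key `service-ca.crt`), which the ServiceMonitor can reference via `tlsConfig.ca.configMap`, together with `serverName` set to the metrics Service's `<svc>.<ns>.svc` DNS name, since scrapes go to pod IPs while the serving cert's SAN is the Service name. This presumes the metrics Service is annotated `service.beta.openshift.io/serving-cert-secret-name` and the controller serves that cert, neither of which is visible in this diff; if the controller keeps a self-signed cert, the header comment should say so and why the skip is accepted rather than leaving it unexplained. The comment also asserts that `bearerTokenFile` is dropped, which holds only if kustomize replaces the whole `endpoints` list for this CRD (the patch does restate every endpoint field, consistent with that) — worth confirming with `kustomize build` output.

```yaml
    tlsConfig:
      # CA bundle the service-ca operator injects into every namespace; it
      # verifies certs issued via service.beta.openshift.io/serving-cert-secret-name
      ca:
        configMap:
          name: openshift-service-ca.crt
          key: service-ca.crt
      # Scrapes hit pod IPs but the SAN is the Service DNS name, so pin it here.
      serverName: <metrics-service>.workload-variant-autoscaler-system.svc
    # … unchanged: authorization.credentials …
```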
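Review bot: The binding grants `prometheus-k8s` the `workload-variant-autoscaler-metrics-auth-role`, which the header comment itself describes as tokenreviews + subjectaccessreviews; those are the server-side verbs the controller needs to validate incoming bearer tokens, not something a scraper needs, so Prometheus gains the ability to create TokenReviews and SubjectAccessReviews cluster-wide for no benefit. It also most likely does nothing for the scrape: the ServiceMonitor presents the controller-manager SA's token from `workload-variant-autoscaler-metrics-reader-token`, so the identity authorized at the metrics endpoint is that SA, not `prometheus-k8s`, and this ClusterRoleBinding never enters the decision. If the base scaffolds a kubebuilder-style metrics-reader ClusterRole (`get` on nonResourceURL `/metrics`), bind the scraping identity to that instead and drop this binding unless something else relies on it. The comment should then describe what is actually granted, e.g. `# Allow the scraping identity to GET /metrics on the WVA controller.`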