diff --git a/proxy/src/auth/backend/mod.rs b/proxy/src/auth/backend/mod.rs
index 079fc36501..c689bf4e69 100644
--- a/proxy/src/auth/backend/mod.rs
+++ b/proxy/src/auth/backend/mod.rs
@@ -32,7 +32,9 @@ use crate::stream::Stream;
 use crate::types::{EndpointCacheKey, EndpointId, RoleName};
 use crate::{scram, stream};
-pub enum Backend<'a> {
+/// The [crate::serverless] module can authenticate either using control-plane
+/// to get authentication state, or by using JWKs stored in the filesystem.
+pub enum ServerlessBackend<'a> {
 /// Cloud API (V2).
 ControlPlane(&'a ControlPlaneBackend),
 /// Local proxy uses configured auth credentials and does not wake compute
diff --git a/proxy/src/auth/mod.rs b/proxy/src/auth/mod.rs
index 7a373dd825..59a414b0d5 100644
--- a/proxy/src/auth/mod.rs
+++ b/proxy/src/auth/mod.rs
@@ -1,7 +1,7 @@
 //! Client authentication mechanisms.
 pub mod backend;
-pub use backend::Backend;
+pub use backend::ServerlessBackend;
 mod credentials;
 pub(crate) use credentials::{
diff --git a/proxy/src/bin/local_proxy.rs b/proxy/src/bin/local_proxy.rs
index 5862fa6c3d..f7f67a505d 100644
--- a/proxy/src/bin/local_proxy.rs
+++ b/proxy/src/bin/local_proxy.rs
@@ -203,7 +203,7 @@ async fn main() -> anyhow::Result<()> {
 let task = serverless::task_main(
 config,
- auth::Backend::Local(auth_backend),
+ auth::ServerlessBackend::Local(auth_backend),
 http_listener,
 shutdown.clone(),
 Arc::new(CancellationHandlerMain::new(
diff --git a/proxy/src/bin/proxy.rs b/proxy/src/bin/proxy.rs
index b1d8367667..27e9b5f28c 100644
--- a/proxy/src/bin/proxy.rs
+++ b/proxy/src/bin/proxy.rs
@@ -468,7 +468,7 @@ async fn main() -> anyhow::Result<()> {
 if let Some(serverless_listener) = serverless_listener {
 client_tasks.spawn(serverless::task_main(
 config,
- auth::Backend::ControlPlane(auth_backend),
+ auth::ServerlessBackend::ControlPlane(auth_backend),
 serverless_listener,
 cancellation_token.clone(),
 cancellation_handler.clone(),
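Review bot: The doc comment added above `pub enum ServerlessBackend<'a>` in proxy/src/auth/backend/mod.rs says where the two authentication sources come from but not that several callers are valid for only one variant, and the renamed call sites in proxy/src/serverless/backend.rs treat the other variant in different ways. The password path returns `AuthError::bad_auth_method(...)` for `Local`, whereas the `@@ -234,10` and `@@ -291,10` hunks keep `panic!(...)` and `unreachable!(...)` arms; whether a request can reach those arms is not visible from this diff, but if one can, a panic in a connection path of an authenticating proxy is an availability concern and an error return, as the password path already does, would be the safer form. I would add a line such as `/// Some operations are valid for only one variant; callers must reject the other variant with an error rather than panic.` and write the link as ``[`crate::serverless`]``. The enum body continues past the end of the hunk.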
diff --git a/proxy/src/serverless/backend.rs b/proxy/src/serverless/backend.rs
index eea9ec7341..eae9865a42 100644
--- a/proxy/src/serverless/backend.rs
+++ b/proxy/src/serverless/backend.rs
@@ -41,7 +41,7 @@ pub(crate) struct PoolingBackend {
 pub(crate) pool: Arc>,
 pub(crate) config: &'static ProxyConfig,
- pub(crate) auth_backend: crate::auth::Backend<'static>,
+ pub(crate) auth_backend: crate::auth::ServerlessBackend<'static>,
 pub(crate) endpoint_rate_limiter: Arc,
 }
@@ -53,8 +53,8 @@ impl PoolingBackend {
 password: &[u8],
 ) -> Result {
 let cplane = match self.auth_backend {
- crate::auth::Backend::ControlPlane(cplane) => cplane,
- crate::auth::Backend::Local(_local) => {
+ crate::auth::ServerlessBackend::ControlPlane(cplane) => cplane,
+ crate::auth::ServerlessBackend::Local(_local) => {
 return Err(AuthError::bad_auth_method(
 "password authentication not supported by local_proxy",
 ))
@@ -122,7 +122,7 @@ impl PoolingBackend {
 jwt: String,
 ) -> Result {
 match &self.auth_backend {
- crate::auth::Backend::ControlPlane(console) => {
+ crate::auth::ServerlessBackend::ControlPlane(console) => {
 self.config
 .authentication_config
 .jwks_cache
@@ -141,7 +141,7 @@ impl PoolingBackend {
 keys: crate::auth::backend::ComputeCredentialKeys::None,
 })
 }
- crate::auth::Backend::Local(_) => {
+ crate::auth::ServerlessBackend::Local(_) => {
 let keys = self
 .config
 .authentication_config
@@ -191,7 +191,7 @@ impl PoolingBackend {
 info!(%conn_id, "pool: opening a new connection '{conn_info}'");
 match &self.auth_backend {
- crate::auth::Backend::ControlPlane(cplane) => {
+ crate::auth::ServerlessBackend::ControlPlane(cplane) => {
 crate::proxy::connect_compute::connect_to_compute(
 ctx,
 &TokioMechanism {
@@ -207,7 +207,7 @@ impl PoolingBackend {
 )
 .await
 }
- crate::auth::Backend::Local(local_proxy) => {
+ crate::auth::ServerlessBackend::Local(local_proxy) => {
 crate::proxy::connect_compute::connect_to_compute(
 ctx,
 &TokioMechanism {
@@ -234,10 +234,10 @@ impl PoolingBackend {
 conn_info: ConnInfo,
 ) -> Result, HttpConnError> {
 let cplane = match &self.auth_backend {
- crate::auth::Backend::Local(_) => {
+ crate::auth::ServerlessBackend::Local(_) => {
 panic!("connect to local_proxy should not be called if we are already local_proxy")
 }
- crate::auth::Backend::ControlPlane(cplane) => cplane,
+ crate::auth::ServerlessBackend::ControlPlane(cplane) => cplane,
 };
 info!("pool: looking for an existing connection");
@@ -291,10 +291,10 @@ impl PoolingBackend {
 }
 let local_backend = match &self.auth_backend {
- auth::Backend::ControlPlane(_) => {
+ auth::ServerlessBackend::ControlPlane(_) => {
 unreachable!("only local_proxy can connect to local postgres")
 }
- auth::Backend::Local(local) => local,
+ auth::ServerlessBackend::Local(local) => local,
 };
 if !self.local_pool.initialized(&conn_info) {
diff --git a/proxy/src/serverless/mod.rs b/proxy/src/serverless/mod.rs
index a302ce31c9..032151eb32 100644
--- a/proxy/src/serverless/mod.rs
+++ b/proxy/src/serverless/mod.rs
@@ -41,7 +41,7 @@ use tokio_util::task::TaskTracker;
 use tracing::{info, warn, Instrument};
 use utils::http::error::ApiError;
-use crate::auth::Backend;
+use crate::auth::ServerlessBackend;
 use crate::cancellation::CancellationHandlerMain;
 use crate::config::ProxyConfig;
 use crate::context::RequestMonitoring;
@@ -56,7 +56,7 @@ pub(crate) const SERVERLESS_DRIVER_SNI: &str = "api";
 pub async fn task_main(
 config: &'static ProxyConfig,
- auth_backend: crate::auth::Backend<'static>,
+ auth_backend: crate::auth::ServerlessBackend<'static>,
 ws_listener: TcpListener,
 cancellation_token: CancellationToken,
 cancellation_handler: Arc,
@@ -383,7 +383,7 @@ async fn request_handler(
 if config.http_config.accept_websockets
 && framed_websockets::upgrade::is_upgrade_request(&request)
 {
- let Backend::ControlPlane(auth_backend) = backend.auth_backend else {
+ let ServerlessBackend::ControlPlane(auth_backend) = backend.auth_backend else {
 return json_response(StatusCode::BAD_REQUEST, "query is not supported");
 };
diff --git a/proxy/src/serverless/sql_over_http.rs b/proxy/src/serverless/sql_over_http.rs
index 8e2d4c126a..1398a171e5 100644
--- a/proxy/src/serverless/sql_over_http.rs
+++ b/proxy/src/serverless/sql_over_http.rs
@@ -590,7 +590,10 @@ async fn handle_db_inner(
 let authenticate_and_connect = Box::pin(
 async {
- let is_local_proxy = matches!(backend.auth_backend, crate::auth::Backend::Local(_));
+ let is_local_proxy = matches!(
+ backend.auth_backend,
+ crate::auth::ServerlessBackend::Local(_)
+ );
 let keys = match auth {
 AuthData::Password(pw) => {