diff --git a/src/flows/doctor-health-contributions.ts b/src/flows/doctor-health-contributions.ts
index f741bd2e9da..34e5ab56246 100644
--- a/src/flows/doctor-health-contributions.ts
+++ b/src/flows/doctor-health-contributions.ts
@@ -123,7 +123,15 @@ async function runGatewayAuthHealth(ctx: DoctorHealthFlowContext): Promise
 authConfig: ctx.cfg.gateway?.auth,
 tailscaleMode: ctx.cfg.gateway?.tailscale?.mode ?? "off",
 });
- const needsToken = auth.mode !== "password" && (auth.mode !== "token" || !auth.token);
+ // Modes that don't need a token: password, none, trusted-proxy.
+ // This aligns with hasExplicitGatewayInstallAuthMode() in auth-install-policy.ts.
+ // Previously, only "password" and "token" (with a token present) were excluded,
+ // causing doctor --fix to overwrite trusted-proxy/none configs with token mode.
+ const needsToken =
+ auth.mode !== "password" &&
+ auth.mode !== "none" &&
+ auth.mode !== "trusted-proxy" &&
+ (auth.mode !== "token" || !auth.token);
 if (!needsToken) {
 return;
 }
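Review bot: With `auth.mode !== "none"` added to `needsToken`, the early `return` means this health check says nothing about a gateway configured with no authentication, at least within the lines shown. Leaving an explicit `none` or `trusted-proxy` untouched under `doctor --fix` is the right call, but the check could still report the state without fixing it, for example `if (auth.mode === "none") { /* report: gateway auth is disabled */ }` ahead of the return, using whatever reporting call this flow already has. The mode list also hand-copies what the comment attributes to `hasExplicitGatewayInstallAuthMode()`, so a mode added later would fall back to `needsToken === true` here and be overwritten again; calling that helper, if its signature fits, would keep the two in step. `runGatewayAuthHealth` begins before the hunk and continues after it, so an earlier warning may already cover the `none` case.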