diff --git a/.librarian/state.yaml b/.librarian/state.yaml
index 199662649..015a86fdf 100644
--- a/.librarian/state.yaml
+++ b/.librarian/state.yaml
@@ -1,7 +1,7 @@
 image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:b8058df4c45e9a6e07f6b4d65b458d0d059241dd34c814f151c8bf6b89211209
 libraries:
   - id: google-auth
-    version: 2.47.0
+    version: 2.49.0-dev0
     last_generated_commit: 102d9f92ac6ed649a61efd9b208e4d1de278e9bb
     apis: []
     source_roots:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5663e510..e52c938d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,25 @@
 
 [1]: https://pypi.org/project/google-auth/#history
 
+## [2.49.0-dev0](https://github.com/googleapis/google-auth-library-python/compare/v2.47.0...v2.49.0-dev0) (2026-01-26)
+
+
+### Features
+
+* add cryptography as required dependency (#1929) ([52558ae2881b1e6555f6f5c0d76365c15807ead9](https://github.com/googleapis/google-auth-library-python/commit/52558ae2881b1e6555f6f5c0d76365c15807ead9))
+* Support the mTLS IAM domain for Certificate based Access (#1938) ([8dcf91a1b05c85fbbd0bcee78d66e498099102ab](https://github.com/googleapis/google-auth-library-python/commit/8dcf91a1b05c85fbbd0bcee78d66e498099102ab))
+* add configurable GCE Metadata Server retries (#1488) ([454b441b478ec62bbf1a6ad5bceb6c7cbbfd0c37](https://github.com/googleapis/google-auth-library-python/commit/454b441b478ec62bbf1a6ad5bceb6c7cbbfd0c37))
+* honor `NO_GCE_CHECK` environment variable (#1610) ([383c9827536d9376e8248370ce4c2b83e468d027](https://github.com/googleapis/google-auth-library-python/commit/383c9827536d9376e8248370ce4c2b83e468d027))
+
+
+### Bug Fixes
+
+* resolve circular imports (#1942) ([25c1b064545702cbef087cfcd15fbbb6ef1af74f](https://github.com/googleapis/google-auth-library-python/commit/25c1b064545702cbef087cfcd15fbbb6ef1af74f))
+* removes `content-header` from AWS IMDS get request (#1934) ([97bfea9e02ede953fc8ee154e0deed3a3cfc6dcc](https://github.com/googleapis/google-auth-library-python/commit/97bfea9e02ede953fc8ee154e0deed3a3cfc6dcc))
+* detect correct auth when ADC env var is set but empty (#1374) ([bfc07e1050bd0aa86fa3b08cdf70c9b68b5fe6a2](https://github.com/googleapis/google-auth-library-python/commit/bfc07e1050bd0aa86fa3b08cdf70c9b68b5fe6a2))
+* replace deprecated utcfromtimestamp (#1799) ([e431f20cf73ccac71926a23ec454468cea92e053](https://github.com/googleapis/google-auth-library-python/commit/e431f20cf73ccac71926a23ec454468cea92e053))
+* Use `user_verification=preferred` for ReAuth WebAuthn challenge (#1798) ([3f88a24089c4ee6822d510de0db210b54260d873](https://github.com/googleapis/google-auth-library-python/commit/3f88a24089c4ee6822d510de0db210b54260d873))
+
 ## [2.47.0](https://github.com/googleapis/google-auth-library-python/compare/v2.46.0...v2.47.0) (2026-01-06)
 
 
diff --git a/google/auth/crypt/rsa.py b/google/auth/crypt/rsa.py
index 4b2fb39ff..639be9069 100644
--- a/google/auth/crypt/rsa.py
+++ b/google/auth/crypt/rsa.py
@@ -24,7 +24,6 @@
 
 from google.auth import _helpers
 from google.auth.crypt import _cryptography_rsa
-from google.auth.crypt import _python_rsa
 from google.auth.crypt import base
 
 RSA_KEY_MODULE_PREFIX = "rsa.key"
@@ -37,6 +36,7 @@ class RSAVerifier(base.Verifier):
         public_key (Union["rsa.key.PublicKey", cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]):
             The public key used to verify signatures.
     Raises:
+        ImportError: if called with an rsa.key.PublicKey, when the rsa library is not installed
         ValueError: if an unrecognized public key is provided
     """
 
@@ -45,6 +45,8 @@ def __init__(self, public_key):
         if isinstance(public_key, RSAPublicKey):
             impl_lib = _cryptography_rsa
         elif module_str.startswith(RSA_KEY_MODULE_PREFIX):
+            from google.auth.crypt import _python_rsa
+
             impl_lib = _python_rsa
         else:
             raise ValueError(f"unrecognized public key type: {type(public_key)}")
@@ -85,6 +87,7 @@ class RSASigner(base.Signer, base.FromServiceAccountMixin):
             public key or certificate.
 
     Raises:
+        ImportError: if called with an rsa.key.PrivateKey, when the rsa library is not installed
         ValueError: if an unrecognized public key is provided
     """
 
@@ -93,6 +96,8 @@ def __init__(self, private_key, key_id=None):
         if isinstance(private_key, RSAPrivateKey):
             impl_lib = _cryptography_rsa
         elif module_str.startswith(RSA_KEY_MODULE_PREFIX):
+            from google.auth.crypt import _python_rsa
+
             impl_lib = _python_rsa
         else:
             raise ValueError(f"unrecognized private key type: {type(private_key)}")
diff --git a/google/auth/version.py b/google/auth/version.py
index 03b96ced7..8300c23ce 100644
--- a/google/auth/version.py
+++ b/google/auth/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.47.0"
+__version__ = "2.49.0-dev0"
diff --git a/setup.py b/setup.py
index ba9e214b1..718a6e585 100644
--- a/setup.py
+++ b/setup.py
@@ -25,9 +25,6 @@
 DEPENDENCIES = (
     "pyasn1-modules>=0.2.1",
     cryptography_base_require,
-    # TODO: remove rsa from dependencies in next release (replaced with cryptography)i
-    # https://github.com/googleapis/google-auth-library-python/issues/1810
-    "rsa>=3.1.4,<5",
 )
 
 requests_extra_require = ["requests >= 2.20.0, < 3.0.0"]
@@ -73,6 +70,9 @@
     # TODO(https://github.com/googleapis/google-auth-library-python/issues/1722): `test_aiohttp_requests` depend on
     # aiohttp < 3.10.0 which is a bug. Investigate and remove the pinned aiohttp version.
     "aiohttp < 3.10.0",
+    # rsa library was removed as a dependency, but we still have some code paths that support it
+    # TODO: remove dependency when google.auth.crypt._python_rsa is removed
+    "rsa>=3.1.4,<5",
 ]
 
 extras = {
diff --git a/testing/constraints-3.7.txt b/testing/constraints-3.7.txt
index 52ad3af91..d9655a360 100644
--- a/testing/constraints-3.7.txt
+++ b/testing/constraints-3.7.txt
@@ -7,7 +7,6 @@
 # Then this file should have foo==1.14.0
 pyasn1-modules==0.2.1
 setuptools==40.3.0
-rsa==3.1.4
 aiohttp==3.6.2
 requests==2.20.0
 pyjwt==2.0
\ No newline at end of file
diff --git a/tests/crypt/test_rsa.py b/tests/crypt/test_rsa.py
index 6f7aa2691..6ed822ad9 100644
--- a/tests/crypt/test_rsa.py
+++ b/tests/crypt/test_rsa.py
@@ -18,7 +18,7 @@
 from cryptography.hazmat import backends
 from cryptography.hazmat.primitives import serialization
 import pytest
-import rsa as rsa_lib
+import rsa as rsa_lib  # type: ignore
 
 from google.auth.crypt import _cryptography_rsa
 from google.auth.crypt import _python_rsa