407 - Proxy Authentication Required
HTTP 407 Proxy Authentication Required means the client must authenticate with a proxy before the request can proceed.
Last reviewed: February 10, 2026|Source-backed guidance under our editorial policy
Start Here
Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.
This page is part of the Error Reference library. Learn more about the project or report a correction.
What Does Proxy Authentication Required Mean?
A proxy in the request path is demanding authentication, so traffic is blocked before it can reach the target origin.
Common Causes
- -Outbound route passes through authenticated proxy, but client does not attach Proxy-Authorization credentials.
- -Proxy challenge requires NTLM or Kerberos scheme while client attempts Basic credentials for same route.
- -PAC or environment proxy settings route only some domains through restricted proxy realm, causing selective failures.
How to Fix Proxy Authentication Required
- 1Inspect
Proxy-Authenticatechallenge and supply validProxy-Authorizationcredentials for the required scheme. - 2Verify client proxy settings and credential source are applied to the exact outbound route.
- 3Retest through the same proxy path and confirm traffic reaches origin without additional proxy auth challenges.
Step-by-Step Diagnosis for Proxy Authentication Required
- 1Capture proxy challenge headers and identify required auth scheme/realm.
- 2Verify client runtime actually routes through the expected proxy and includes correct credentials.
- 3Check credential expiry, encoding format, and policy scope at proxy controller.
- 4Retest with controlled proxy credentials and validate origin receives the forwarded request.
Proxy Challenge and Credential Scheme Validation
- -Inspect
Proxy-Authenticatedetails (example: proxy requires NTLM/Kerberos while client sends Basic token). - -Validate credential formatting for proxy auth (example: malformed base64 credential in
Proxy-Authorizationheader).
Network Route and Proxy Policy Checks
- -Confirm outbound route is using intended proxy (example: PAC file sends only some domains through authenticated proxy).
- -Audit proxy policy changes (example: newly enforced auth realm on egress proxy breaks existing automation clients).
Implementation Examples
curl -i -X GET https://api.example.com/v1/resource --proxy http://proxy.example.net:3128
# Response:
# HTTP/1.1 407 Proxy Authentication Required
# {"error":"Proxy Authentication Required","code":"407"}const response = await fetch('https://api.example.com/v1/resource', {
method: 'GET',
headers: { 'Accept': 'application/json' }
});
if (response.status === 407) {
console.error('Handle 407 Proxy Authentication Required');
}import requests
response = requests.get(
'https://api.example.com/v1/resource',
headers={'Accept': 'application/json'}
)
if response.status_code == 407:
print('Handle 407 Proxy Authentication Required')Seen in Production
Corporate proxy credentials expire on CI runners
Frequency: common
Example: Build agents lose proxy auth token and outbound dependency fetches fail with 407.
Fix: Rotate proxy credentials automatically and verify runner startup includes valid proxy-auth bootstrap.
PAC file update routes additional domains through authenticated proxy
Frequency: rare
Example: Previously direct API traffic now requires proxy credentials; clients without update receive 407.
Fix: Version-control PAC changes and run connectivity regression tests for critical API domains.
Debugging Tools
- -Proxy access/auth logs by client identity
- -PAC/proxy configuration inspection tools
- -curl through proxy with verbose headers
- -Credential vault and rotation audit logs
How to Verify the Fix
- -Re-run affected requests and confirm 407 disappears while origin responses are returned.
- -Validate proxy authentication remains stable across credential refresh cycles.
- -Monitor proxy auth failure metrics to ensure no recurring challenge loops.
How to Prevent Recurrence
- -Automate proxy credential rotation and expiration monitoring in all environments.
- -Standardize proxy configuration (PAC, env vars, credential injection) across clients and CI agents.
- -Add health checks that validate proxy auth handshake before production job execution.
Pro Tip
- -launch a startup proxy-auth self-test that fails fast with actionable diagnostics instead of surfacing opaque 407 errors at runtime.
Official References
Provider Context
This guidance is specific to HTTP services. Always validate implementation details against official provider documentation before deploying to production.