HTTP

407 - Proxy Authentication Required

HTTP 407 Proxy Authentication Required means the client must authenticate with a proxy before the request can proceed.

Last reviewed: February 10, 2026|Editorial standard: source-backed technical guidance

What Does Proxy Authentication Required Mean?

A proxy in the request path is demanding authentication, so traffic is blocked before it can reach the target origin.

Common Causes

-Outbound route passes through authenticated proxy, but client does not attach Proxy-Authorization credentials.
-Proxy challenge requires NTLM or Kerberos scheme while client attempts Basic credentials for same route.
-PAC or environment proxy settings route only some domains through restricted proxy realm, causing selective failures.

How to Fix Proxy Authentication Required

1Inspect Proxy-Authenticate challenge and supply valid Proxy-Authorization credentials for the required scheme.
2Verify client proxy settings and credential source are applied to the exact outbound route.
3Retest through the same proxy path and confirm traffic reaches origin without additional proxy auth challenges.

Step-by-Step Diagnosis for Proxy Authentication Required

1Capture proxy challenge headers and identify required auth scheme/realm.
2Verify client runtime actually routes through the expected proxy and includes correct credentials.
3Check credential expiry, encoding format, and policy scope at proxy controller.
4Retest with controlled proxy credentials and validate origin receives the forwarded request.

Proxy Challenge and Credential Scheme Validation

-Inspect Proxy-Authenticate details (example: proxy requires NTLM/Kerberos while client sends Basic token).
-Validate credential formatting for proxy auth (example: malformed base64 credential in Proxy-Authorization header).

Network Route and Proxy Policy Checks

-Confirm outbound route is using intended proxy (example: PAC file sends only some domains through authenticated proxy).
-Audit proxy policy changes (example: newly enforced auth realm on egress proxy breaks existing automation clients).

Implementation Examples

Reproduce HTTP 407 Proxy Authentication Requiredcurl

curl -i -X GET https://api.example.com/v1/resource --proxy http://proxy.example.net:3128
# Response:
# HTTP/1.1 407 Proxy Authentication Required
# {"error":"Proxy Authentication Required","code":"407"}

Handle 407 in JavaScriptjavascript

const response = await fetch('https://api.example.com/v1/resource', {
  method: 'GET',
  headers: { 'Accept': 'application/json' }
});
if (response.status === 407) {
  console.error('Handle 407 Proxy Authentication Required');
}

Handle 407 in Pythonpython

import requests

response = requests.get(
    'https://api.example.com/v1/resource',
    headers={'Accept': 'application/json'}
)
if response.status_code == 407:
    print('Handle 407 Proxy Authentication Required')

How to Verify the Fix

-Re-run affected requests and confirm 407 disappears while origin responses are returned.
-Validate proxy authentication remains stable across credential refresh cycles.
-Monitor proxy auth failure metrics to ensure no recurring challenge loops.

How to Prevent Recurrence

-Automate proxy credential rotation and expiration monitoring in all environments.
-Standardize proxy configuration (PAC, env vars, credential injection) across clients and CI agents.
-Add health checks that validate proxy auth handshake before production job execution.

Pro Tip

-launch a startup proxy-auth self-test that fails fast with actionable diagnostics instead of surfacing opaque 407 errors at runtime.

Decision Support

Compare Guide

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.

Playbook

Auth Incident Playbook (401 / UNAUTHENTICATED)

Use this playbook to separate missing, expired, or invalid identity proof from authorization and transport failures, and apply credential-source-correct fixes safely.

Official References

Provider Context

This guidance is specific to HTTP services. Always validate implementation details against official provider documentation before deploying to production.

Common Causes

-Outbound route passes through authenticated proxy, but client does not attach Proxy-Authorization credentials.

-Proxy challenge requires NTLM or Kerberos scheme while client attempts Basic credentials for same route.

-PAC or environment proxy settings route only some domains through restricted proxy realm, causing selective failures.

How to Fix Proxy Authentication Required

1Inspect Proxy-Authenticate challenge and supply valid Proxy-Authorization credentials for the required scheme.

2Verify client proxy settings and credential source are applied to the exact outbound route.

3Retest through the same proxy path and confirm traffic reaches origin without additional proxy auth challenges.

Step-by-Step Diagnosis for Proxy Authentication Required

1Capture proxy challenge headers and identify required auth scheme/realm.

2Verify client runtime actually routes through the expected proxy and includes correct credentials.

3Check credential expiry, encoding format, and policy scope at proxy controller.

4Retest with controlled proxy credentials and validate origin receives the forwarded request.

Proxy Challenge and Credential Scheme Validation

-Inspect Proxy-Authenticate details (example: proxy requires NTLM/Kerberos while client sends Basic token).
-Validate credential formatting for proxy auth (example: malformed base64 credential in Proxy-Authorization header).

Network Route and Proxy Policy Checks

-Confirm outbound route is using intended proxy (example: PAC file sends only some domains through authenticated proxy).
-Audit proxy policy changes (example: newly enforced auth realm on egress proxy breaks existing automation clients).

Implementation Examples

Reproduce HTTP 407 Proxy Authentication Requiredcurl

curl -i -X GET https://api.example.com/v1/resource --proxy http://proxy.example.net:3128
# Response:
# HTTP/1.1 407 Proxy Authentication Required
# {"error":"Proxy Authentication Required","code":"407"}

Handle 407 in JavaScriptjavascript

const response = await fetch('https://api.example.com/v1/resource', {
  method: 'GET',
  headers: { 'Accept': 'application/json' }
});
if (response.status === 407) {
  console.error('Handle 407 Proxy Authentication Required');
}

Handle 407 in Pythonpython

import requests

response = requests.get(
    'https://api.example.com/v1/resource',
    headers={'Accept': 'application/json'}
)
if response.status_code == 407:
    print('Handle 407 Proxy Authentication Required')

What Does Proxy Authentication Required Mean?

Common Causes

How to Fix Proxy Authentication Required

Step-by-Step Diagnosis for Proxy Authentication Required

Proxy Challenge and Credential Scheme Validation

Network Route and Proxy Policy Checks

Implementation Examples

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Decision Support

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Auth Incident Playbook (401 / UNAUTHENTICATED)

Official References

Provider Context

What Does Proxy Authentication Required Mean?

Common Causes

How to Fix Proxy Authentication Required

Step-by-Step Diagnosis for Proxy Authentication Required

Proxy Challenge and Credential Scheme Validation

Network Route and Proxy Policy Checks

Implementation Examples

How to Verify the Fix

How to Prevent Recurrence

Pro Tip

Related Errors

Decision Support

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Auth Incident Playbook (401 / UNAUTHENTICATED)

Official References

Provider Context