HTTP 407 Proxy Authentication Required — What It Means & How to Fix

DodaTech Updated Jun 20, 2026 4 min read

HTTP 407 Proxy Authentication Required means the request must be authenticated through a proxy server — the client must present valid proxy credentials.

What It Means

The HTTP 407 Proxy Authentication Required status code is similar to 401 Unauthorized, but specifically for proxy-level authentication. When a client’s request reaches a proxy server (forward proxy or reverse proxy), and that proxy requires authentication before forwarding the request to the destination, the proxy returns 407.

The response includes a Proxy-Authenticate header specifying the authentication scheme required. Common schemes include:

  • Basic — username and password sent in plain text (Base64 encoded)
  • Digest — challenge-response with hashed credentials
  • NTLM — Windows-integrated authentication
  • Negotiate — Kerberos-based authentication

The client must respond by re-sending the request with a Proxy-Authorization header containing the appropriate credentials. Unlike 401 where the destination server challenges the client, 407 is the proxy itself challenging the client — the destination server may never even see the request.

When It’s Sent

  • Corporate proxy — a company’s forward proxy requires authentication for internet access
  • Authenticated CDN — a CDN or reverse proxy requires authentication before forwarding to the origin
  • ISP proxy — some internet service providers authenticate users through proxy credentials
  • Parental control proxy — a filtering proxy that requires authentication to bypass restrictions
  • API gateway — a gateway proxy that authenticates all incoming requests before routing

Real Example

curl -v --proxy http://proxy.example.com:3128 \
  https://api.example.com/data

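Expected response (simplified; for an https:// URL curl actually opens the tunnel with CONNECT api.example.com:443, and the proxy answers that CONNECT with the 407):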

> GET https://api.example.com/data HTTP/1.1
> Host: api.example.com
>
< HTTP/1.1 407 Proxy Authentication Required
< Proxy-Authenticate: Basic realm="Corporate Proxy"
< Content-Length: 0
<

To authenticate, add the proxy credentials:

curl -v --proxy http://proxy.example.com:3128 \
  --proxy-user "username:password" \
  https://api.example.com/data

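Expected authenticated response (simplified; with an https:// URL the Proxy-Authorization header is sent on the CONNECT request to the proxy, not to the destination server):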

> GET https://api.example.com/data HTTP/1.1
> Host: api.example.com
> Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 45
<
{"message":"Authenticated successfully via proxy"}
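
As an added example (not from the original article), the Python code below walks the exchange above: it parses the 407 challenge, picks a scheme, builds the Proxy-Authorization value, and decodes the Basic token from the curl output to show that it is only Base64. The function names, the scheme ranking and the rule that refuses Basic over a non-TLS proxy connection are assumptions of this example.

```python
import base64
import re

# Assumed preference order for this example, strongest first.
PREFERENCE = ["negotiate", "ntlm", "digest", "basic"]

# The 407 response from the curl output above, as raw bytes.
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="Corporate Proxy"\r\n'
              b"Content-Length: 0\r\n\r\n")

def proxy_challenges(raw_response: bytes) -> dict:
    """Return {scheme: params} for a 407; one challenge per header line."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    if status_line.split(" ")[1] != "407":
        raise ValueError("not a 407 response: " + status_line)
    found = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
        found[scheme.lower()] = {k: quoted or bare for k, quoted, bare in pairs}
    return found

def pick_scheme(challenges: dict, proxy_is_tls: bool) -> str:
    """Pick the strongest offered scheme; refuse Basic on a cleartext hop."""
    for scheme in PREFERENCE:
        if scheme in challenges:
            if scheme == "basic" and not proxy_is_tls:
                raise PermissionError("Basic over http:// exposes the password")
            return scheme
    raise LookupError("proxy offered no supported scheme")

def basic_header(user: str, password: str) -> str:
    """Build the Proxy-Authorization value for the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(header_value: str) -> tuple:
    """Recover (user, password) from a captured Basic value: no key needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```

Because `decode_basic` needs no secret, anyone who can read the hop between client and proxy can recover a Basic credential, which is why the example only accepts Basic when the connection to the proxy itself is TLS.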

How to Debug

Client-Side

  1. Check proxy configuration — verify the proxy URL, port, and authentication credentials
  2. Test without the proxy — bypass the proxy to confirm the issue is proxy-related, not destination-related
  3. Verify credentials — check for typos, expired passwords, or changed authentication schemes
  4. Check proxy settings in your OS — system-wide proxy settings may override application settings
  5. Use environment variables — many tools respect HTTP_PROXY, HTTPS_PROXY, and NO_PROXY

Server-Side

  1. Check proxy logs — look for authentication failures and rejected requests
  2. Verify proxy authentication backend — ensure the LDAP, Active Directory, or local user database is accessible
  3. Test with a known-good credential — confirm the authentication system is working
  4. Review realm configuration — the Proxy-Authenticate realm should match expected values
  5. Check proxy access controls — verify the proxy is configured to allow the requested destination

curl

# Test proxy without authentication
curl -v --proxy http://proxy:3128 https://example.com

# Test with authentication
curl -v --proxy http://proxy:3128 \
  --proxy-user "user:pass" https://example.com

# Use environment variables (keeps credentials out of each command's arguments; the value is still plain text, so restrict who can read the script)
export HTTP_PROXY="http://user:pass@proxy:3128"
export HTTPS_PROXY="http://user:pass@proxy:3128"
curl -v https://example.com
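
Added example, not part of the original article: a Python check for the environment-variable approach above. It flags credentials embedded in HTTP_PROXY/HTTPS_PROXY, produces a redacted form that is safe to log, and percent-encodes special characters in credentials. The function names and the SAMPLE_ENV values are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Variables named in the debugging list above, plus their lowercase forms.
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")

def build_proxy_url(user: str, password: str, host: str, port: int) -> str:
    """Percent-encode credentials so '@', ':' or '/' cannot break the URL."""
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"

def inspect_proxy_url(value: str) -> dict:
    """Describe a proxy URL and return a copy that is safe to write to logs."""
    parts = urlsplit(value)
    if not parts.hostname:
        # Do not echo the value: it may contain a password.
        raise ValueError("expected scheme://host:port")
    port = f":{parts.port}" if parts.port else ""
    findings = []
    if parts.password is not None:
        findings.append("password embedded in URL")
    if parts.username is not None and parts.scheme == "http":
        findings.append("credentials sent to proxy without TLS")
    user_part = f"{parts.username}:***@" if parts.username else ""
    return {
        "user": unquote(parts.username) if parts.username else None,
        "redacted": f"{parts.scheme}://{user_part}{parts.hostname}{port}",
        "findings": findings,
    }

def audit_environment(env: dict) -> dict:
    """Inspect every proxy variable that is set in the given mapping."""
    return {n: inspect_proxy_url(env[n]) for n in PROXY_VARS if env.get(n)}

# Constructed sample environment, mirroring the export lines above.
SAMPLE_ENV = {
    "HTTP_PROXY": "http://user:pass@proxy:3128",
    "HTTPS_PROXY": build_proxy_url("svc@corp", "p@ss:word",
                                   "proxy.example.com", 3128),
    "NO_PROXY": "localhost,127.0.0.1",
}

if __name__ == "__main__":
    for name, report in audit_environment(SAMPLE_ENV).items():
        print(name, report["redacted"], report["findings"])
```

Pass `dict(os.environ)` to `audit_environment` to check a real session, and log only the `redacted` field.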

Browser

  1. Go to browser proxy settings (Chrome: Settings → System → Open proxy settings)
  2. Enter the proxy address and port
  3. If the proxy requires authentication, the browser will prompt for credentials
  4. Check for proxy configuration scripts (PAC files) that may be set by your organization

Common Causes

| Scenario | What Happens | Why It Matters |
| --- | --- | --- |
| Corporate proxy | Company requires proxy auth for internet access | All outbound HTTP traffic must go through the proxy |
| Missing credentials | Client doesn’t send Proxy-Authorization header | Request is rejected at the proxy before reaching the destination |
| Wrong authentication scheme | Client uses Basic but proxy requires Digest | Match the scheme specified in Proxy-Authenticate header |
| Expired password | Active Directory password changed | Update proxy credentials in the application configuration |
| Misconfigured PAC file | Proxy auto-config script points to wrong proxy | Browser or application cannot reach the correct proxy |

FAQ

What is the difference between 407 and 401?
401 Unauthorized is the destination server requiring authentication. 407 Proxy Authentication Required is the proxy server requiring authentication before it will forward the request. The key difference is who is challenging the client: the target server (401) or the intermediate proxy (407). The headers also differ — 407 uses Proxy-Authenticate and Proxy-Authorization instead of WWW-Authenticate and Authorization.
How do I configure applications to use an authenticated proxy?
Most applications and libraries support proxy authentication through environment variables: HTTP_PROXY=http://user:pass@proxy:port, HTTPS_PROXY=http://user:pass@proxy:port. Some applications have separate proxy configuration fields. For browsers, proxy credentials are typically stored in the OS keychain or entered on first proxy challenge.
Can a 407 appear even if I'm not using a proxy?
If you are not explicitly configured to use a proxy, a 407 error usually indicates that your network is using a transparent proxy — a proxy that intercepts traffic without requiring client configuration. This is common in corporate networks, hotels, and public Wi-Fi. Check with your network administrator or try connecting from a different network to isolate the issue.

Related Codes

  • HTTP 401 Unauthorized — destination server requires authentication
  • HTTP 403 Forbidden — authenticated but not authorized to access the resource
  • HTTP 502 Bad Gateway — proxy cannot reach the upstream server
  • HTTP 504 Gateway Timeout — proxy timed out waiting for the upstream server
