HTTP 407 Proxy Authentication Required

Q: What does HTTP 407 mean?

HTTP 407 Proxy Authentication Required means an intermediate proxy server between the client and the target server requires authentication before it will forward the request. The proxy returns 407 with a Proxy-Authenticate header specifying the authentication scheme required.

Q: What is the difference between 407 and 401?

401 Unauthorized is sent by the origin server and requires credentials for the resource via the WWW-Authenticate header. 407 is sent by a proxy and requires proxy credentials via the Proxy-Authenticate header. A client can receive both in sequence: 407 from the proxy first, then 401 from the origin once the proxy lets the request through.

Q: How do I fix a 407 error?

Provide valid proxy credentials using the Proxy-Authorization header. The format mirrors Authorization: the value should match the scheme specified in the Proxy-Authenticate response header. In enterprise environments, credentials are typically configured in the HTTP client, browser, or system proxy settings.

Q: Does 407 affect SEO crawlers?

Yes. If Googlebot or other crawlers are routing through a proxy that requires authentication, they will receive 407 and cannot index the content. Search engine crawlers do not authenticate with proxies. Ensure your public web content is directly accessible without proxy authentication.

HTTP 407 Proxy Authentication Required is the proxy-specific analog of 401 Unauthorized. It is returned by a proxy server — not the origin — when the client must authenticate with the proxy before the request can be forwarded.

407 is most commonly encountered in enterprise and corporate network environments where outbound internet traffic is routed through an authenticated forward proxy for security, logging, or content filtering purposes.

Quick reference

Code	407
Name	Proxy Authentication Required
Category	4xx Client Errors
Specification	RFC 9110 §15.5.8
IANA status	Assigned
Client behavior	Provide proxy credentials via the Proxy-Authorization header using the scheme specified in the Proxy-Authenticate response header.
Caching	Not cached. Proxy authentication state must be established per connection.
In-depth guide	HTTP 407 proxy authentication guide →

What it means

When a request passes through a proxy server, the proxy can challenge the client for credentials before forwarding the request to the origin. The proxy sends a 407 response with a Proxy-Authenticate header specifying the authentication scheme (Basic, Digest, NTLM, Negotiate, etc.). The client must then resend the request with a Proxy-Authorization header containing valid credentials.

This is distinct from the 401 Unauthorized flow, which authenticates with the origin server using WWW-Authenticate and Authorization headers. Both can apply to the same request: the client may need to authenticate with the proxy (407 → Proxy-Authorization) and then separately authenticate with the origin server (401 → Authorization).

Forward proxy vs. reverse proxy

407 is specific to forward proxies — intermediaries that clients send requests through to reach external servers. A reverse proxy (like Nginx or Cloudflare in front of an origin server) does not return 407; it would return 401 or 403 for authentication requirements, since from the client's perspective it is the server. Enterprise HTTPS inspection proxies, corporate internet gateways, and network access control systems are the primary sources of 407 in practice.

Common causes

Enterprise forward proxy requiring authentication

The most common cause. Corporate IT departments deploy authenticated proxies to control and log outbound internet access. Clients connecting from within the corporate network must provide proxy credentials or be denied. Applications deployed inside the corporate network (CI/CD systems, automated jobs, scripts) frequently encounter 407 when trying to reach external services.

Missing proxy configuration in application or tool

An application or command-line tool does not have proxy credentials configured. HTTP client libraries (curl, requests, fetch) require explicit proxy configuration via environment variables (HTTP_PROXY, HTTPS_PROXY) or in-code configuration. Many tools respect these environment variables automatically; others require explicit configuration.

Expired or incorrect proxy credentials

Valid proxy credentials exist but have expired or been rotated. This commonly occurs after password changes in enterprise Active Directory environments where proxy authentication is tied to domain credentials.

Proxy auth bypass for specific destinations

Some proxy configurations require authentication only for certain destinations (e.g., external internet traffic but not internal intranet traffic). An application routing requests through the proxy for destinations that should be direct-connected may receive 407 unexpectedly.

How to fix a 407 error

Identify the proxy. Confirm which proxy server returned the 407. The response should include proxy identification. In corporate environments, the IT department can provide the proxy hostname and port.
Configure proxy credentials. Set the Proxy-Authorization header with credentials matching the scheme in Proxy-Authenticate. For Basic authentication: Proxy-Authorization: Basic base64(username:password). Most HTTP clients have native proxy credential support.
Use environment variables. Many applications and tools respect HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. Set these to http://username:password@proxy-host:port for transparent proxy authentication in scripts and automated tools.
Check for NTLM or Kerberos requirements. Enterprise Microsoft proxies often use NTLM or Negotiate (Kerberos) authentication, which requires specific client support. Not all HTTP clients support NTLM proxy authentication out of the box.
Request proxy bypass for the destination. If the destination should not require proxy authentication (e.g., an internal service), request a proxy bypass rule from your network team via NO_PROXY or the proxy's access control list.

407 vs 401 vs 403

Code	Who sends it	Authentication type	Header pair
407	Proxy server	Proxy credentials	Proxy-Authenticate / Proxy-Authorization
401	Origin server	Resource credentials	WWW-Authenticate / Authorization
403	Origin or proxy	None — access denied regardless of credentials	N/A

FAQ

What does HTTP 407 mean?

HTTP 407 means an intermediate proxy server requires authentication before it will forward the request. The proxy sends a Proxy-Authenticate header specifying what credentials it requires.

What is the difference between 407 and 401?

401 is sent by the origin server and requires credentials for the resource. 407 is sent by a proxy and requires proxy credentials. Both can apply to the same request in sequence.

How do I fix a 407 error?

Provide proxy credentials via the Proxy-Authorization header, or configure proxy credentials in your HTTP client using HTTP_PROXY/HTTPS_PROXY environment variables.

Does 407 affect SEO crawlers?

Yes. Search engine crawlers do not authenticate with proxies. If a proxy returns 407 to Googlebot, the content behind it will not be indexed. Ensure public web content is accessible without proxy authentication.

Related resources

On this site: HTTP 407 proxy authentication guide · HTTP 401 Unauthorized · HTTP 403 Forbidden · HTTP 406 Not Acceptable · All 4xx client errors

Comparisons: 401 vs 407

Standards: RFC 9110 §15.5.8 · IANA Registry · MDN Web Docs: 407