Proxy-Authenticate
The HTTP Proxy-Authenticate response header indicates which authentication scheme the proxy server requires before granting access to the requested resource.
Usage
When a client sends a request through a proxy server requiring credentials, the proxy responds with a 407 status code and includes the Proxy-Authenticate header. This header tells the client which authentication scheme to use and provides any parameters needed to construct the credentials.
After receiving the challenge, the client resubmits the request with a Proxy-Authorization header containing the appropriate credentials. The proxy validates the credentials and, on success, forwards the request to the destination server.
The Proxy-Authenticate header operates at the proxy level. The equivalent header for origin server authentication is WWW-Authenticate, which triggers a 401 response instead of a 407.
Multiple Proxy-Authenticate headers in a single response indicate the proxy accepts more than one scheme. The client selects the strongest scheme both sides support.
Directives
scheme
The scheme value identifies the authentication method.
Common values are Basic, Digest, Bearer, and Negotiate.
The full list of registered schemes is maintained by IANA.
realm
The realm parameter is an optional string describing the
protection space. Clients typically display the realm value
in the credential prompt. When omitted, the client
defaults to showing the proxy hostname.
Scheme-specific parameters
Each authentication scheme defines additional parameters.
The Digest scheme includes nonce, qop, algorithm,
and opaque. The Bearer scheme includes scope and
error. These parameters appear after the scheme name in
the header value.
Example
A proxy requiring Basic authentication returns a challenge
with a descriptive realm. The realm value tells the user
which credentials are expected.
Proxy-Authenticate: Basic realm="Corporate Proxy"
A proxy supporting the Digest scheme includes a server-generated nonce to prevent replay attacks.
Proxy-Authenticate: Digest realm="proxy@example.re", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"
A proxy offering multiple authentication schemes lists each one on a separate line. The client picks the strongest supported option.
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Basic realm="Internal Network"
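The following client-side sketch is an added example, not code from the original page or from any HTTP library. It parses one or more Proxy-Authenticate field values, including several challenges combined on one line and commas inside quoted strings, and picks a scheme. The PREFERENCE ranking and the allow_basic policy flag are assumptions; Basic carries the password only base64-encoded, so a client may choose to refuse it.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
PARAM = re.compile(rf"^({TOKEN})\s*=\s*(.*)$", re.S)
SCHEME = re.compile(rf"^({TOKEN})(?:\s+(.*))?$", re.S)
# Assumed client policy, strongest first; the page does not define a ranking.
PREFERENCE = ["negotiate", "digest", "basic"]


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_values):
    """Return [(scheme, params)] from every Proxy-Authenticate field line."""
    challenges = []
    for line in header_values:
        current = None  # parameters never carry over from one field line to the next
        # Split on commas that are outside quoted strings.
        for part in re.findall(r'(?:[^",]|"(?:[^"\\]|\\.)*")+', line):
            part = part.strip()
            param = PARAM.match(part)
            if param and current is not None:  # name=value extends the current challenge
                current[param[1].lower()] = _unquote(param[2])
                continue
            start = SCHEME.match(part)
            if not start:
                continue                       # malformed element: ignore it
            current = {}
            rest = PARAM.match(start[2] or "")
            if rest:
                current[rest[1].lower()] = _unquote(rest[2])
            elif start[2]:
                current["token68"] = start[2].strip()
            challenges.append((start[1], current))
    return challenges


def select_challenge(header_values, allow_basic=True):
    """Pick the most preferred scheme the client supports, or None."""
    usable = [c for c in parse_challenges(header_values)
              if c[0].lower() in PREFERENCE and (allow_basic or c[0].lower() != "basic")]
    return min(usable, key=lambda c: PREFERENCE.index(c[0].lower()), default=None)
```

Schemes missing from PREFERENCE are treated as unsupported and skipped, so a response offering only such schemes yields None and the request is not retried with credentials.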
Takeaway
The HTTP Proxy-Authenticate response header challenges the client to provide credentials for a proxy server, pairing with the Proxy-Authorization request header to complete the proxy authentication exchange.
See also
- RFC 9110: HTTP Semantics - Proxy-Authenticate
- Proxy-Authorization
- WWW-Authenticate
- 407
- Authentication
- HTTP headers