How to Fix 407 Proxy Authentication Required Error

The HTTP 407 Proxy Authentication Required status code means your proxy server received your request but requires valid authentication credentials before it will forward the traffic. Unlike a 401 Unauthorized error (which comes from the destination server), a 407 specifically indicates that the proxy sitting between you and the target is demanding authentication.

This error is common across all proxy types including HTTP, HTTPS, and SOCKS5 proxies. It affects browsers, command-line tools, programming libraries, and any application that routes traffic through an authenticated proxy.

How 407 Authentication Works

When a proxy server requires authentication, it follows this sequence:

Your client sends a request to the proxy
The proxy returns a 407 Proxy Authentication Required response with a Proxy-Authenticate header
The header specifies the authentication scheme (Basic, Digest, NTLM, or Negotiate)
Your client must resend the request with a Proxy-Authorization header containing valid credentials

If the credentials are missing, incorrect, or in the wrong format, the proxy continues to return 407 errors. Understanding this flow is essential for debugging, because the fix depends on which step is failing.

Common Causes

1. Missing Credentials

The simplest cause: your application is not sending authentication credentials with the proxy request. This often happens when:

You configured the proxy host and port but forgot the username and password
Environment variables include the proxy URL without credentials
A configuration file was updated and credentials were accidentally removed

2. Incorrect Username or Password

Credentials may be wrong due to:

Typos in the username or password
Using credentials from a different proxy provider or plan
Password rotation that was not propagated to all systems
Special characters in the password that need URL encoding

3. Wrong Authentication Scheme

The proxy expects one authentication method (e.g., NTLM) but your client is sending another (e.g., Basic). This is common in corporate environments where proxies use Windows-integrated authentication.

4. Expired or Revoked Credentials

Your proxy provider may have revoked your credentials due to:

Subscription expiration
Terms of service violation
Account suspension
Scheduled credential rotation

5. IP-Based Authentication Mismatch

If your proxy uses IP whitelisting instead of or in addition to username/password authentication, connecting from a non-whitelisted IP will trigger a 407 or connection refused error.

Fixing 407 in Browsers

Chrome and Edge

Chrome and Edge use the operating system’s proxy settings. When encountering a 407 error, these browsers typically display a dialog box asking for proxy credentials. If the dialog does not appear or credentials are not accepted:

Open Settings > Network & Internet > Proxy
Verify the proxy address and port
Clear saved proxy credentials from the Windows Credential Manager (Control Panel > User Accounts > Credential Manager)
Restart the browser and try again

Firefox

Firefox manages its own proxy settings independently of the OS:

Navigate to Settings > General > Network Settings
Click “Settings” next to the connection configuration
Verify the proxy address, port, and check “Prompt for authentication”
Clear any saved proxy passwords in Settings > Privacy & Security > Saved Logins

Fixing 407 in cURL

cURL requires explicit proxy credentials using the -U flag or embedded in the proxy URL:

# Method 1: Using -U flag
curl -x http://proxy.example.com:8080 -U username:password https://httpbin.org/ip

# Method 2: Credentials in URL
curl -x http://username:password@proxy.example.com:8080 https://httpbin.org/ip

# Method 3: Using environment variable
export https_proxy=http://username:password@proxy.example.com:8080
curl https://httpbin.org/ip

If your password contains special characters, URL-encode them:

Character	Encoded
@	%40
:	%3A
#	%23
!	%21
$	%24

For example, a password of p@ss:word becomes p%40ss%3Aword.

Fixing 407 in Python

Python’s requests library accepts proxy credentials in the proxy URL:

import requests

proxies = {
    "http": "http://username:password@proxy.example.com:8080",
    "https": "http://username:password@proxy.example.com:8080",
}

response = requests.get("https://httpbin.org/ip", proxies=proxies)
print(response.json())

For NTLM authentication (common in enterprise environments), use the requests-ntlm package:

from requests_ntlm import HttpNtlmAuth

session = requests.Session()
session.proxies = {"http": "http://proxy.example.com:8080"}
session.auth = HttpNtlmAuth("DOMAIN\\username", "password")

Fixing 407 in Node.js

const axios = require('axios');

const response = await axios.get('https://httpbin.org/ip', {
  proxy: {
    host: 'proxy.example.com',
    port: 8080,
    auth: {
      username: 'user',
      password: 'pass'
    }
  }
});

Fixing 407 in Enterprise Environments

Corporate proxies often use NTLM or Kerberos authentication tied to Active Directory. These environments require special handling:

Using CNTLM as a Local Proxy

CNTLM acts as a local proxy that handles NTLM authentication on your behalf:

Install CNTLM
Configure /etc/cntlm.conf with your domain credentials and upstream proxy
Point your applications to localhost:3128 (CNTLM’s default port)
CNTLM forwards requests to the corporate proxy with proper NTLM authentication

Username    your_username
Domain      CORP
Password    your_password
Proxy       corpproxy.internal:8080
Listen      3128

Using Px Proxy

Px is a similar tool that uses Windows credentials automatically without storing passwords in configuration files.

Debugging 407 Errors

When the cause is not immediately obvious, use these diagnostic approaches:

Inspect the Proxy-Authenticate Header

The Proxy-Authenticate header in the 407 response tells you which authentication scheme the proxy expects:

curl -v -x http://proxy.example.com:8080 https://httpbin.org/ip 2>&1 | grep -i proxy-authenticate

Common values:

Basic – Base64-encoded username:password
Digest – Hash-based challenge-response
NTLM – Windows NT LAN Manager
Negotiate – SPNEGO (Kerberos or NTLM)

Your client must support the scheme the proxy requires. If you are unfamiliar with these authentication methods, the proxy glossary provides definitions for each one.

Check Proxy Provider Dashboard

Your subscription is active
Your usage has not exceeded plan limits
Your credentials have not been rotated
Your IP is whitelisted (if using IP-based auth)

Test with Minimal Configuration

Strip away all application complexity and test with a basic cURL command. If cURL succeeds with the same credentials, the problem is in your application’s proxy implementation.

Switching to IP-Based Authentication

If you repeatedly encounter 407 errors due to credential management issues, consider switching to IP-based authentication where your proxy provider supports it. With IP whitelisting, you authorize your public IP address in the provider dashboard, and no username/password is required.

This approach works well for mobile proxies used from servers with static IPs. However, it is less suitable for dynamic IP connections where your address changes frequently.

Security Considerations

When handling proxy credentials:

Never hardcode credentials in source code that may be committed to version control
Use environment variables or secret management systems (Vault, AWS Secrets Manager)
Rotate credentials regularly and update all systems that reference them
Use HTTPS proxy connections when possible to prevent credential interception
Audit credential access to know which systems and users have proxy credentials

Conclusion

The 407 Proxy Authentication Required error is almost always a credential issue. Start by verifying the username, password, and authentication scheme. Check for special characters that need URL encoding. In enterprise environments, consider using a local authentication proxy like CNTLM. Once resolved, use the proxy testing checklist to verify that authentication works consistently across all your applications and environments.