Proxy-Authenticate header
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The HTTPProxy-Authenticateresponse header defines theauthentication method (orchallenge) that should be used to gain access to a resource behind aproxy server.It is sent in a407 Proxy Authentication Required response so a client can identify itself to a proxy that requires authentication.
| Header type | Response header |
|---|
Syntax
Proxy-Authenticate: <challenge>, …The value is a comma-separated list of challenges, where a<challenge> is comprised of an<auth-scheme>, followed by an optional<token68> or a comma-separated list of<auth-params>:
challenge = <auth-scheme> <auth-param>, …, <auth-paramN>challenge = <auth-scheme> <token68>
For example:
Proxy-Authenticate: <auth-scheme>Proxy-Authenticate: <auth-scheme> token68Proxy-Authenticate: <auth-scheme> auth-param1=param-token1Proxy-Authenticate: <auth-scheme> auth-param1=param-token1, …, auth-paramN=param-tokenNThe presence of atoken68 or authentication parameters depends on the selected<auth-scheme>.For example,Basic authentication requires a<realm>, and allows for optional use ofcharset key, but does not support atoken68:
Proxy-Authenticate: Basic realm="Dev", charset="UTF-8"Directives
<auth-scheme>A case-insensitive token indicating theAuthentication scheme used.Some of the more common types are
Basic,Digest,NegotiateandAWS4-HMAC-SHA256.IANA maintains alist of authentication schemes, but there are other schemes offered by host services.<auth-param>OptionalAn authentication parameter whose format depends on the
<auth-scheme>.<realm>is described below as it's a common authentication parameter among many auth schemes.<realm>OptionalThe string
realmfollowed by=and a quoted string describing a protected area, for examplerealm="staging environment".A realm allows a server to partition the areas it protects (if supported by a scheme that allows such partitioning).Some clients show this value to the user to inform them about which particular credentials are required — though most browsers stopped doing so to counter phishing.The only reliably supported character set for this value isus-ascii.If no realm is specified, clients often display a formatted hostname instead.
<token68>OptionalA token that may be useful for some schemes.The token allows the 66 unreserved URI characters plus a few others.It can hold abase64, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace.The
token68alternative to auth-param lists is supported for consistency with legacy authentication schemes.
Generally, you will need to check the relevant specifications for the authentication parameters needed for each<auth-scheme>.
Note:SeeWWW-Authenticate for more details on authentication parameters.
Examples
Proxy-Authenticate Basic auth
The following response indicates a Basic auth scheme is required with a realm:
Proxy-Authenticate: Basic realm="Staging server"Specifications
| Specification |
|---|
| HTTP Semantics # field.proxy-authenticate |