Proxy-AuthenticateProxy-Authenticate is the response header by which a proxy tells the client which authentication scheme to use when the proxy demands authentication. It is sent with a 407 Proxy Authentication Required response.
The value consists of the auth scheme (`Basic`, `Digest`, `Negotiate`, ...) and parameters like `realm` (e.g. `Proxy-Authenticate: Basic realm="Corporate Proxy"`).
This is the 'proxy version' of WWW-Authenticate (which pairs with 401 for server-resource auth). When a client must authenticate to the proxy itself to pass through it (a corporate gateway, a paid proxy), the proxy presents the required scheme and realm via this header alongside 407. The client then re-requests with matching credentials in the Proxy-Authorization header.
The key here is the layering between 401/WWW-Authenticate/Authorization (final-server auth) and 407/Proxy-Authenticate/Proxy-Authorization (proxy auth). The two are independent: even after passing proxy auth, the final server may again demand resource auth with a 401.
Proxy-Authenticate and Proxy-Authorization are hop-by-hop headers — consumed only between a specific proxy and client, not forwarded to the next hop. The Basic scheme only base64-encodes credentials (not encryption), so proxy auth too must happen over a TLS-protected connection to avoid exposing credentials.
Proxy-Authenticate: <scheme> [realm="<realm>"][, <param>]*e.g. Proxy-Authenticate: Basic realm="Corporate Proxy"