Proxy-Authorization
Request header Auth

Overview

Proxy-Authorization is the request header a client uses to authenticate itself to an intermediate proxy, carrying credentials. It is sent in response to the proxy's 407 and Proxy-Authenticate demand.

The value is the auth scheme plus matching credentials (e.g. `Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==`).

Details

The flow is a standard authentication challenge-response: the client requests through the proxy → the proxy presents a scheme via `407 Proxy Authentication Required` and `Proxy-Authenticate` → the client re-requests with credentials in Proxy-Authorization → the proxy validates and forwards the request to the final server. Because this header targets the proxy, it is entirely separate from Authorization, which is for final-server resource auth.

This header is also a hop-by-hop header. On successful auth the proxy consumes it and must not forward it to the next hop (the final server), so the server never learns which proxy credentials the client used. By contrast, Authorization is an end-to-end header that travels to the server.

For security, the Basic scheme merely base64-encodes `user:password` without encryption, so on a plaintext connection the credentials are fully exposed. Proxy auth too must run over TLS, and take care not to leave credentials in URLs or logs.

Syntax

Proxy-Authorization: <scheme> <credentials>

e.g. Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

Notes

Related headers

Related status codes

Specification