Error reference HTTP status

How to fix 407 Proxy Authentication Required

A 407 response comes from your proxy server, not the website you are trying to reach. It means the proxy received your request but could not authenticate you — the credentials were missing, malformed, or wrong. The fix is almost always on the client side: correct the username and password, encode them properly, or update your IP whitelist.

407 Proxy Authentication Required

What 407 Proxy Authentication Required means

HTTP 407 is the proxy-level twin of 401 Unauthorized. When a client sends a request through a proxy that requires authentication, the proxy expects a Proxy-Authorization header containing valid credentials. If that header is missing or carries credentials the proxy does not recognize, the proxy answers 407 and includes a Proxy-Authenticate header describing the scheme it expects (usually Basic).

The key diagnostic point: a 407 is generated before your request ever reaches the target site. The destination server, its firewall, and its rate limits are irrelevant here. Whatever URL you requested, the same 407 would come back, because the proxy refuses to forward anything until authentication succeeds.

That makes 407 one of the easier errors to fix — the entire problem space is your proxy credentials, how your client transmits them, and (if you authenticate by IP allowlist instead of a password) which IP address your request originates from.

407 Proxy Authentication Required

How to fix a 407 error, step by step

Work through these checks in order — the first three resolve the vast majority of 407s.

  1. Re-copy the username and password directly from your proxy dashboard. A single stray space, a truncated paste, or a swapped user/pass order will produce a 407 on every request.
  2. URL-encode special characters. If your password contains @, :, /, or #, a URL like http://user:p@ss@host:port parses incorrectly. Encode @ as %40, : as %3A, and so on.
  3. Confirm the proxy URL format: http://username:password@host:port. Some tools want separate fields for host, port, user, and password instead of one URL — do not mix the two styles.
  4. If you rotated or regenerated your API key or proxy password recently, every stored copy of the old value is now invalid. Update credentials in every script, container, and tool that uses the proxy.
  5. If you authenticate by IP whitelist, verify your current public IP (curl https://api.ipify.org) is actually on the allowlist. Home and office IPs change, and cloud jobs may egress from different addresses than you expect.
  6. Check that credentials are sent on HTTPS requests too. For HTTPS, the client authenticates during CONNECT tunnel setup — some libraries need the proxy configured for both http and https schemes or they silently omit the header.
  7. Verify host and port. Pointing at the wrong port or a stale hostname can land you on a listener your credentials are not valid for.
  8. Rule out an intermediate proxy. Corporate networks and some VPN clients inject their own authenticating proxy — the 407 may be coming from it, not from the proxy you configured.
407 Proxy Authentication Required

Why 407 is always a proxy configuration problem

Unlike most HTTP errors, a 407 tells you exactly which hop failed: the proxy itself. That is useful when you are debugging a scraping stack with several moving parts — you can stop investigating the target site, TLS settings, and request headers, and focus purely on how credentials travel from your code to the proxy.

On ProxyOmega, the proxy password is your dashboard API key, and targeting flags like -country-us and -session-<id> are appended to the username. Because the username carries both identity and routing, keep the base username intact and modify only the suffixes — and remember that regenerating the API key invalidates the old password everywhere at once. If you would rather not manage passwords in code at all, IP whitelisting authenticates by source address instead.

Password = API key

ProxyOmega ports authenticate with your dashboard API key as the password. If you regenerate the key, every script still holding the old value starts returning 407 immediately — update credentials everywhere at once, or switch long-lived deployments to IP whitelisting so there is no password to go stale.

IP whitelist instead of credentials

If your scrapers run from servers with stable IPs, add those IPs to your whitelist and drop username/password handling entirely. No credentials in code means no encoding bugs, no secrets leaking into logs, and no 407s from stale passwords. Just remember to update the list when your infrastructure IPs change.

One port, three protocols

Every ProxyOmega port speaks HTTP, HTTPS, and SOCKS5 on the same port with the same credentials — residential.proxyomega.com:10000, for example. If 407 appears over one protocol but not another, your credentials are valid and the failing client is mangling them; compare its exact proxy string against a working curl call.

407 Proxy Authentication Required

A correctly authenticated request in Python

This example sets the proxy for both http and https schemes so credentials are sent on the CONNECT tunnel as well, and URL-encodes the password defensively so special characters cannot corrupt the proxy URL.

import requests
from urllib.parse import quote

username = "USERNAME-country-us"          # targeting flags ride on the username
password = quote("YOUR_API_KEY", safe="")  # encode any special characters

proxy = f"http://{username}:{password}@residential.proxyomega.com:10000"
proxies = {"http": proxy, "https": proxy}  # both schemes, or CONNECT auth is skipped

r = requests.get("https://api.ipify.org?format=json", proxies=proxies, timeout=30)
r.raise_for_status()   # a 407 would raise here with the proxy's response
print(r.json())
FAQ

Frequently asked questions

Is a 407 error caused by the website I'm scraping?
No. A 407 is generated by the proxy before your request is forwarded anywhere, so the target site does not see the request at all. If you get 407 on every URL, ignore the destination entirely and audit your proxy credentials, the proxy URL format, and your whitelist configuration.
Why do I get 407 only on HTTPS requests?
For HTTPS, clients authenticate during the CONNECT tunnel handshake rather than on each request. Some libraries only attach proxy credentials to plain-HTTP traffic unless the proxy is configured for the https scheme too. Set the same authenticated proxy URL for both schemes and the CONNECT request will carry your credentials.
My credentials are correct — why am I still getting 407?
The usual culprits are unencoded special characters in the password, a regenerated API key your code has not picked up, an IP-whitelist account receiving requests from a non-whitelisted address, or an intermediate corporate proxy injecting its own 407. Test with curl using the exact same proxy string to isolate the failing layer.
Does 407 mean my proxy subscription expired?
It can — an expired or suspended plan typically stops authenticating, which surfaces as 407. Check your dashboard for plan status first. If the plan is active, the problem is on the client side: credentials, encoding, or whitelist. A quick curl test against residential.proxyomega.com:10000 settles it in seconds.

Proxies that authenticate the way you expect Start routing today.

Password or IP whitelist auth, HTTP, HTTPS, and SOCKS5 on every port, and country targeting straight from the username.

ProxyOmega ProxyOmega

90M+ ethically-sourced IPs across 200+ countries and 30,000+ cities. Residential, mobile, ISP and IPv6 proxies for scraping and AI agents.

GDPRCCPA
Product
Premium Unlimited Budget Unlimited Residential / ISP Mobile IPv6 Chrome Extension
Solutions
Web scraping AI agents Price monitoring SERP & SEO Integrations All use cases
Resources
Glossary Error codes Free tools Proxies by platform Locations
Company
About Blog Docs Reseller program Affiliate Contact Sign in
© 2026 ProxyOmega Ltd. All rights reserved.