VoIP Troubleshooting Guide

SIP 407 Proxy Authentication Required

6 min read  ·  Updated April 2026

SIP 407 is the proxy equivalent of 401 Unauthorized. Instead of the registrar challenging your credentials, a SIP proxy in the call path is demanding authentication before it will forward your INVITE or REGISTER. Here's how to diagnose and fix it.

In this guide
01What does SIP 407 mean? 02407 vs 401 — key differences 03Common causes 04How to diagnose 05How to fix SIP 407

1. What does SIP 407 Proxy Authentication Required mean?

SIP 407 Proxy Authentication Required is defined in RFC 3261 Section 21.4.27. It means an intermediate SIP proxy — not the final destination — requires authentication before it will forward your request. The proxy responds with a Proxy-Authenticate header containing a digest challenge, and your UA must resend the request with a Proxy-Authorization header containing the digest response.

INVITE sip:[email protected] SIP/2.0 SIP/2.0 407 Proxy Authentication Required Proxy-Authenticate: Digest realm="proxy.example.com", nonce="abc123..." INVITE sip:[email protected] SIP/2.0 Proxy-Authorization: Digest username="alice", realm="proxy.example.com", response="..." SIP/2.0 100 Trying

2. SIP 407 vs 401 — key differences

401 Unauthorized comes from the final destination — the registrar or UAS. It uses WWW-Authenticate in the challenge and requires Authorization in the response.

407 Proxy Authentication Required comes from an intermediate proxy. It uses Proxy-Authenticate in the challenge and requires Proxy-Authorization in the response.

A call can require both — the proxy challenges first (407), then after passing the proxy, the registrar challenges (401). Your UA must handle both independently with separate credential sets if the realm differs.

One important difference: 407 responses to INVITE must be acknowledged with an ACK, just like a 200 OK. Failure to send the ACK causes a dialog leak on the proxy.

3. Common causes of SIP 407

Cause 01
Phone not configured for proxy authentication
The phone or softclient doesn't have proxy credentials configured — only registrar credentials. When the outbound proxy issues a 407, the phone doesn't know how to respond and the call fails. Check your SIP client for a separate "outbound proxy username/password" field.
Cause 02
Wrong proxy realm in credentials
The proxy realm in the 407 challenge doesn't match what your UA has stored. Check the Proxy-Authenticate realm value against your proxy credential configuration. The realm must match exactly — it's case sensitive.
Cause 03
Asterisk or FreeSWITCH missing proxy auth handling
Some PBX configurations handle 401 from the registrar but don't handle 407 from the proxy. In Asterisk chan_sip, set outboundproxy with credentials. In PJSIP, configure an auth object and associate it with your endpoint or AOR.
Cause 04
Loop — proxy challenging its own challenge response
Misconfigured proxy logic causes the proxy to keep issuing 407 challenges even after receiving valid Proxy-Authorization. Usually a configuration bug in the proxy's auth module. Check proxy logs for authentication decision logic.

4. How to diagnose SIP 407

In your SIP trace, look for the challenge/response cycle:

  1. INVITE → 407 (contains Proxy-Authenticate header) — note the realm
  2. ACK (for the 407)
  3. Second INVITE with Proxy-Authorization header
  4. 100 Trying (proxy accepted and forwarded)

If the second INVITE is never sent, your UA doesn't support proxy auth. If the second INVITE is sent but another 407 comes back, either the credentials are wrong or the proxy has a logic issue.

5. How to fix SIP 407

Configure proxy credentials on your UA: Most SIP phones and softphones have a separate field for outbound proxy authentication. Set the username, password, and realm to match your proxy's requirements.

Asterisk PJSIP: Create an [auth] section with auth_type=userpass and associate it with your endpoint using outbound_auth=.

FreeSWITCH: In the gateway configuration, add <param name="proxy-auth" value="true"/> and set the corresponding credentials.

If you're seeing 407 loops: Check your proxy's authentication module configuration. Verify it's not re-challenging already-authenticated requests. Enable verbose proxy logging to trace the authentication decision.

Frequently asked questions

What is SIP 407 Proxy Authentication Required?

SIP 407 means an intermediate SIP proxy requires authentication before forwarding your request. Unlike 401 which comes from the registrar, 407 comes from a proxy in the call path. You must resend the request with a Proxy-Authorization header containing your proxy credentials.

What is the difference between SIP 407 and 401?

SIP 401 comes from the final destination (registrar/UAS) and uses WWW-Authenticate. SIP 407 comes from an intermediate proxy and uses Proxy-Authenticate. A call can trigger both — the proxy challenges first with 407, then the registrar with 401.

How do I fix SIP 407 in Asterisk?

In Asterisk PJSIP, create an auth object with your proxy credentials and associate it with your endpoint using outbound_auth=. In chan_sip, configure the outboundproxy with credentials. Make sure the realm in your auth configuration matches the realm in the Proxy-Authenticate challenge.

Getting SIP 407 proxy auth failures?

Paste your SIP trace into SIPSymposium. The analyzer identifies the proxy challenge, checks credential exchange, and tells you exactly what credentials are missing or misconfigured.

Analyze my trace Create free account
Related guides
Registration
SIP registration failed & SIP server not found
Response Codes
SIP 408 Request Timeout — causes, diagnosis & fix
Platform
Asterisk SIP debugging — complete troubleshooting guide
Platform
Kamailio SIP troubleshooting guide