SIP 401 Unauthorized vs 407 Proxy Authentication Required
SIP 401 and 407 both require authentication, but from different entities. A 401 is issued by the UAS (the endpoint or registrar), while a 407 is issued by a SIP proxy. The client must respond with different headers depending on which challenge it received.
Descrição
The request requires user authentication. The response includes a WWW-Authenticate header with a challenge for the realm.
Quando você o vê
When making a request that requires Digest authentication. Common for REGISTER and INVITE requests to authenticated SIP trunks.
Como corrigir
Resend the request with proper Authorization header containing valid credentials (Digest authentication).
Descrição
The client must first authenticate with the proxy. The proxy returns a Proxy-Authenticate header with a challenge.
Quando você o vê
When a SIP proxy requires authentication before forwarding the request. Similar to 401 but for proxy servers.
Como corrigir
Resend the request with a Proxy-Authorization header containing valid credentials for the proxy.
Diferenças principais
401 is challenged by the UAS (registrar, endpoint); 407 is challenged by a SIP proxy in the signaling path.
401 requires an Authorization header in the retry; 407 requires a Proxy-Authorization header.
401 uses WWW-Authenticate to issue the challenge; 407 uses Proxy-Authenticate.
In a multi-hop SIP topology, a request may need to authenticate at both proxy (407) and endpoint (401) levels.
Both use Digest authentication with nonces, but the header names and target entities differ.
Quando usar qual
A SIP registrar returns 401 when a UA tries to REGISTER without credentials. A SIP proxy returns 407 when it needs to authenticate the caller before forwarding the request. SIP clients must handle both challenges and respond with the correct Authorization or Proxy-Authorization header.