The essential points from this guide -- each one is explained in detail below.
HTTP 407 means the proxy rejected your credentials -- verify username and password first.
URL-encode special characters in passwords (@ becomes %40, # becomes %23).
IP allowlist authentication fails silently if your ISP changes your IP address.
SOCKS5 authentication uses a different handshake than HTTP -- test each protocol separately.
Provider-specific username formats (user-country-us, user-session-abc123) must be exact.
Before debugging your code, confirm your credentials work at the protocol level. Run a basic curl command with verbose output:
curl -v -x http://USERNAME:PASSWORD@gw.knoxproxy.com:7000 \
https://httpbin.org/ipIf this succeeds, the issue is in your code or configuration. If it fails with HTTP 407, your credentials are wrong or your account has an issue. Check your provider dashboard to confirm your username, password, and that your account is active with available balance.
For SOCKS5, test separately:
curl -v --socks5 USERNAME:PASSWORD@gw.knoxproxy.com:7001 \
https://httpbin.org/ipThe most common cause of "credentials are correct but auth still fails" is special characters in the password. When credentials are embedded in a proxy URL (http://user:p@ss@host:port), the @ symbol in the password breaks the URL parser -- it thinks the password ends at the first @ and treats "ss" as the hostname.
URL-encode these characters in your password:
| Character | Encoded | |-----------|----------| | @ | %40 | | # | %23 | | : | %3A | | / | %2F | | ? | %3F | | & | %26 | | = | %3D | | + | %2B |
So a password of p@ss#123 becomes p%40ss%23123 in the proxy URL. In Python, use urllib.parse.quote(password, safe='') to encode automatically:
from urllib.parse import quote
password = 'p@ss#123'
proxy_url = f'http://user:{quote(password, safe="")}@gw.knoxproxy.com:7000'Some providers offer IP allowlist authentication as an alternative to username/password. You register your server's IP address, and any request from that IP is authenticated without credentials. This breaks when your outbound IP changes -- common with residential ISPs, cloud instances with dynamic IPs, or when your traffic routes through a corporate NAT gateway.
To check your current outbound IP:
curl https://httpbin.org/ipCompare this to the IP in your provider's allowlist. If they do not match, update the allowlist. For servers with dynamic IPs, username/password authentication is more reliable than IP allowlisting. KnoxProxy supports both methods -- use credentials for dynamic environments and IP allowlist for fixed infrastructure.
Most proxy providers encode targeting parameters in the username string. For KnoxProxy, the format includes country targeting and session control:
user-country-us # US exit IP
user-country-us-session-abc123 # Sticky session with US IP
user-country-de-city-berlin # Berlin, Germany exitA typo in any segment causes authentication failure. Common mistakes include using ISO3 country codes (usa) instead of ISO2 (us), misspelling parameter names (contry instead of country), and adding extra hyphens or spaces. Copy the exact format from your provider's documentation and build the username string programmatically rather than typing it manually.
Ready to put this into practice? Browse all proxy types
KnoxProxy Research Team · Technical Content
Network engineers and proxy infrastructure specialists with 10+ years in anti-bot systems, web scraping, and IP routing.
90.4M+ ethically sourced residential IPs across 195 countries. Start free -- no credit card required.