The Fix
Upgrade to version 0.14.3 or later.
Based on closed encode/httpx issue #1234 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -112,28 +112,34 @@ def auth_flow(self, request: Request) -> typing.Generator[Request, Response, Non
if response.status_code != 401 or "www-authenticate" not in response.headers:
- # If the response is not a 401 WWW-Authenticate, then we don't
+ # If the response is not a 401 then we don't
# need to build an authenticated request.
repro.py
import httpx
import requests
from requests.auth import HTTPDigestAuth
url = "http://190.156.226.164:8083/cgi-bin/guest/Video.cgi?media=MJPEG&channel=0"
def test_requests():
auth = HTTPDigestAuth("admin", "admin")
req = requests.get(url, auth=auth, stream=True)
print(req.status_code)
req.close()
def test_httpx():
auth = httpx.DigestAuth("admin", "admin")
with httpx.stream("GET", url, auth=auth) as r:
print(r.status_code)
if __name__ == '__main__':
test_requests()
test_httpx()
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.14.3 or later.\nWhen NOT to use: Do not use this fix if the server does not support multiple WWW-Authenticate headers.\n\n
Why This Fix Works in Production
- Trigger: Auth fails for responses that include multiple WWW-Authenticate headers.
- Mechanism: httpx fails to handle multiple WWW-Authenticate headers correctly during Digest authentication
- Why the fix works: Handle multiple WWW-Authenticate headers correctly in DigestAuth. (first fixed release: 0.14.3).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- httpx fails to handle multiple WWW-Authenticate headers correctly during Digest authentication
- Production symptom (often without a traceback): Auth fails for responses that include multiple WWW-Authenticate headers.
Proof / Evidence
- GitHub issue: #1234
- Fix PR: https://github.com/encode/httpx/pull/1240
- First fixed release: 0.14.3
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.49
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“@beruhan Hi, a fix hanlding mulitiple auth headers has been merged, can you try to install from the master branch and confirm if the issue…”
“Hello! * You're using a rather old-ish HTTPX version (0.11.1)”
“Somehow I'd completely missed that this issue is specific to the case when the server sends *two* WWW-Authenticate headers in the response”
“Perhaps a server-side implementation that's treating the Authentication header in a case sensitive way, and so is failing to authenticate correctly?”
Failure Signature (Search String)
- Auth fails for responses that include multiple WWW-Authenticate headers.
- Your client does not have permission to get URL /cgi-bin/guest/Video.cgi?media=MJPEG&channel=0 from this server.
Copy-friendly signature
signature.txt
Failure Signature
-----------------
Auth fails for responses that include multiple WWW-Authenticate headers.
Your client does not have permission to get URL /cgi-bin/guest/Video.cgi?media=MJPEG&channel=0 from this server.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
Auth fails for responses that include multiple WWW-Authenticate headers.
Your client does not have permission to get URL /cgi-bin/guest/Video.cgi?media=MJPEG&channel=0 from this server.
Minimal Reproduction
repro.py
import httpx
import requests
from requests.auth import HTTPDigestAuth
url = "http://190.156.226.164:8083/cgi-bin/guest/Video.cgi?media=MJPEG&channel=0"
def test_requests():
auth = HTTPDigestAuth("admin", "admin")
req = requests.get(url, auth=auth, stream=True)
print(req.status_code)
req.close()
def test_httpx():
auth = httpx.DigestAuth("admin", "admin")
with httpx.stream("GET", url, auth=auth) as r:
print(r.status_code)
if __name__ == '__main__':
test_requests()
test_httpx()
What Broke
HTTP 401 Unauthorized responses occur when using Digest authentication with multiple WWW-Authenticate headers.
Why It Broke
httpx fails to handle multiple WWW-Authenticate headers correctly during Digest authentication
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.14.3 or later.
When NOT to use: Do not use this fix if the server does not support multiple WWW-Authenticate headers.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/httpx/pull/1240
First fixed release: 0.14.3
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the server does not support multiple WWW-Authenticate headers.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.14.3 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.