requests supports Basic Authentication and HTTP Digest Authentication by default. There are also a number of third-party libraries for authentication with:

The requests_toolbelt.auth provides extra authentication features in addition to those. It provides the following authentication classes:


The AuthHandler is a way of using a single session with multiple websites that require authentication. If you know what websites require a certain kind of authentication and what your credentials are.

Take for example a session that needs to authenticate to GitHub’s API and GitLab’s API, you would set up and use your AuthHandler like so:

import requests
from requests_toolbelt.auth.handler import AuthHandler

def gitlab_auth(request):
    request.headers['PRIVATE-TOKEN'] = 'asecrettoken'

handler = AuthHandler({
    '': ('sigmavirus24', 'apassword'),
    '': gitlab_auth,

session = requests.Session()
session.auth = handler
r = session.get('')
# assert r.ok
r2 = session.get('')
# assert r2.ok


You must provide both the scheme and domain for authentication. The AuthHandler class will check both the scheme and host to ensure your data is not accidentally exposed.

class requests_toolbelt.auth.handler.AuthHandler(strategies)

The AuthHandler object takes a dictionary of domains paired with authentication strategies and will use this to determine which credentials to use when making a request. For example, you could do the following:

from requests import HTTPDigestAuth
from requests_toolbelt.auth.handler import AuthHandler

import requests

auth = AuthHandler({
    '': ('sigmavirus24', 'fakepassword'),
    '': HTTPDigestAuth('username', 'password')

r = requests.get('', auth=auth)
# => <Response [200]>
r = requests.get('', auth=auth)
# => <Response [200]>

s = requests.Session()
s.auth = auth
r = s.get('')
# => <Response [200]>


requests.auth.HTTPDigestAuth is not yet thread-safe. If you use AuthHandler across multiple threads you should instantiate a new AuthHandler for each thread with a new HTTPDigestAuth instance for each thread.

add_strategy(domain, strategy)

Add a new domain and authentication strategy.

  • domain (str) – The domain you wish to match against. For example: ''
  • strategy (str) – The authentication strategy you wish to use for that domain. For example: ('username', 'password') or requests.HTTPDigestAuth('username', 'password')
a = AuthHandler({})
a.add_strategy('', ('username', 'password'))

Retrieve the authentication strategy for a specified URL.

Parameters:url (str) – The full URL you will be making a request against. For example, ''
Returns:Callable that adds authentication to a request.
import requests
a = AuthHandler({'', ('foo', 'bar')})
strategy = a.get_strategy_for('')
assert isinstance(strategy, requests.auth.HTTPBasicAuth)

Remove the domain and strategy from the collection of strategies.

Parameters:domain (str) – The domain you wish remove. For example, ''.
a = AuthHandler({'', ('foo', 'bar')})
assert a.strategies == {}


The GuessAuth authentication class automatically detects whether to use basic auth or digest auth:

import requests
from requests_toolbelt.auth import GuessAuth

             auth=GuessAuth('user', 'passwd'))
             auth=GuessAuth('user', 'passwd'))

Detection of the auth type is done via the WWW-Authenticate header sent by the server. This requires an additional request in case of basic auth, as usually basic auth is sent preemptively. If the server didn’t explicitly require authentication, no credentials are sent.

class requests_toolbelt.auth.guess.GuessAuth(username, password)

Guesses the auth type by the WWW-Authentication header.


The HTTPProxyDigestAuth use digest authentication between the client and the proxy.

import requests
from requests_toolbelt.auth.http_proxy_digest import HTTPProxyDigestAuth

proxies = {
    "http": "http://PROXYSERVER:PROXYPORT",
    "https": "https://PROXYSERVER:PROXYPORT",
url = ""
auth = HTTPProxyDigestAuth("USERNAME", "PASSWORD")
requests.get(url, proxies=proxies, auth=auth)

Program would raise error if the username or password is rejected by the proxy.

class requests_toolbelt.auth.http_proxy_digest.HTTPProxyDigestAuth(*args, **kwargs)

HTTP digest authentication between proxy

Parameters:stale_rejects (int) – The number of rejects indicate that: the client may wish to simply retry the request with a new encrypted response, without reprompting the user for a new username and password. i.e., retry build_digest_header