Commercial proxy services authenticate clients via two mechanisms: username/password credentials embedded in the proxy URL (`http://user:pass@host:port`), or IP allowlisting, where only requests originating from pre-registered client IPs are permitted and no credentials are sent. Username/password authentication is more portable since it works from any IP; IP allowlisting is more secure, since there is no credential in the URL to leak, but it requires static egress IPs from the scraper's host.
Some proxy providers embed session and geo-targeting parameters in the username field: `username-session-abcd1234-country-us` routes the session through a US IP and maintains the same exit IP for the duration of the session. This username parameter syntax varies by provider but achieves session stickiness without separate API calls.
Proxy authentication failures return a 407 Proxy Authentication Required status, distinct from a 403 from the target site. Scrapers must handle 407 explicitly — typically by refreshing credentials or checking that the proxy pool configuration is correct.
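The following added example (not code from any provider or from the original text) ties the three points together: it builds a credentialed proxy URL with percent-encoded credentials, parses the session and geo parameters out of the username, masks the password for logging, and separates a 407 from a 403. The function names, the host `proxy.example`, the sample password and the action labels are assumptions, and the username syntax follows the one example above.

```python
from urllib.parse import quote, urlsplit

def build_proxy_url(host, port, user, password, session=None, country=None):
    """Return http://user:pass@host:port with the credentials percent-encoded."""
    # Parameter syntax copied from the text's example; it varies by provider.
    if session:
        user += f"-session-{session}"
    if country:
        user += f"-country-{country}"
    # An unencoded '@' or ':' in the password would shift the host/port boundary.
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"

def parse_proxy_username(username):
    """Split 'base-session-ID-country-CC' into (base, {param: value})."""
    parts, params = username.split("-"), {}
    # Peel known key/value pairs off the end so a hyphenated base name survives.
    while len(parts) >= 3 and parts[-2] in ("session", "country"):
        params[parts[-2]] = parts[-1]
        parts = parts[:-2]
    return "-".join(parts), params

def redact_proxy_url(url):
    """Mask the password so the proxy URL can be written to logs."""
    p = urlsplit(url)
    if p.password is None:
        return url  # IP-allowlisted proxy: nothing secret in the URL
    return f"{p.scheme}://{p.username}:***@{p.netloc.rpartition('@')[2]}"

def failure_action(status):
    """Name the layer that refused the request (labels are hypothetical)."""
    if status == 407:
        return "refresh-credentials"  # the proxy rejected us; check pool config
    if status == 403:
        return "target-refused"       # the proxy accepted us; the site did not
    return "unhandled"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = build_proxy_url("proxy.example", 8080, "username", "p@ss:word",
                          session="abcd1234", country="us")
    print(redact_proxy_url(url))
    print(parse_proxy_username(urlsplit(url).username))
    print(failure_action(407), failure_action(403))
```
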