Use `Response.challenges()` to get the schemes and realms of any authentication challenges. When fulfilling a `Basic` challenge, use `Credentials.basic(username, password)` to encode the request header.

=== ":material-language-kotlin: Kotlin"
    ```kotlin

          call: Call,
          response: Response,
        ) {
          responses.offer(response.body.string())
        }
      }

    // Make the first request waiting until we get our auth challenge.
    val request = Request(server.url("/"))
    blockingAuthClient.newCall(request).enqueue(callback)
    val response1 = responses.take()
    assertThat(response1).isEqualTo("")

    val response = authenticator.onlyResponse()
    assertThat(
      response.request.url
        .toUrl()
        .path,
    ).isEqualTo("/private")
    assertThat(response.challenges()).isEqualTo(listOf(Challenge("Basic", "protected area")))
  }

  @Test
  fun customTokenAuthenticator() {
    server.enqueue(
      MockResponse(
        code = 401,

	public final fun matchesCertificate (Ljava/security/cert/X509Certificate;)Z
	public final fun matchesHostname (Ljava/lang/String;)Z
	public fun toString ()Ljava/lang/String;
}

public final class okhttp3/Challenge {
	public final fun -deprecated_authParams ()Ljava/util/Map;
	public final fun -deprecated_charset ()Ljava/nio/charset/Charset;
	public final fun -deprecated_realm ()Ljava/lang/String;

        .addHeader("Last-Modified: " + formatDate(-1, TimeUnit.HOURS))
        .addHeader("Expires: " + formatDate(1, TimeUnit.HOURS))
        .code(responseCode)
        .body("ABCDE")
        .addHeader("WWW-Authenticate: challenge")
    when (responseCode) {
      HttpURLConnection.HTTP_PROXY_AUTH -> {
        builder.addHeader("Proxy-Authenticate: Basic realm=\"protected area\"")
      }

      HttpURLConnection.HTTP_UNAUTHORIZED -> {

          assertThat(response.code).isEqualTo(HttpURLConnection.HTTP_PROXY_AUTH)
          assertThat(response.request.url.host).isEqualTo("android.com")
          val challenges = response.challenges()
          assertThat(challenges[0].scheme).isEqualTo("OkHttp-Preemptive")
          response.request
            .newBuilder()
            .header("Proxy-Authorization", credential)
            .build()

            return null; // Give up, we've already attempted to authenticate.
          }

          System.out.println("Authenticating for response: " + response);
          System.out.println("Challenges: " + response.challenges());
          String credential = Credentials.basic("jesse", "password1");
          return response.request().newBuilder()
              .header("Authorization", credential)
              .build();
        })

              return null // Give up, we've already attempted to authenticate.
            }

            println("Authenticating for response: $response")
            println("Challenges: ${response.challenges()}")
            val credential = Credentials.basic("jesse", "password1")
            return response.request
              .newBuilder()
              .header("Authorization", credential)
              .build()

      .newBuilder()
      .addHeader(header, credential)
      .build()
  }

  private fun schemeMatches(response: Response): Boolean {
    if (scheme == null) return true
    return response.challenges().any { it.scheme.equals(scheme, ignoreCase = true) }
  }

A single HTTP call may require follow-up requests to be made to handle authentication challenges, redirects, and HTTP-layer timeouts. In such cases multiple connections, requests, and responses may be attempted. Follow-ups are another reason a single call may trigger multiple events of the same type.