figured this out, I was hitting a web application and my base URL had a single slash on the end of the URL. In my stream, I also had a single slash before the path so there was a double slash in the URL. This web application did a redirect to a single slash but downgraded your request to HTTP. Python request’s library strips out the Authorization header automatically to prevent SSL stripping attacks -- this one was fun to figure out heh