diff --git a/crates/uv-auth/src/middleware.rs b/crates/uv-auth/src/middleware.rs
index e57f7bf8d..ab03d4b56 100644
--- a/crates/uv-auth/src/middleware.rs
+++ b/crates/uv-auth/src/middleware.rs
@@ -10,6 +10,7 @@ use tracing::{debug, trace, warn};
use uv_preview::{Preview, PreviewFeatures};
use uv_redacted::DisplaySafeUrl;
+use uv_static::EnvVars;
use uv_warnings::owo_colors::OwoColorize;
use crate::credentials::Authentication;
@@ -352,11 +353,15 @@ impl Middleware for AuthMiddleware {
.is_some_and(|token_store| token_store.is_known_url(request.url()));
let must_authenticate = self.only_authenticated
- || match auth_policy {
- AuthPolicy::Auto => is_known_url,
- AuthPolicy::Always => true,
- AuthPolicy::Never => false,
- };
+ || (match auth_policy {
+ AuthPolicy::Auto => is_known_url,
+ AuthPolicy::Always => true,
+ AuthPolicy::Never => false,
+ }
+ // Dependabot intercepts HTTP requests and injects credentials, which means that we
+ // cannot eagerly enforce an `AuthPolicy` as we don't know whether credentials will be
+ // added outside of uv.
+ && !std::env::var(EnvVars::DEPENDABOT).is_ok_and(|value| value == "true"));
let (mut retry_request, response) = if !must_authenticate {
let url = tracing_url(&request, credentials.as_deref());
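Review bot: The `DEPENDABOT` check added to `must_authenticate` turns off eager enforcement of `AuthPolicy::Always` and of known-URL authentication for any process whose environment has `DEPENDABOT=true`, and nothing is logged when that happens. The variable name is generic and not uv-prefixed, so it may be set outside Dependabot; as far as this hunk shows, the request then takes the `!must_authenticate` branch and is first sent without uv requiring credentials. I would bind the result to a local and trace it, e.g. `let in_dependabot = std::env::var(EnvVars::DEPENDABOT).is_ok_and(|value| value == "true");` followed by `if in_dependabot { debug!("Not enforcing auth policy eagerly: DEPENDABOT=true"); }`, which also moves the explanatory comment out of the boolean expression. `self.only_authenticated` sits outside the new parentheses and is not affected by the override. The enclosing method starts and ends outside the hunk.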
diff --git a/crates/uv-static/src/env_vars.rs b/crates/uv-static/src/env_vars.rs
index 1f9cf3d21..db1024431 100644
--- a/crates/uv-static/src/env_vars.rs
+++ b/crates/uv-static/src/env_vars.rs
@@ -662,6 +662,10 @@ impl EnvVars {
#[attr_added_in("0.8.18")]
pub const CONDA_ROOT: &'static str = "_CONDA_ROOT";
+ /// Used to determine if we're running in Dependabot.
+ #[attr_added_in("next release")]
+ pub const DEPENDABOT: &'static str = "DEPENDABOT";
+
/// If set to `1` before a virtual environment is activated, then the
/// virtual environment name will not be prepended to the terminal prompt.
#[attr_added_in("0.0.5")]
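Review bot: The doc comment on `DEPENDABOT` describes detection only, while the middleware hunk in this commit uses the variable to skip eager `AuthPolicy` enforcement when its value is exactly `true`. The same sentence is what `docs/reference/environment.md` shows, so a reader of the reference cannot tell that setting it relaxes an authentication check. I would state the accepted value and the effect, e.g. `/// Set to "true" when running in Dependabot. uv then does not eagerly enforce the auth policy,` and `/// since Dependabot may inject credentials into requests outside of uv.` The `impl EnvVars` block starts and ends outside the hunk.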
diff --git a/docs/reference/environment.md b/docs/reference/environment.md
index a228ec127..bb1a3272d 100644
--- a/docs/reference/environment.md
+++ b/docs/reference/environment.md
@@ -791,6 +791,11 @@ Used to determine the name of the active Conda environment.
Used to detect the path of an active Conda environment.
+### `DEPENDABOT`
+added in `next release`
+
+Used to determine if we're running in Dependabot.
+
### `FISH_VERSION`
added in `0.1.28`