diff --git a/extension/apikeyauthextension/authenticator.go b/extension/apikeyauthextension/authenticator.go
index 52ea5c0d7..929224039 100644
--- a/extension/apikeyauthextension/authenticator.go
+++ b/extension/apikeyauthextension/authenticator.go
@@ -281,12 +281,19 @@ func (a *authenticator) Authenticate(ctx context.Context, headers map[string][]s
 hasPrivileges, username, err := a.hasPrivileges(ctx, authHeaderValue)
 if err != nil {
- if elasticsearchErr, ok := err.(*types.ElasticsearchError); ok {
- if elasticsearchErr.Status == http.StatusUnauthorized || elasticsearchErr.Status == http.StatusForbidden {
+ var elasticsearchErr *types.ElasticsearchError
+ if errors.As(err, &elasticsearchErr) {
+ switch elasticsearchErr.Status {
+ case http.StatusUnauthorized, http.StatusForbidden:
 return ctx, status.Error(codes.Unauthenticated, err.Error())
+ default:
+ return ctx, status.Errorf(codes.Internal, "error checking privileges for API Key %q: %v", id, err)
 }
 }
- return ctx, status.Errorf(codes.Unauthenticated, "error checking privileges for API Key %q: %v", id, err)
+ return ctx, errorWithDetails(codes.Unavailable, fmt.Sprintf("retryable server error for API Key %q: %v", id, err), map[string]string{
+ "component": "apikeyauthextension",
+ "api_key": id,
+ })
 }
 if !hasPrivileges {
 cacheEntry := &cacheEntry{
diff --git a/extension/apikeyauthextension/authenticator_test.go b/extension/apikeyauthextension/authenticator_test.go
index 2aaafafe5..ee81008d8 100644
--- a/extension/apikeyauthextension/authenticator_test.go
+++ b/extension/apikeyauthextension/authenticator_test.go
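Review bot: Every error branch of Authenticate in authenticator.go puts the raw upstream `err` into the gRPC status message returned to a caller who has not been authenticated yet, and the new `codes.Unavailable` fallthrough now does this for transport-level failures, whose text can presumably include the Elasticsearch endpoint address or proxy details. I would log the full error server-side and return a fixed message, e.g. `return ctx, status.Error(codes.Unavailable, "authentication backend unavailable")`, and keep the `api_key` id out of client-visible details unless a consumer needs it. Separately, the `default:` case maps every other structured Elasticsearch status to `codes.Internal`, so a 429 or 503 that arrives with a JSON error body is not retryable while an empty-bodied 502 is; adding `case http.StatusTooManyRequests, http.StatusServiceUnavailable:` with a `codes.Unavailable` return would make the two paths agree. Authenticate starts and ends outside the hunk and `errorWithDetails` is not shown, so how the details map reaches the client is inferred.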
@@ -77,7 +77,7 @@ func TestAuthenticator(t *testing.T) {
 },
 Status: 400,
 }),
- expectedErr: `rpc error: code = Unauthenticated desc = error checking privileges for API Key "id": status: 400, failed: [a_type], reason: a_reason`,
+ expectedErr: `rpc error: code = Internal desc = error checking privileges for API Key "id": status: 400, failed: [a_type], reason: a_reason`,
 },
 "auth_error": {
 handler: newCannedErrorHandler(types.ElasticsearchError{
@@ -92,6 +92,13 @@ func TestAuthenticator(t *testing.T) {
 }),
 expectedErr: `rpc error: code = Unauthenticated desc = status: 401, failed: [auth_reason], reason: auth_reason`,
 },
+ "proxy_502_error": {
+ handler: func(w http.ResponseWriter, r *http.Request) {
+ // Simulate proxy returning 502 when ES is unreachable - empty response body
+ w.WriteHeader(http.StatusBadGateway)
+ },
+ expectedErr: `rpc error: code = Unavailable desc = retryable server error "id": EOF`,
+ },
 "missing_privileges": {
 handler: newCannedHasPrivilegesHandler(hasprivileges.Response{HasAllRequested: false}),
 expectedErr: `rpc error: code = PermissionDenied desc = API Key "id" unauthorized`,
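Review bot: The `proxy_502_error` expectation does not match the message the new code builds: authenticator.go formats `"retryable server error for API Key %q: %v"`, while the test expects `retryable server error "id": EOF`, without `for API Key`. Unless `errorWithDetails` (not shown) rewrites the message, the expected text should read `rpc error: code = Unavailable desc = retryable server error for API Key "id": EOF`. A further table entry with a structured Elasticsearch 429 or 5xx error would pin down that this path returns `codes.Internal` rather than `codes.Unavailable`, which is easy to miss for an authenticator that clients may retry against. TestAuthenticator's table and its comparison of `expectedErr` lie outside the hunk, so whether the match is exact is not visible here.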