Thank you all for the suggestions, here’s what I did.

First of all, I wrapped things in HTTP::Request so it’s easier to manage — in particular, this also means that the $req->uri is a URI, which too is easier to manage. It’s also easier to construct a HEAD request to the same place this way, which is needed.

Second, I tried to find where in the LWP ecosystem do we authenticate, which of course is the non-documented (and not really public) module LWP::Authen::Digest.

Which of course takes (somewhat) sanitised WWW-Authenticate data (which, as it turns out from reading the source, is a somewhat unstandard header). For this, one has to use HTTP::Headers::Util qw(split_header_words) and a fine tr///.

The rest is fairly easy, just have to emulate some structures for the auth_header function that don’t exist in AnyEvent::HTTP.