Reference

Schema version for this Enterprise Studio configuration file.

Identifies the file as an Enterprise Studio configuration.

neo4j-enterprise-studio-config

Neo4j deployment URI of the tools asset database (for example neo4j://localhost:7687).

Name of the database used for tool asset storage.

Service-account authentication method the server uses to connect to the asset storage DBMS. Configure exactly one method block: basic, oidc, or none.

When oidc is set, Enterprise Studio obtains a bearer token from an external identity provider via the OAuth 2.0 client-credentials grant and uses it to authenticate to the storage database. The oidc sub-block fields below configure the IdP request, and the Neo4j DBMS must be configured with a matching OIDC provider that trusts the IdP.

Specify none as an empty block (none: {}) to connect without authentication.

Service account username for the asset storage connection.

Service account password for the asset storage connection.

OAuth 2.0 token endpoint of the identity provider, used when the oidc method is configured. Must use the https scheme. For Microsoft Entra ID this is https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token; for Keycloak it is https://<host>/realms/<realm>/protocol/openid-connect/token.

OAuth 2.0 client ID of the service principal that Enterprise Studio authenticates as. Required when the oidc method is configured.

OAuth 2.0 client secret of the service principal. Required when the oidc method is configured. Typically supplied via the environment variable so it isn’t stored on disk.

List of OAuth 2.0 scopes requested when fetching the token. Provider-specific; for Microsoft Entra ID set this to [api://<neo4j-app-id>/.default]. Optional - some providers (for example Keycloak in client-credentials mode) don’t require any scopes.

When overriding with an environment variable, supply the value as a JSON array, for example ["openid"].

End-user Neo4j deployments shown in the Enterprise Studio connection form.

Display name shown to users in the UI for this deployment.

Neo4j deployment URI of the main database used by the server.

When directClientQuery.enabled is false, the URI must use the http or https scheme, since Enterprise Studio proxies all queries over HTTP. When directClientQuery.enabled is true, the URI can use any Neo4j protocol scheme (for example bolt, bolt+s, neo4j, neo4j+s, http, or https).

Whether the browser client queries the main database directly instead of routing queries through the Enterprise Studio server.

true or false.

Browser-reachable Neo4j URI of the main database, used when directClientQuery.enabled is true. May differ from neo4jDeployments.<deployment-id>.uri, which is reachable from the server.

Whether end users can sign in to this deployment with username/password (basic) authentication.

true or false.

Whether end users can sign in to this deployment with single sign-on through an OIDC identity provider.

true or false.

Role mapping that grants Enterprise Studio roles to Neo4j database users and roles.

In _config.yaml\_, define roleMapping as a YAML list; each entry has a role (studioAdmin or studioCreator) and a members list, where each member has a kind (databaseUser or databaseRole) and a name.

When overriding with an environment variable, set NES_neo4jDeployments_<deployment-id>_authorization_roleMapping to the full roleMapping array as a JSON string. There are no separate environment variables for individual members or role values.

When omitted, the role mapping defaults to granting studioAdmin to the Neo4j admin role (databaseRole:admin).

Whether the Dashboards tool is shown in the Enterprise Studio UI.

true or false.

Whether the Bloom tool is shown in the Enterprise Studio UI.

true or false.

Whether the Query tool is shown in the Enterprise Studio UI.

true or false.

Filesystem path to the Enterprise license file.

HTTP port the Enterprise Studio server listens on.

Whether the Enterprise Studio web listener serves HTTPS on server.port. When false, the server uses plain HTTP. When true, configure server.https.certificates and place certificate files on disk; see Security → TLS. Outbound trust to Neo4j is configured separately; see Binary deployment.

Enterprise Studio reads HTTPS settings only at startup; restart the server after changes.

true or false.

Whether map tiles are served by the Enterprise Studio server for use by the Dashboards map visualization. By default, the Neo4j PMTiles provider tiles.neo4j.io/current/planet.pmtiles is used. Set to false to disable maps entirely; this is recommended for air-gapped deployments without outbound internet access where no self-hosted tile provider is configured.

true or false

Tile data format of the custom provider. Required when customTilesProvider is configured.

raster or pmtiles

Edge length, in pixels, of one raster tile (usually 256, or 512 for high-density "@2x" tiles). Only valid when format.type is raster.

URL of the upstream tile provider, proxied through the Enterprise Studio server. For raster format, the URL must contain the placeholder template {z}/{x}/{y}. For pmtiles format, it must be a single-file URL with no placeholders.

Set exactly one of upstream.http or upstream.file.

Map of HTTP headers forwarded to the upstream provider on every request — used for API keys or bearer tokens the provider requires.

When overriding with an environment variable, set the value to a JSON object, for example {"X-API-Key":"…​"}.

Absolute filesystem path to a single PMTiles file served by the proxy. Only valid for pmtiles format. Set exactly one of upstream.http or upstream.file.

Value sent in the Access-Control-Allow-Origin response header for the reverse-proxied /map-tiles requests. Set to a specific origin (for example, https://studio.example.com) to restrict tile access to your own domain when the tile provider requires it.

Attribution label rendered in the map. Required for compliance with most tile providers' terms of service.

URL linked from the attribution label rendered in the map.

Content-Security-Policy header value for static assets served by the server. If omitted, a default policy is applied automatically. Set to an empty string ("") to disable the header entirely.

The default policy shown below is applied when this setting is omitted.

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com/; img-src 'self' data: blob:; media-src 'self' data: blob:; connect-src 'self' ws: wss: http: https:; worker-src 'self' blob:; child-src 'self' blob:; form-action 'none'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'

Log level for general server logs.

One of debug, info, warn, or error.

Log output format; json is recommended for production.

One of json or pretty.

Whether query profiling is enabled for the Storage API.

true or false.

Whether per-request access logs for the Storage API are enabled.

true or false.

Directory for TLS certificate files when server.https.enabled is true, relative to the installation home unless an absolute path is set.

Private key filename within server.https.certificates.baseDirectory. Must be an unencrypted PKCS#8 PEM file (BEGIN PRIVATE KEY).

Public certificate filename within server.https.certificates.baseDirectory.