Authentication and authorization

Authentication and authorization are enabled by default in Neo4j (refer to Operations Manual → Authentication and authorization). With authentication and authorization enabled, requests to the HTTP API must be authorized using the username and password of a valid user.

1. Missing authorization

If an Authorization header is not supplied, the server will reply with an error.

Example request

  • POST http://localhost:7474/db/neo4j/tx/commit

  • Accept: application/json;charset=UTF-8

  • Content-Type: application/json

{
  "statements": [
    {
      "statement": "CREATE (n:MyLabel) RETURN n"
    }
  ]
}

Example response

  • 401: Unauthorized

  • Content-Type: application/json;charset=utf-8

  • WWW-Authenticate: Basic realm="Neo4j"

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "No authentication header supplied."
  } ]
}

If authentication and authorization have been disabled, HTTP API requests can be sent without an Authorization header.

2. Incorrect authentication

If an incorrect username or password is provided, the server replies with an error.

Example request

  • POST http://localhost:7474/db/neo4j/tx/commit

  • Accept: application/json;charset=UTF-8

  • Authorization: Basic bmVvNGo6aW5jb3JyZWN0

  • Content-Type: application/json

{
  "statements": [
    {
      "statement": "CREATE (n:MyLabel) RETURN n"
    }
  ]
}

Example response

  • 401: Unauthorized

  • Content-Type: application/json;charset=utf-8

  • WWW-Authenticate: Basic realm="Neo4j"

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "Invalid username or password."
  } ]
}

3. Authentication failure on open transactions

A Neo.ClientError.Security.Unauthorized error will typically imply a transaction rollback. However, due to the way authentication is processed in the HTTP server, the transaction will remain open.