Authentication and authorization

Authentication and authorization are enabled by default in Neo4j (refer to Operations Manual → Authentication and authorization). With authentication and authorization enabled, requests to the HTTP API must be authorized using the username and password of a valid user.

Missing authorization

If an Authorization header is not supplied, the server will reply with an error.

Example request

POST http://localhost:7474/db/neo4j/tx/commit
Accept: application/json;charset=UTF-8
Content-Type: application/json

{
  "statements": [
    {
      "statement": "CREATE (n:MyLabel) RETURN n"
    }
  ]
}

Example response

401: Unauthorized
Content-Type: application/json;charset=utf-8
WWW-Authenticate: Basic realm="Neo4j"

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "No authentication header supplied."
  } ]
}

If authentication and authorization have been disabled, HTTP API requests can be sent without an Authorization header.

Incorrect authentication

If an incorrect username or password is provided, the server replies with an error.

Example request

POST http://localhost:7474/db/neo4j/tx/commit
Accept: application/json;charset=UTF-8
Authorization: Basic bmVvNGo6aW5jb3JyZWN0
Content-Type: application/json

{
  "statements": [
    {
      "statement": "CREATE (n:MyLabel) RETURN n"
    }
  ]
}

Example response

401: Unauthorized
Content-Type: application/json;charset=utf-8
WWW-Authenticate: Basic realm="Neo4j"

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "Invalid username or password."
  } ]
}

Authentication failure on open transactions

A Neo.ClientError.Security.Unauthorized error will typically imply a transaction rollback. However, due to the way authentication is processed in the HTTP server, the transaction will remain open.

Was this page helpful?