Chapter 4. Authentication and authorization

This chapter describes the authentication and authorization required to use the HTTP API.

4.1. Introduction

Authentication and authorization are enabled by default in Neo4j (refer to Operations Manual → Authentication and authorization). With authentication and authorization enabled, requests to the HTTP API must be authorized using the username and password of a valid user.

4.2. Missing authorization

If an Authorization header is not supplied, the server replies with an error.

Example request

  • POST http://localhost:7474/db/neo4j/tx/commit
  • Accept: application/json;charset=UTF-8
  • Content-Type: application/json
{
  "statements" : [ {
    "statement" : "CREATE (n:MyLabel) RETURN n"
  } ]
}

Example response

  • 401: Unauthorized
  • Content-Type: application/json;charset=utf-8
  • WWW-Authenticate: Basic realm="Neo4j"
{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "No authentication header supplied."
  } ]
}

If authentication and authorization have been disabled, HTTP API requests can be sent without an Authorization header.

4.3. Incorrect authentication

If an incorrect username or password is provided, the server replies with an error.

Example request

  • POST http://localhost:7474/db/neo4j/tx/commit
  • Accept: application/json;charset=UTF-8
  • Authorization: Basic bmVvNGo6aW5jb3JyZWN0
  • Content-Type: application/json
{
  "statements" : [ {
    "statement" : "CREATE (n:MyLabel) RETURN n"
  } ]
}

Example response

  • 401: Unauthorized
  • Content-Type: application/json;charset=utf-8
  • WWW-Authenticate: Basic realm="Neo4j"
{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "Invalid username or password."
  } ]
}
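
The Basic Authorization header used above is only the Base64 encoding of `username:password`, so it is readable by anyone who can see the request. The following sketch is an added example, not part of the Neo4j documentation: it builds and decodes that header and tells the two 401 responses shown in this chapter apart, which is useful when separating misconfigured clients from failed logins in client-side logs. The function names and the labels returned are assumptions made for this illustration.

```python
import base64
import json

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic authentication."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic_auth(header_value: str):
    """Recover (username, password); Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

# Messages taken from the two example responses in this chapter;
# the labels on the right are hypothetical names for this example.
_MESSAGES = {
    "No authentication header supplied.": "missing_header",
    "Invalid username or password.": "bad_credentials",
}

def classify_auth_failure(status: int, body: str) -> str:
    """Label a response as an authentication failure type, if it is one."""
    if status != 401:
        return "not_auth_failure"
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        return "other"
    for err in errors:
        if isinstance(err, dict) and err.get("code") == "Neo.ClientError.Security.Unauthorized":
            return _MESSAGES.get(err.get("message"), "other")
    return "other"

# Response bodies copied from the examples in sections 4.2 and 4.3.
MISSING = '{"errors":[{"code":"Neo.ClientError.Security.Unauthorized","message":"No authentication header supplied."}]}'
INVALID = '{"errors":[{"code":"Neo.ClientError.Security.Unauthorized","message":"Invalid username or password."}]}'

if __name__ == "__main__":
    print(decode_basic_auth("Basic bmVvNGo6aW5jb3JyZWN0"))
    print(classify_auth_failure(401, MISSING), classify_auth_failure(401, INVALID))
```

Because the header decodes this easily, send it only over a TLS-protected connection.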