Authorize requests

Unless authentication is disabled on the server, all requests must be authorized using the login credentials of a valid user.

Request are authorized through an Authorization header. The header value encoding follows the standard format for Basic authentication (RFC 7617), which is as follows:

Authorization: Basic <base64(username:password)>

For example, to authenticate as user neo4j with password verysecret, first join them with a colon:

neo4j:verysecret

and then base64-encode that value:

bmVvNGo6dmVyeXNlY3JldA==

How to base64-encode a string

To base64-encode a string on a Linux or Mac machine, use the built-in base64 command:

echo -n "neo4j:verysecret" | base64

To obtain the final header, prepend Basic to the base64-encoding of the credentials:

Authorization: Basic bmVvNGo6dmVyeXNlY3JldA==

If authentication is disabled on the server, requests can be sent without an Authorization header.

Missing authorization

If an Authorization header is not supplied (and authentication is not disabled), the server replies with status 401 Forbidden and an error.

Example request

POST http://localhost:7474/db/neo4j/query/v2

Example response

401: Unauthorized
Content-Type: application/json

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "No authentication header supplied."
  } ]
}

Incorrect authentication

If an incorrect username or password is provided, the server replies with status 401 Forbidden and an error.

Example request

POST http://localhost:7474/db/neo4j/query/v2
Authorization: Basic bmVvNGo6aW5jb3JyZWN0

Example response

401: Unauthorized
Content-Type: application/json

{
  "errors" : [ {
    "code" : "Neo.ClientError.Security.Unauthorized",
    "message" : "Invalid username or password."
  } ]
}

Invalid authentication

If the content of the Authorization header is not properly base64-encoded, the server replies with status 401 Forbidden and an error.

Example request

POST http://localhost:7474/db/neo4j/query/v2
Authorization: Basic not-proper-base64

Example response

401: Unauthorized
Content-Type: application/json

{
  "errors" : [ {
    "code": "Neo.ClientError.Request.InvalidFormat",
    "message": "Invalid authentication header."
  } ]
}