FAQ

Frequently asked questions and answers.

Install & Account

Q. I see an "unidentified developer" warning on macOS.

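Go to System Settings → Privacy & Security and click "Open Anyway". Alternatively, run xattr -cr /Applications/NeoSQL.app in the terminal; this recursively clears the app bundle's extended attributes, including the quarantine flag that triggers the warning.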

Q. I see a SmartScreen warning on Windows.

Click "More info" and then click "Run anyway". NeoSQL is a safe application.

Q. I forgot my password.

Click "Forgot password?" at the bottom of the sign-in page and enter your registered email — a reset link is sent to that address. The link is valid for 30 minutes; if it expires, you can request another.

Q. I signed up with a social login but the verification email never arrived.

If your social provider (such as GitHub) hides your email address, NeoSQL cannot receive it and the sign-up flow asks you to enter an email manually. A verification email is then sent to the address you typed; once you click the link, your account is activated. GitHub's authenticated primary email is pulled in automatically even when set to private, so in most cases no extra step is needed.

Q. How do I force-sign-out other devices?

The sign-out button only ends the current device's session. To terminate sessions on every device, change your password — existing session tokens are invalidated immediately, forcing other devices to sign in again. Sessions otherwise stay alive for 30 days from the last activity.

Projects & ERD

Q. How do I invite teammates to a project?

Open the project settings modal, go to the Members tab, click "Invite" and enter the email and role (Owner/Manager/DBA/Member). The invitee accepts from the email or the My Page notifications; you can cancel an invitation any time before it's accepted.

Q. What's the difference between Owner / Manager / DBA / Member?

Owner is the project creator (one per project) and can do everything, including transferring ownership. Manager is a delegated operator for member and settings management; DBA is the role typically designated as the DDL approver; Member is a general collaborator. Detailed permissions (sharing, connections, DDL restrictions, etc.) are toggled separately per role via checkboxes.

Q. Can I generate an ERD from an existing database?

On the ERD category's "Import" page, pick an existing DB connection and tables/relationships are extracted into a new ERD automatically. You can also upload a DDL file directly on the same page. Imported ERDs work just like any other ERD — edit them freely and Forward-apply changes back to the DB.

Q. How do I export the ERD as an image, SVG, or PDF?

Use the export menu in the top-right corner of the ERD canvas to save as PNG or SVG. Direct PDF export is not yet supported — export to PNG/SVG first and convert to PDF afterward. Depending on the watermark policy, exports may carry a watermark; the current mode is shown in the Watermark tab of project settings.

Database Work

Q. The connection test fails.

Check that the host address and port number are correct, that the database service is running, that the port is open in the firewall, and that the account has remote access permissions.

Q. Can I connect to a localhost DB from the web version?

The web version cannot directly connect to local databases due to browser security policies. Use the desktop app if you need to connect to a local DB.

Q. My localhost / SQLite connection isn't visible to my teammates.

SQLite, H2 Embedded, and localhost connections (127.0.0.1, ::1, 0.0.0.0) mean different things on another machine — or simply don't work there — so NeoSQL automatically marks them as "owner-only (Private)". This is intentional behavior and the flag cannot be toggled manually. If you need to share the connection with the team, register it against an external host (a remote DB) instead.

Q. How do I connect over SSL/TLS, an SSH tunnel, or a proxy?

Open the connection edit modal and configure SSL/TLS, SSH tunnel, and HTTP proxy options on the security tab. SSH and proxy credentials (id/password/private key) are stored per member and never shared with other teammates; SSL client certificates and keys are also kept separately per member.

Q. Are dangerous statements like DROP / DELETE blocked automatically?

If the connection profile is set to "Confirm", an explicit confirmation dialog appears just before running DELETE/UPDATE without WHERE and DDL statements (DROP/TRUNCATE etc.). With "Read-only", every non-SELECT statement is blocked immediately. The prod environment preset defaults to Confirm; for stricter operations, switch the prod profile to Read-only and route changes through a separate workflow.
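The decision table described above can be sketched as a small statement guard. This is an added illustration, not NeoSQL's code: the function names, the DDL verb list and the regex-based parsing are assumptions, and a production guard should rely on the database's own parser.

```javascript
// Added illustration of a statement guard; NOT NeoSQL's implementation.
// Assumption: DDL is recognised by its leading verb from this list.
const DDL = new Set(['CREATE', 'ALTER', 'DROP', 'TRUNCATE', 'RENAME']);
const RANK = { allow: 0, confirm: 1, block: 2 };

// Blank out string literals and comments in one left-to-right pass so that a
// ';' or the word WHERE inside them cannot influence the decision.
// Limitation: quoted identifiers and dollar-quoted strings are not handled.
function normalize(sql) {
  return sql.replace(/'(?:[^']|'')*'|--[^\n]*|\/\*[\s\S]*?\*\//g,
    (m) => (m[0] === "'" ? "''" : ' '));
}

// Decide for one statement under the profile names used in the FAQ.
function guardOne(stmt, profile) {
  const verb = stmt.trim().split(/\s+/)[0].toUpperCase();
  if (profile === 'Read-only') return verb === 'SELECT' ? 'allow' : 'block';
  if (profile === 'Confirm') {
    if (DDL.has(verb)) return 'confirm';
    // Heuristic: a WHERE that only appears in a subquery would also pass.
    const unfiltered = !/\bWHERE\b/i.test(stmt);
    if ((verb === 'DELETE' || verb === 'UPDATE') && unfiltered) return 'confirm';
  }
  return 'allow'; // any other profile: no guard (assumption)
}

// A multi-statement script gets the strictest decision of its statements,
// so "SELECT 1; DROP TABLE t" cannot ride in behind a harmless first verb.
function guard(sql, profile) {
  const stmts = normalize(sql).split(';').filter((s) => s.trim() !== '');
  return stmts.map((s) => guardOne(s, profile))
    .reduce((worst, d) => (RANK[d] > RANK[worst] ? d : worst), 'allow');
}

// Constructed sample statements.
console.log(guard('DELETE FROM users', 'Confirm'));        // confirm
console.log(guard('SELECT 1; DROP TABLE t', 'Read-only')); // block
```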

AI & Security

Q. Can I keep AI from breaking my production database?

Set the connection profile of production connections to "Read-only" or "Confirm" — AI-issued DML/DDL goes through the same guard. In addition, NeoSQL's AI settings let you explicitly whitelist which connections and schemas MCP can access, and per-schema toggles control whether DDL runs immediately and whether DML auto-commits.

Q. How do I connect MCP clients like Claude Code or Cursor?

From NeoSQL's AI settings page, copy the configuration snippet for your MCP client (Claude Code, Cursor, Gemini, etc.) and paste it into that client's config file. No plugin install or token issuance is needed — the MCP server is bundled inside NeoSQL itself, so it's reachable as soon as NeoSQL is running.

Q. Are my database credentials stored securely?

Every project's DB credentials (host, port, URL, password, SSL certificates, SSH credentials, etc.) are field-level encrypted with AES-256-GCM. The encryption key (DEK) is then wrapped by an AWS KMS Customer Master Key — even if the server database is exfiltrated whole, plaintext recovery is impossible without separate KMS access. Passwords are never displayed in plaintext anywhere in the UI.
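The envelope-encryption pattern described above, as an added example that is not NeoSQL's code: each field is sealed with AES-256-GCM under a random DEK, and only the wrapped DEK is stored. A local random key stands in for the KMS-held key, and all function and field names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: a local random key stands in for the KMS-held key. In the design
// the FAQ describes, that key stays inside AWS KMS and only wraps/unwraps DEKs.
const kek = nodeCrypto.randomBytes(32);

// AES-256-GCM with a fresh 96-bit nonce; `aad` is authenticated, not encrypted.
function gcmSeal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext, tag or AAD was altered.
function gcmOpen(key, box, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Encrypt every field under one random DEK; persist only the wrapped DEK.
function encryptRecord(fields, wrappingKey) {
  const dek = nodeCrypto.randomBytes(32);
  const record = { wrappedDek: gcmSeal(wrappingKey, dek, 'dek'), fields: {} };
  for (const [name, value] of Object.entries(fields)) {
    // Binding the field name as AAD stops ciphertexts being swapped between fields.
    record.fields[name] = gcmSeal(dek, Buffer.from(value, 'utf8'), name);
  }
  return record;
}

function decryptField(record, name, wrappingKey) {
  const dek = gcmOpen(wrappingKey, record.wrappedDek, 'dek');
  return gcmOpen(dek, record.fields[name], name).toString('utf8');
}

// Constructed sample values, not real credentials.
const record = encryptRecord(
  { host: 'db.example.internal', password: 'constructed-sample' }, kek);
console.log(decryptField(record, 'password', kek));
```

A copy of `record` alone, which is all a dump of the application database would contain, cannot be opened without the wrapping key.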

Q. I lost my Zero-Knowledge passphrase.

The passphrase itself is not recoverable — NeoSQL operators do not have it either, so we cannot help retrieve it. What you lose is only the encrypted credential fields stored in NeoSQL's database; the actual data and the upstream credential source (host/port/account/password) remain intact. Get the credentials again from your DBA or team password vault and re-enter them into a new project — or a project whose ZK was disabled and re-enabled — and you're back online in minutes.

For the full procedure, see the "If the passphrase is lost" section on the Security → Zero-Knowledge Encryption page.