Connecting to your PlanetScale for Postgres database
(Updated )
PlanetScale for Postgres work with any standard PostgreSQL driver or library that supports SSL connections.
Creating a password
Every PostgreSQL database comes with a default postgres role that you can generate upon creating your database. This role has the most privileged access to your database and can be used to create additional roles with fewer permissions. See the postgres role section for more information.
- From the PlanetScale organization dashboard, select the desired database
- Select the desired branch from the dropdown
- Click "Connect"
- Click "Create default role"
- This generates the unique username and password pair for your default user that you can use to access the designated branch of your database.
Tip
Make sure you copy the credentials, as we will not display them once you leave the page. If you need to access your default credentials after leaving the page, you have to reset the default password.
You'll be provided with the following:
DATABASE_HOST=**********-<REGION>.horizon.psdb.cloud DATABASE_NAME=<DATABASE_NAME> DATABASE_USERNAME=postgres.<BRANCH_ID> DATABASE_PASSWORD=pscale_pw_**************************
Here is an example of the connection string that connects directly (without PSBouncer) you can use to connect to the Postgres CLI:
psql 'host=xxxxxxxxxx-useast1-1.horizon.psdb.cloud \
port=5432 \
user=postgres.xxxxxxxxxx \
password=pscale_pw_xxxxxxxxxxxxxxxxxx \
dbname=my_database \
sslnegotiation=direct \
sslmode=verify-full \
sslrootcert=system'
Connection parameters
| Parameter | Description |
|---|---|
| host | Your database hostname in the format {id+region}.horizon.psdb.cloud |
| port | Connection port (5432 for direct, 6432 for PSBouncer) |
| user | Your role username in the format {role}.{branch_id} |
| password | Your role password (begins with pscale_pw_) |
| dbname | Your database name |
| sslmode | Set to verify-full for secure connections (required) |
| sslrootcert | Set to system. See the Secure connections documentation if that produces an error. |
| sslnegotiation | Set to direct for improved performance (optional) |
Secure connections
All PlanetScale for Postgres connections require SSL/TLS encryption. The following parameters are used to enforce this:
| Parameter | Required | Description |
|---|---|---|
sslmode=verify-full | Required | Verifies both encryption and server identity |
sslrootcert=system | Required | Uses system certificate store by default. If this method doesn't work, you can enter the path to your root certificate instead. The exact locations of root certificates differ by SSL implementation and platform. |
sslnegotiation=direct | Optional | Enables direct SSL negotiation for better performance. |
Additional roles
You should not connect to your database from application servers with the default role, as you will need to take some downtime if you ever have to rotate your password.
Instead, you can create additional roles with fine-grained permission settings for this purpose. Check out our roles documentation for more information.
Resetting the default password
If you need to reset the password for the default postgres role:
- From the PlanetScale organization dashboard, select the desired database
- Select the desired branch from the dropdown
- Click "Connect"
- Click "Reset default role"
- Update the credentials any place that they are in use
Warning
Resetting the default password will disconnect any existing connections using the previous credentials.
Default postgres role
The default postgres role is similar to the Postgres superuser, but with fewer permissions. It is defined by the following statement:
CREATE ROLE $POSTGRES_USERNAME NOSUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS PASSWORD '$PASSWORD';
It also inherits the following permissions:
GRANT pg_read_all_data, pg_write_all_data, pg_read_all_settings, pg_read_all_stats, pg_stat_scan_tables, pg_monitor, pg_signal_backend, pg_checkpoint, pg_maintain, pg_use_reserved_connections, pg_create_subscription TO $ALMOST_SUPERUSER_ROLENAME WITH ADMIN OPTION;
You should not connect to your database from your applications using the default role, as you will need to take some downtime if you ever have to rotate your password. Instead, you should create additional roles as needed.
Connection types: Direct vs PSBouncer
PlanetScale offers two connection methods for PostgreSQL databases: direct (port 5432) and via PSBouncer (port 6432).
Note
PSBouncer (port 6432) does not support replica routing. All connections through PSBouncer are automatically routed to the primary database, regardless of the username specification. Use direct connections (port 5432) for replica access.
Direct connection (Port 5432)
Using port 5432 bypasses PSBouncer and connects directly to Postgres. This is the recommended way to connect for any operations that require long-running queries or persistent connections.
PSBouncer operates in transaction pooling mode, where connections are returned to the pool after each transaction completes. This means that session-level features and long-running operations are interrupted between transactions.
Direct connections are recommended for:
- Schema changes and DDL
- OLAP, analytics, reporting, or batch processing
- Session-specific features: Custom session variables, temporary tables
- ETL processes and data streaming
- Long-running transactions or queries that span multiple transactions
Additionally, if you're connecting to a replica, you must connect directly. PSBouncer is not supported for replica connections.
PSBouncer connection (Port 6432)
PSBouncer enables high availability for a Postgres database by efficiently pooling connections and buffering queries during failovers. PSBouncer is generally recommended for OLTP workloads. For example, we'd recommend routing your application connections through PSBouncer. You can connect through PSBouncer by updating your connection string to use port 6432.
PSBouncer connections operate in transaction mode, which means each connection is only held for the duration of a single transaction. This provides excellent performance for OLTP workloads but limits certain PostgreSQL features that require persistent connections. For use cases that require long-running operations, we recommend a direct connection on port 5432.
Routing to replicas
PlanetScale for Postgres supports routing connections to replicas for improved read performance and load distribution. To connect to a replica, append |replica to your credential username. For example:
# Connect to replica user=postgres.xxxxxxxxx|replica # where postgres.xxxxxxxxx is your username
You can append |replica to any role you create on your Postgres database.
Note
PSBouncer (port 6432) does not support replica routing. All connections through PSBouncer are automatically routed to the primary database, regardless of the username specification. Use direct connections (port 5432) for replica access.
Authentication
PlanetScale for Postgres uses SCRAM-SHA-256 authentication, which provides enhanced security over traditional password authentication methods.
Username format
All usernames follow the format {role}.{branch_id}:
| Component | Description | Examples |
|---|---|---|
| role | The role name | postgres, app_user |
| branch_id | The unique identifier for your database branch | cnlmx96ec5kw |
| Full username | Complete format: {role}.{branch_id} | postgres.cnlmx96ec5kw, app_user.cnlmx96ec5kw |
The branch ID in the username tells PlanetScale's routing layer (Exosphere) which specific database branch to connect to.
Password format
All PlanetScale for PostgreSQL passwords begin with pscale_pw_ followed by a unique string:
pscale_pw_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Strong security model
PlanetScale roles are created for use with a single database branch. This strong security model allows you to generate roles that are tied to a branch, and cannot access data/schema from another branch.
Need help?
Get help from the PlanetScale Support team, or join our GitHub discussion board to see how others are using PlanetScale.