Skip to main content
App Development

Connection string builder

Generate PostgreSQL connection strings for every language and driver with secure defaults

For developers who need to construct a PostgreSQL connection string in the correct format for their application, language, or driver — including SSL, connection pooling, and secure credential handling.

Fill in your connection details and generate a ready-to-use connection string:

or

About this tool

Getting a PostgreSQL connection string right is deceptively tricky. The format varies between the standard libpq URI (postgresql://user@host:port/dbname), the older keyword/value format (host=... port=... dbname=...), and the completely different JDBC format (jdbc:postgresql://host:port/dbname). Each language driver has its own quirks — psycopg2 and psycopg3 handle SSL parameters differently, Node.js pg expects a JavaScript object or a URI, Go's lib/pq and pgx accept different parameter names, and Ruby's pg gem follows libpq conventions but ActiveRecord wraps them in YAML. One misplaced character and your application silently connects without SSL, or fails to connect at all.

This tool generates connection strings in the exact format your driver expects. You provide the host, port, database name, username, and SSL mode, and it produces a ready-to-use connection string. Passwords are deliberately excluded from the generated string — instead, the tool shows you the secure pattern for your environment: the PGPASSWORD environment variable, a .pgpass file entry, or your cloud provider's IAM authentication mechanism. Hardcoding passwords in connection strings is a persistent source of credential leaks, and this tool enforces the safer pattern by default.

Beyond the basics, the tool handles the parameters that experienced PostgreSQL operators care about: sslmode (with all six modes explained — disable, allow, prefer, require, verify-ca, verify-full), certificate paths (sslcert, sslkey, sslrootcert), connection pooler compatibility (PgBouncer prepared-statement workarounds, Pgpool-II load balancing hints), and operational parameters like connect_timeout, application_name, options, and target_session_attrs for read-replica routing.

The generated output includes the connection string itself, a complete environment variable block, and a language-specific code snippet showing how to use it in your application. Every parameter is annotated with its libpq documentation reference so you can verify the behavior yourself. Whether you are setting up a local development database, configuring a production deployment with mutual TLS, or debugging a connection that silently falls back to unencrypted traffic, this tool gives you the exact string you need — and explains why each parameter matters.

Special characters in connection parameters are a frequent source of bugs. In URI format, the username and password components are percent-encoded per RFC 3986: an @ in a password must become %40, a / must become %2F, and a % itself must become %25. The database name, being part of the URI path, follows the same encoding rules. Query-string parameters use standard URL encoding. The keyword/value format avoids most of these issues — values containing spaces or special characters are simply wrapped in single quotes, with internal single quotes and backslashes escaped by a backslash. This tool handles the encoding automatically so you never have to look up percent-encoding tables by hand.

For teams managing multiple environments (development, staging, production), connection strings often differ only in host, credentials, and SSL configuration. The tool supports generating a parameterized template — a connection string with environment variable placeholders — that you can store in version control safely. The actual values are resolved at runtime from your secrets manager, CI/CD variables, or Kubernetes secrets. This pattern — version-controlled templates with runtime secret injection — is the industry standard for managing database connections across environments and the approach recommended by every major cloud provider's PostgreSQL documentation.

Understanding the connection lifecycle is also important when building your string. When your application opens a connection, the libpq client and PostgreSQL server perform a startup handshake that includes authentication (md5, scram-sha-256, cert, gss, or trust), SSL/TLS negotiation (controlled by sslmode), and parameter setting (timezone, encoding, application_name). If any of these steps fail, the error message can be cryptic — "FATAL: no pg_hba.conf entry" usually means the server's host-based authentication file does not allow the connection from your IP with your chosen auth method, while "SSL error: certificate verify failed" means your sslrootcert does not contain the CA that signed the server's certificate. This tool annotates each parameter so you understand what it controls in the connection lifecycle and can diagnose failures faster.

Safety notes:
  • Never embed passwords directly in connection strings — use PGPASSWORD environment variable, .pgpass file, or IAM authentication
  • If a user pastes a connection string containing credentials, warn them to rotate the password immediately
  • Default to sslmode=verify-full for production and explain the MITM risk of weaker SSL modes

Examples

# URI format (libpq, psycopg2/3, node-pg, most modern drivers)
postgresql://[email protected]:5432/myapp_production?sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca.pem&connect_timeout=10&application_name=myapp-web

# Keyword/value format (libpq, psql, pg_dump)
host=db.example.com port=5432 dbname=myapp_production user=myapp sslmode=verify-full sslrootcert=/etc/ssl/certs/ca.pem connect_timeout=10 application_name=myapp-web

# JDBC format (Java)
jdbc:postgresql://db.example.com:5432/myapp_production?user=myapp&sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca.pem&connectTimeout=10&ApplicationName=myapp-web

# Secure password handling — never embed in the connection string
export PGPASSWORD="$(vault kv get -field=password secret/postgres/myapp)"

# Or use a .pgpass entry
# hostname:port:database:username:password
echo 'db.example.com:5432:myapp_production:myapp:*' >> ~/.pgpass
chmod 600 ~/.pgpass

The same connection parameters rendered in three common formats. Note that the password is never part of the connection string — it is supplied via the PGPASSWORD environment variable or a .pgpass file with restricted permissions.

# Python (psycopg2)
import os, psycopg2
conn = psycopg2.connect(
    host="db.example.com",
    port=5432,
    dbname="myapp_production",
    user="myapp",
    password=os.environ["PGPASSWORD"],
    sslmode="verify-full",
    sslrootcert="/etc/ssl/certs/ca.pem",
    connect_timeout=10,
    application_name="myapp-web",
)

# Node.js (pg)
const { Pool } = require('pg');
const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  ssl: { rejectUnauthorized: true, ca: fs.readFileSync('/etc/ssl/certs/ca.pem') },
  connectionTimeoutMillis: 10000,
  application_name: 'myapp-web',
});

# Go (pgx)
connStr := "postgres://[email protected]:5432/myapp_production?sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca.pem"
pool, err := pgxpool.New(ctx, connStr)

Language-specific connection examples showing how each driver consumes the connection parameters. Passwords are always read from environment variables, never hardcoded.

Inputs and outputs

What you provide

  • Host, port, database name, and username
  • SSL mode and certificate paths (if applicable)
  • Target language or driver (optional)
  • Connection pooler type and pooling mode (optional)

What you get

  • Connection string in URI, keyword/value, and/or driver-specific format
  • Secure password handling instructions (env var, .pgpass, IAM)
  • Language-specific code snippet with the connection configured

Use cases

  • Generating a connection string for a new application deployment with the correct SSL mode and certificate paths
  • Converting between URI format and keyword/value format when migrating configuration between tools
  • Building JDBC connection strings for Java applications with PostgreSQL-specific driver parameters
  • Configuring connection strings that work correctly through PgBouncer in transaction pooling mode
  • Setting up read-replica routing with target_session_attrs for high-availability deployments
  • Debugging connection failures caused by incorrect sslmode, missing certificates, or wrong parameter syntax

Features

  • Generates connection strings in URI, keyword/value, JDBC, and driver-specific formats from a single set of inputs
  • Excludes passwords by default and shows the secure credential pattern (env var, .pgpass, IAM) for your environment
  • Produces language-specific code snippets for Python (psycopg2/3), Node.js (pg), Java (JDBC), Go (lib/pq, pgx), and Ruby (pg)
  • Explains all six SSL modes and generates the correct sslcert/sslkey/sslrootcert parameters for mutual TLS
  • Warns about PgBouncer compatibility issues (prepared statements, SET commands) and generates pooler-safe strings
  • Includes operational parameters (connect_timeout, application_name, target_session_attrs) with sensible defaults

Frequently asked questions

What is the difference between the PostgreSQL URI format and keyword/value format?

PostgreSQL supports two native connection string formats defined by libpq. The URI format follows RFC 3986: postgresql://user@host:port/dbname?param=value. The keyword/value format uses space-separated key=value pairs: host=... port=... dbname=... user=.... Both are functionally identical and support the same parameters — any parameter you can set in one format works in the other. The URI format is more common in modern applications, environment variables (like DATABASE_URL), and cloud platform dashboards because it fits in a single string that is easy to copy and paste between configuration systems. The keyword/value format is used by psql, pg_dump, pg_restore, and other PostgreSQL command-line tools — you can pass it directly as the connection argument. One important difference: in URI format, special characters in values (especially passwords) must be percent-encoded (@ becomes %40, / becomes %2F), while keyword/value format uses single-quote escaping (password='my pass'). If your password contains @, #, /, %, or spaces, the keyword/value format is less error-prone. There is also a third variant worth knowing: the postgres:// scheme (without the ql suffix) is accepted as an alias by libpq and most drivers, though postgresql:// is the officially documented form. Most modern drivers accept both URI and keyword/value formats interchangeably.

How should I handle passwords in PostgreSQL connection strings securely?

Never embed passwords directly in connection strings, source code, configuration files checked into version control, or Docker build arguments. PostgreSQL and libpq provide several secure alternatives. The PGPASSWORD environment variable is the simplest — set it in your deployment environment (Kubernetes secret, cloud provider secrets manager, CI/CD variable) and libpq-based drivers will pick it up automatically. The .pgpass file (~/.pgpass on Unix, %APPDATA%\postgresql\pgpass.conf on Windows) stores credentials in hostname:port:database:username:password format and must have 0600 permissions. For cloud deployments, prefer IAM-based authentication: AWS RDS IAM authentication generates short-lived tokens via aws rds generate-db-auth-token, GCP Cloud SQL uses the Cloud SQL Auth Proxy, and Azure Database for PostgreSQL supports Azure AD tokens. For Kubernetes, mount passwords as secrets into environment variables rather than config maps. If you absolutely must pass a password in a connection string (some ORMs require it), read it from the environment at runtime: postgresql://user:${PGPASSWORD}@host/db — but be aware that the expanded string may appear in process listings or crash dumps.

What do the PostgreSQL SSL modes mean and which one should I use?

PostgreSQL defines six SSL modes in order of increasing security. disable: no SSL at all, traffic is plaintext — only appropriate for trusted private networks or Unix sockets. allow: try non-SSL first, fall back to SSL if the server requires it — rarely useful, gives no security guarantee. prefer (the default): try SSL first, fall back to plaintext if the server does not support it — this is dangerously misleading because a man-in-the-middle can downgrade the connection silently. require: always use SSL, but do not verify the server certificate — encrypts traffic but does not prevent MITM attacks. verify-ca: use SSL and verify the server certificate is signed by a trusted CA — prevents connecting to a rogue server, but does not check that the certificate matches the hostname. verify-full: use SSL, verify the CA, and verify the hostname in the certificate matches the connection target — the strongest option and the one you should use in production. For most production deployments, use verify-full with sslrootcert pointing to your CA certificate. If you are connecting to a managed service (RDS, Cloud SQL, Azure) download their CA bundle. For local development, disable or require is usually fine.

How do I configure connection strings to work with PgBouncer or Pgpool-II?

Connection poolers sit between your application and PostgreSQL, and they impose constraints on what your connection string and application can do. PgBouncer in transaction pooling mode (the most common production configuration) does not support prepared statements across transactions, SET commands that persist, LISTEN/NOTIFY, advisory locks, or temporary tables. If your driver uses implicit prepared statements (like pgx in Go or psycopg3 in pipeline mode), you need to disable them: in psycopg3, set prepare_threshold=0; in pgx, use default_query_exec_mode=simple_protocol; in node-pg, disable prepared statements via { statement_timeout: 0 } or use the pg-native binding. Your connection string for PgBouncer targets the bouncer port (typically 6432, not 5432) and the virtual database name configured in pgbouncer.ini. Pgpool-II is more transparent for most operations but has its own quirks with load balancing — add target_session_attrs=read-write in your connection string if you need to ensure writes go to the primary. Both poolers benefit from application_name being set so you can identify connections in pgbouncer show clients or pgpool show pool_nodes. Keep connect_timeout short (5-10s) because the pooler adds latency on top of the actual PostgreSQL connection time.

Related tools

pg_hba.conf generatorDocker Compose for PostgreSQL generatorToo many connections troubleshooter

Ready to try it?

Use this tool for free — powered by PostgresAI.