App Vault uses PostgreSQL as its database backend. You can use either a local PostgreSQL instance or an external managed database service.
App Vault uses the standard PostgreSQL connection string format via the DATABASE_URL environment variable:
postgres://username:password@host:port/database?options
username- PostgreSQL userpassword- User passwordhost- Database server hostname or IPport- Database port (default: 5432)database- Database nameoptions- Connection options (e.g.,sslmode=require)
Use an external PostgreSQL database service. Simply set the DATABASE_URL in your .env file:
DATABASE_URL=postgres://user:password@host:5432/appvault?sslmode=requireSupported Providers:
DATABASE_URL=postgres://username:password@mydb.c9akciq32.us-east-1.rds.amazonaws.com:5432/appvault?sslmode=requireDATABASE_URL=postgres://username@servername:password@servername.postgres.database.azure.com:5432/appvault?sslmode=requireDATABASE_URL=postgres://username:password@<CLOUD_SQL_CONNECTION_NAME>:5432/appvault?sslmode=requireDATABASE_URL=postgres://doadmin:password@db-postgresql-nyc1-12345.db.ondigitalocean.com:25060/appvault?sslmode=requireDATABASE_URL=postgres://user:pass@ec2-xxx.compute-1.amazonaws.com:5432/d12345?sslmode=requireDATABASE_URL=postgres://postgres:password@containers-us-west-12.railway.app:5432/railway?sslmode=requireDATABASE_URL=postgres://postgres:password@db.project.supabase.co:5432/postgres?sslmode=requireDATABASE_URL=postgres://user:password@ep-cool-darkness-123456.us-east-2.aws.neon.tech/neondb?sslmode=requireFor local development, you can run PostgreSQL directly:
Windows:
choco install postgresqlmacOS:
brew install postgresql
brew services start postgresqlLinux:
sudo apt-get install postgresql postgresql-contrib
sudo systemctl start postgresqlDATABASE_URL=postgres://postgres:postgres@localhost:5432/appvault?sslmode=disableUncomment the postgres service in docker-compose.yml:
services:
postgres:
image: postgres:15-alpine
container_name: appvault-postgres
environment:
POSTGRES_USER: ${DB_USER:-postgres}
POSTGRES_PASSWORD: ${DB_PASSWORD:-postgres}
POSTGRES_DB: ${DB_NAME:-appvault}
ports:
- "${DB_PORT:-5432}:5432"
volumes:
- postgres_data:/var/lib/postgresql/data
volumes:
postgres_data:Then use:
DATABASE_URL=postgres://postgres:postgres@localhost:5432/appvault?sslmode=disable| Mode | Description | Use Case |
|---|---|---|
disable |
No SSL | Local development only |
require |
SSL required, no verification | Basic SSL |
verify-ca |
SSL + verify CA | Production |
verify-full |
SSL + verify CA + hostname | Maximum security |
Always use sslmode=require or higher in production:
DATABASE_URL=postgres://user:pass@host:5432/db?sslmode=requireFor custom CA certificates:
DATABASE_URL=postgres://user:pass@host:5432/db?sslmode=verify-ca&sslrootcert=/path/to/ca.crtApp Vault uses connection pooling with these defaults:
- Max Open Connections: 25
- Max Idle Connections: 5
- Connection Max Lifetime: 5 minutes
These are configured in the application code and don't need to be set in the connection string.
- PostgreSQL 13 or higher
App Vault uses standard PostgreSQL features and doesn't require special extensions.
The database user needs:
CREATE TABLEINSERT,UPDATE,DELETE,SELECTCREATE INDEXCREATE SEQUENCE
App Vault automatically runs migrations on startup. Ensure:
- Database exists
- User has proper permissions
- Network connectivity is available
psql "$DATABASE_URL"curl http://localhost:8080/healthResponse:
{
"status": "healthy",
"database": "connected"
}# Windows PowerShell
$env:DATABASE_URL = "postgres://user:pass@host:5432/db?sslmode=require"
.\bin\appvault.exe
# Test health
curl http://localhost:8080/healthcould not connect to server: Connection refused
Solutions:
- Verify database is running
- Check host and port are correct
- Verify firewall rules allow connection
- For cloud databases, check security groups/firewall rules
password authentication failed for user
Solutions:
- Verify username and password
- Check password special characters are URL-encoded
- For Azure, use
username@servernameformat
no pg_hba.conf entry for host, SSL off
Solutions:
- Change
sslmode=disabletosslmode=require - Ensure SSL is enabled on the database server
database "appvault" does not exist
Solutions:
-- Create database
CREATE DATABASE appvault;
-- Grant permissions
GRANT ALL PRIVILEGES ON DATABASE appvault TO username;could not connect to server: i/o timeout
Solutions:
- Check network connectivity
- Verify host is reachable
- Check if IP is whitelisted in cloud provider
- Increase connection timeout if needed
If your password contains special characters, URL-encode them:
| Character | Encoded |
|---|---|
| @ | %40 |
| : | %3A |
| / | %2F |
| ? | %3F |
| # | %23 |
| & | %26 |
| = | %3D |
Example:
Password: my@pass:word/123
Encoded: my%40pass%3Aword%2F123
DATABASE_URL=postgres://postgres:postgres@localhost:5432/appvault?sslmode=disableDATABASE_URL=postgres://appvault_staging:securepass@staging-db.example.com:5432/appvault_staging?sslmode=requireDATABASE_URL=postgres://appvault_prod:verysecurepass@prod-db.example.com:5432/appvault_prod?sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca.crt- Never commit DATABASE_URL to version control
- Use SSL in production (
sslmode=requireminimum) - Strong passwords (20+ characters, mixed case, numbers, symbols)
- Rotate credentials regularly
- Least privilege principle for database user
- Network isolation (VPC, private subnets)
- Monitoring for suspicious activity
- Backups automated and tested
- Secrets management (AWS Secrets Manager, Azure Key Vault, etc.)
-
Backup local database:
pg_dump appvault > backup.sql -
Create external database (via cloud provider)
-
Restore backup:
psql "$NEW_DATABASE_URL" < backup.sql
-
Update .env:
DATABASE_URL=<new_external_url>
-
Restart application
-
Verify:
curl http://localhost:8080/health
- DEPLOYMENT.md - Production deployment guide
- docker-compose.yml - Docker configuration
- .env.example - Environment variables template