Skip to content

Connecting to a database

Every PandaStack database is reached through a single TLS-terminating proxy at *.db.pandastack.app. This page covers the connection strings, the credential-reveal behavior, and the critical MySQL connection rule you must follow.

A database detail response returns two connection URLs:

FieldReachable fromNotes
publicUrlThe open internet (public databases)Routed through *.db.pandastack.app over TLS
privateUrlInside the platform network onlyFor your PandaStack apps in the same org

Both are always returned masked — the password segment is replaced with ********:

{
"publicUrl": "postgresql://postgres:********@app-db.db.pandastack.app:5432/postgres",
"privateUrl": "postgresql://postgres:********@app-db.internal:5432/postgres"
}

Alongside the URLs, connectionDetails breaks out the host / port / username / database:

{
"connectionDetails": {
"host": "app-db.db.pandastack.app",
"port": 5432,
"username": "postgres",
"database": "postgres",
"passwordAvailable": true
}
}

passwordAvailable: true means a password exists and can be revealed — but it is never included in this response.

Passwords are AES-encrypted at rest (iv:cipher) and never returned in a normal response. A role-gated Reveal / Copy action fetches the decrypted password and substitutes it back into the full connection URLs on demand.

GET /v1/databases/:id/credentials

Returns DatabaseCredentials — the real password plus full (unmasked) connection URLs:

{
"success": true,
"data": {
"password": "a1B2c3D4e5F6g7H8i9J0k1L2",
"publicUrl": "postgresql://postgres:a1B2c3D4e5F6g7H8i9J0k1L2@app-db.db.pandastack.app:5432/postgres",
"privateUrl": "postgresql://postgres:a1B2c3D4e5F6g7H8i9J0k1L2@app-db.internal:5432/postgres"
}
}

In the dashboard, the Copy button copies a connection string with the real password already substituted, so a pasted string connects immediately.

PostgreSQL clients route through the proxy using SNI (the TLS server name). This means you connect with a plain username and a normal host — nothing special is required.

Terminal window
psql "postgresql://postgres:<password>@app-db.db.pandastack.app:5432/postgres"
Terminal window
# Individual flags
psql -h app-db.db.pandastack.app -p 5432 -U postgres -d postgres

Node.js (pg):

import { Client } from "pg";
const client = new Client({
connectionString:
"postgresql://postgres:<password>@app-db.db.pandastack.app:5432/postgres",
ssl: { rejectUnauthorized: true },
});
await client.connect();

MySQL clients do not send SNI, so the proxy cannot route by TLS server name. Instead, the proxy routes by a key encoded in the username. For a public MySQL database you must do one of the following:

  1. Connect as user root.<name> — append .<name> (the database deployment name) to the username. The .<name> suffix is what routes the connection. The dashboard shows this encoded username so pasted GUI/CLI values route correctly. OR
  2. Pass the deployment name as the database you connect to, so the proxy can resolve the route from the database name.
Terminal window
# Correct: routed username root.<name>
mysql -h app-db.db.pandastack.app -P 3306 \
-u 'root.app-db' -p app-db

Connection string form:

mysql://root.app-db:<password>@app-db.db.pandastack.app:3306/mysql

Node.js (mysql2):

import mysql from "mysql2/promise";
const conn = await mysql.createConnection({
host: "app-db.db.pandastack.app",
port: 3306,
user: "root.app-db", // .<name> suffix routes through the proxy
password: "<password>",
database: "mysql",
ssl: {}, // TLS via the proxy
});

Private MySQL databases and all PostgreSQL databases are unchanged — they use a plain username with no suffix.

PublicPrivate
Reachable fromOpen internet via *.db.pandastack.appPlatform network only
Use withExternal clients (laptop, CI, external host)PandaStack apps in the same org
MySQL usernameroot.<name> (routed) or pass name as databaseplain username
PostgreSQLplain username (SNI routing)plain username

Set visibility at create time (visibility: public | private).

The proxy terminates TLS, so connections travel over an encrypted channel. Use your client’s SSL/TLS mode when connecting to *.db.pandastack.app (as shown in the examples above).