Connecting to a database
Every PandaStack database is reached through a single TLS-terminating proxy at *.db.pandastack.app. This page covers the connection strings, the credential-reveal behavior, and the critical MySQL connection rule you must follow.
Connection strings
Section titled “Connection strings”A database detail response returns two connection URLs:
| Field | Reachable from | Notes |
|---|---|---|
publicUrl | The open internet (public databases) | Routed through *.db.pandastack.app over TLS |
privateUrl | Inside the platform network only | For your PandaStack apps in the same org |
Both are always returned masked — the password segment is replaced with ********:
{ "publicUrl": "postgresql://postgres:********@app-db.db.pandastack.app:5432/postgres", "privateUrl": "postgresql://postgres:********@app-db.internal:5432/postgres"}Alongside the URLs, connectionDetails breaks out the host / port / username / database:
{ "connectionDetails": { "host": "app-db.db.pandastack.app", "port": 5432, "username": "postgres", "database": "postgres", "passwordAvailable": true }}passwordAvailable: true means a password exists and can be revealed — but it is never included in this response.
Revealing the password
Section titled “Revealing the password”Passwords are AES-encrypted at rest (iv:cipher) and never returned in a normal response. A role-gated Reveal / Copy action fetches the decrypted password and substitutes it back into the full connection URLs on demand.
GET /v1/databases/:id/credentials
Returns DatabaseCredentials — the real password plus full (unmasked) connection URLs:
{ "success": true, "data": { "password": "a1B2c3D4e5F6g7H8i9J0k1L2", "publicUrl": "postgresql://postgres:a1B2c3D4e5F6g7H8i9J0k1L2@app-db.db.pandastack.app:5432/postgres", "privateUrl": "postgresql://postgres:a1B2c3D4e5F6g7H8i9J0k1L2@app-db.internal:5432/postgres" }}In the dashboard, the Copy button copies a connection string with the real password already substituted, so a pasted string connects immediately.
PostgreSQL — connects normally
Section titled “PostgreSQL — connects normally”PostgreSQL clients route through the proxy using SNI (the TLS server name). This means you connect with a plain username and a normal host — nothing special is required.
psql "postgresql://postgres:<password>@app-db.db.pandastack.app:5432/postgres"# Individual flagspsql -h app-db.db.pandastack.app -p 5432 -U postgres -d postgresNode.js (pg):
import { Client } from "pg";
const client = new Client({ connectionString: "postgresql://postgres:<password>@app-db.db.pandastack.app:5432/postgres", ssl: { rejectUnauthorized: true },});await client.connect();MySQL — the critical username rule
Section titled “MySQL — the critical username rule”MySQL clients do not send SNI, so the proxy cannot route by TLS server name. Instead, the proxy routes by a key encoded in the username. For a public MySQL database you must do one of the following:
- Connect as user
root.<name>— append.<name>(the database deployment name) to the username. The.<name>suffix is what routes the connection. The dashboard shows this encoded username so pasted GUI/CLI values route correctly. OR - Pass the deployment name as the database you connect to, so the proxy can resolve the route from the database name.
# Correct: routed username root.<name>mysql -h app-db.db.pandastack.app -P 3306 \ -u 'root.app-db' -p app-dbConnection string form:
mysql://root.app-db:<password>@app-db.db.pandastack.app:3306/mysqlNode.js (mysql2):
import mysql from "mysql2/promise";
const conn = await mysql.createConnection({ host: "app-db.db.pandastack.app", port: 3306, user: "root.app-db", // .<name> suffix routes through the proxy password: "<password>", database: "mysql", ssl: {}, // TLS via the proxy});Private MySQL databases and all PostgreSQL databases are unchanged — they use a plain username with no suffix.
Public vs. private
Section titled “Public vs. private”| Public | Private | |
|---|---|---|
| Reachable from | Open internet via *.db.pandastack.app | Platform network only |
| Use with | External clients (laptop, CI, external host) | PandaStack apps in the same org |
| MySQL username | root.<name> (routed) or pass name as database | plain username |
| PostgreSQL | plain username (SNI routing) | plain username |
Set visibility at create time (visibility: public | private).
The proxy terminates TLS, so connections travel over an encrypted channel. Use your client’s SSL/TLS mode when connecting to *.db.pandastack.app (as shown in the examples above).
Related
Section titled “Related”- Databases overview
- Create a database — set username, database name, password, and visibility.
- Database API — the credentials and detail endpoints.