This error (code 28000) occurs when PostgreSQL denies access due to missing or incorrect authentication configuration in pg_hba.conf, invalid credentials, or authorization restrictions. Verify your connection credentials and pg_hba.conf settings to resolve it.
The "Invalid authorization specification" error indicates that the PostgreSQL server rejected your connection attempt due to authorization failures. This is classified as error code 28000 under "Class 28 - Invalid Authorization Specification" and means the server cannot verify that you have permission to access the requested database. The error typically stems from three sources: mismatched credentials (username/password), missing or incorrect entries in the pg_hba.conf authentication configuration file, or insufficient role permissions in the database. Unlike connection failures that occur before reaching the server, this error indicates the server was contacted but denied access based on its authorization rules.
Double-check the username and password you are using to connect. Ensure they are spelled correctly and match the PostgreSQL role that exists in your database.
# Test connection with explicit credentials
psql -h localhost -U your_username -d your_database -WWhen prompted, enter the password carefully. PostgreSQL is case-sensitive for usernames.
Locate your pg_hba.conf file, which controls client authentication. The location varies by installation:
# Find pg_hba.conf (typically in the PostgreSQL data directory)
sudo find / -name "pg_hba.conf" 2>/dev/null
# Or ask PostgreSQL directly
sudo -u postgres psql -c "SHOW hba_file;"Common locations include:
- Linux: /etc/postgresql/{version}/main/pg_hba.conf or /var/lib/postgresql/{version}/main/pg_hba.conf
- macOS: /usr/local/var/postgres/pg_hba.conf
- Windows: C:\Program Files\PostgreSQL\{version}\data\pg_hba.conf
Open pg_hba.conf and check for an entry matching your connection parameters. Each line specifies: connection type, client address, database, user, and authentication method.
# Example pg_hba.conf entry for local socket connections
local all all trust
# Example for TCP connections from localhost
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
# Example for TCP from specific IP
host your_db your_user 192.168.1.100/32 md5Add a line matching your connection. The format is:
<type> <database> <user> <address> <auth-method>Common auth methods: trust (no password), md5/scram-sha-256 (password), ident (OS user mapping), peer (socket).
After modifying pg_hba.conf, reload the configuration without restarting the server:
# Using psql as superuser
sudo -u postgres psql -c "SELECT pg_reload_conf();"
# Or send HUP signal to PostgreSQL process
sudo systemctl reload postgresql
# or
sudo kill -HUP $(pgrep -f "postgres.*master")If you modified other settings in postgresql.conf, you may need a full restart:
sudo systemctl restart postgresqlCheck that your database user (role) has the LOGIN attribute set:
-- Connect as superuser and check role attributes
\du your_username
-- Output should show "Attributes" like: |
-- Superuser | Create role | Create DB | ...If the role cannot login, grant permission:
ALTER ROLE your_username WITH LOGIN;If the role does not exist, create it:
CREATE ROLE your_username WITH LOGIN PASSWORD 'your_password';After making changes, test your connection:
# Using psql
psql -h localhost -U your_username -d your_database -W
# Or using a connection string
psql "postgresql://your_username:your_password@localhost/your_database"
# Check verbose output for debugging
psql -h localhost -U your_username -d your_database -W -vIf you still get errors, check the PostgreSQL server logs:
# View logs (location varies by system)
sudo tail -f /var/log/postgresql/postgresql.log
# or
sudo journalctl -u postgresql -n 50When using ident authentication, PostgreSQL maps OS usernames to database roles. If you connect as OS user "alice" but the database role is "alice_db", ident will fail. Use peer authentication for local socket connections or modify the ident map in pg_ident.conf. For remote connections over SSL/TLS, ensure both client and server certificates are properly configured and your pg_hba.conf entry specifies "hostssl". In containerized environments (Docker, Kubernetes), verify the container network allows PostgreSQL traffic and that the container's hostname resolves correctly if using host-based authentication.
insufficient columns in unique constraint for partition key
How to fix "insufficient columns in unique constraint for partition key" in PostgreSQL
ERROR 42501: must be owner of table
How to fix "must be owner of table" in PostgreSQL
trigger cannot change partition destination
How to fix "Trigger cannot change partition destination" in PostgreSQL
SSL error: certificate does not match host name
SSL error: certificate does not match host name in PostgreSQL
No SSL connection
No SSL connection to PostgreSQL