This error occurs when PostgreSQL rejects a login attempt due to incorrect credentials, misconfigured authentication settings, or missing passwords. Verify your credentials and pg_hba.conf configuration to resolve it.
The PostgreSQL server received a connection attempt but rejected it during the authentication phase. This happens when the password provided doesn't match, the user lacks a password, or the pg_hba.conf authentication method doesn't support password-based login. PostgreSQL's Host-Based Authentication (HBA) configuration file controls which authentication methods are allowed for each user, database, and IP address combination.
Double-check that you're using the correct password for the user account. Passwords are case-sensitive in PostgreSQL. If unsure, reset the password using a trusted connection.
If you have access via the OS or local socket (peer authentication), reset the password:
sudo -i -u postgres
psql
Then execute:
ALTER USER username WITH PASSWORD 'new_password';
Replace username and new_password with your values.
Locate your pg_hba.conf file (typically /etc/postgresql/VERSION/main/pg_hba.conf on Linux or %APPDATA%\postgresql\pg_hba.conf on Windows).
Look for entries matching your connection type (local, host, hostssl) and verify the METHOD column allows password authentication:
# Good: Allows password-based auth
host all all 127.0.0.1/32 md5
host all all 127.0.0.1/32 scram-sha-256
# Bad: Does not require password
host all all 127.0.0.1/32 trust
# Bad: Uses OS username instead of password
local all all peer
Rules are checked in order, so earlier matching rules take precedence.
Edit pg_hba.conf and change the METHOD field to a password-based authentication method:
- scram-sha-256 - Most secure (PostgreSQL 10+), uses SCRAM-SHA-256 hashing
- md5 - Widely compatible, uses MD5 hashing (less secure but standard)
- password - Plain text password (avoid in production)
Example configuration:
local all all peer
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
After editing pg_hba.conf, reload the configuration without stopping the database:
# Linux with systemd
sudo systemctl reload postgresql
# Or using pg_ctl
pg_ctl reload -D /path/to/data/directory
# Or from psql (if you have superuser access)
SELECT pg_reload_conf();
If reload doesn't work or you need to apply other changes, restart PostgreSQL:
sudo systemctl restart postgresql
If you recently upgraded PostgreSQL (especially to v13+), check if your client supports the authentication method:
- PostgreSQL 13+ defaults to scram-sha-256
- Older clients may only support md5
- pgAdmin, DBeaver, and ORMs like Prisma usually support both
If your client doesn't support SCRAM-SHA-256, either:
- Update the client to a newer version
- Change pg_hba.conf back to md5 (less secure)
- Use a connection pooler that handles SCRAM-SHA-256 (e.g., PgBouncer)
Verify the role has the LOGIN privilege granted:
psql -U postgres
-- Check if user can login
SELECT usename, usecanlogin FROM pg_user WHERE usename = 'your_username';
-- Grant LOGIN privilege if missing
ALTER USER username WITH LOGIN;
If the above returns no rows, the user doesn't exist. Create it:
CREATE USER username WITH PASSWORD 'password' LOGIN;
After making changes, test your connection:
psql -h localhost -U username -d databasename
Or for applications, provide connection details in your connection string:
postgresql://username:password@localhost:5432/databasename
If the error persists, check PostgreSQL logs for more details:
# Linux
sudo tail -f /var/log/postgresql/postgresql.log
# Or from psql
SELECT pg_current_logfile();
HBA Rule Matching: pg_hba.conf rules are processed sequentially. The first matching rule determines authentication. If you have overlapping rules, ensure the more specific rules (exact IP/user) appear before general ones (all).
SCRAM-SHA-256 vs MD5: SCRAM-SHA-256 (introduced in PostgreSQL 10, default in 13+) is more secure but requires compatible clients. MD5 is still widely supported but less secure.
Local Connections: On Unix/Linux, local socket connections (CONNECTION_TYPE = 'local') use 'peer' authentication by default, which validates the OS user matches the database user—no password needed. Remote connections (TCP/IP) require password authentication.
Connection Poolers: Tools like PgBouncer may not support SCRAM-SHA-256 in all versions. If using a pooler, verify it supports your pg_hba.conf authentication method.
Password Reset Without Access: If locked out, you may need direct database server access to reset the password or modify pg_hba.conf temporarily to allow trust authentication, then restore secure settings afterward.
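The first-match rule described under HBA Rule Matching can be checked offline before a reload. The following is an added example, not part of the original page or of PostgreSQL itself: a small evaluator that reports which pg_hba.conf line a connection would hit and whether that line asks for a password. It assumes CIDR addresses and only the all and sameuser keywords; hostnames, +group entries and include files are not handled, and the sample configuration is constructed.

```python
import ipaddress

# The three password methods this page lists; trust and peer ask for no password.
PASSWORD_METHODS = {"scram-sha-256", "md5", "password"}

# Constructed sample, not taken from a real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   trust
host    appdb     app   127.0.0.1/32   scram-sha-256
host    all       all   10.0.0.0/8     scram-sha-256
"""

def parse_hba(text):
    """Yield (line_no, type, databases, users, network, method) per rule."""
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                       # local rules have no ADDRESS
            yield no, f[0], f[1].split(","), f[2].split(","), None, f[3]
        else:                                     # host, hostssl, hostnossl
            net = ipaddress.ip_network(f[3], strict=False)
            yield no, f[0], f[1].split(","), f[2].split(","), net, f[4]

def first_match(text, database, user, addr=None, ssl=False):
    """Return (line_no, method, is_password) of the rule the server would use,
    or None when no rule matches. addr=None means a Unix-socket connection."""
    ip = ipaddress.ip_address(addr) if addr else None
    for no, ctype, dbs, users, net, method in parse_hba(text):
        if (ip is None) != (ctype == "local"):
            continue                              # socket vs TCP mismatch
        if (ctype == "hostssl" and not ssl) or (ctype == "hostnossl" and ssl):
            continue
        if ip is not None and ip not in net:
            continue
        # "replication" is a keyword for replication connections, not a name
        db_ok = any(d == "all" or (d == "sameuser" and database == user)
                    or (d == database and d != "replication") for d in dbs)
        if db_ok and ("all" in users or user in users):
            return no, method, method in PASSWORD_METHODS
    return None

if __name__ == "__main__":
    for args in [("appdb", "app", "127.0.0.1"), ("appdb", "app", "10.1.2.3"),
                 ("appdb", "app", None), ("appdb", "app", "192.168.1.5")]:
        print(args, "->", first_match(SAMPLE_HBA, *args))
```

In the sample, the broad trust rule on line 3 shadows the specific scram-sha-256 rule on line 4, so the loopback connection for app is never asked for a password until the two lines are swapped.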