This error occurs when PostgreSQL rejects a login attempt due to incorrect credentials, misconfigured authentication settings, or missing passwords. Verify your credentials and pg_hba.conf configuration to resolve it.
The PostgreSQL server received a connection attempt but rejected it during the authentication phase. This happens when the password provided doesn't match, the user lacks a password, or the pg_hba.conf authentication method doesn't support password-based login. PostgreSQL's Host-Based Authentication (HBA) configuration file controls which authentication methods are allowed for each user, database, and IP address combination.
Double-check that you're using the correct password for the user account. Passwords are case-sensitive in PostgreSQL. If unsure, reset the password using a trusted connection.
If you have access via the OS or local socket (peer authentication), reset the password:
sudo -i -u postgres
psqlThen execute:
ALTER USER username WITH PASSWORD 'new_password';Replace username and new_password with your values.
Locate your pg_hba.conf file (typically /etc/postgresql/VERSION/main/pg_hba.conf on Linux or %APPDATA%\\postgresql\\pg_hba.conf on Windows).
Look for entries matching your connection type (local, host, hostssl) and verify the METHOD column allows password authentication:
# Good: Allows password-based auth
host all all 127.0.0.1/32 md5
host all all 127.0.0.1/32 scram-sha-256
# Bad: Does not require password
host all all 127.0.0.1/32 trust
# Bad: Uses OS username instead of password
local all all peerRules are checked in order, so earlier matching rules take precedence.
Edit pg_hba.conf and change the METHOD field to a password-based authentication method:
- scram-sha-256 - Most secure (PostgreSQL 10+), uses SCRAM-SHA-256 hashing
- md5 - Widely compatible, uses MD5 hashing (less secure but standard)
- password - Plain text password (avoid in production)
Example configuration:
local all all peer
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256After editing pg_hba.conf, reload the configuration without stopping the database:
# Linux with systemd
sudo systemctl reload postgresql
# Or using pg_ctl
pg_ctl reload -D /path/to/data/directory
# Or from psql (if you have superuser access)
SELECT pg_reload_conf();If reload doesn't work or you need to apply other changes, restart PostgreSQL:
sudo systemctl restart postgresqlIf you recently upgraded PostgreSQL (especially to v13+), check if your client supports the authentication method:
- PostgreSQL 13+ defaults to scram-sha-256
- Older clients may only support md5
- pgAdmin, DBeaver, and ORMs like Prisma usually support both
If your client doesn't support SCRAM-SHA-256, either:
- Update the client to a newer version
- Change pg_hba.conf back to md5 (less secure)
- Use a connection pooler that handles SCRAM-SHA-256 (e.g., PgBouncer)
Verify the role has the LOGIN privilege granted:
psql -U postgres-- Check if user can login
SELECT usename, usecanlogin FROM pg_user WHERE usename = 'your_username';
-- Grant LOGIN privilege if missing
ALTER USER username WITH LOGIN;If the above returns no rows, the user doesn't exist. Create it:
CREATE USER username WITH PASSWORD 'password' LOGIN;After making changes, test your connection:
psql -h localhost -U username -d databasenameOr for applications, provide connection details in your connection string:
postgresql://username:password@localhost:5432/databasenameIf the error persists, check PostgreSQL logs for more details:
# Linux
sudo tail -f /var/log/postgresql/postgresql.log
# Or from psql
SELECT pg_current_logfile();HBA Rule Matching: pg_hba.conf rules are processed sequentially. The first matching rule determines authentication. If you have overlapping rules, ensure the more specific rules (exact IP/user) appear before general ones (all). SCRAM-SHA-256 vs MD5: SCRAM-SHA-256 (introduced in PostgreSQL 10, default in 13+) is more secure but requires compatible clients. MD5 is still widely supported but less secure. Local Connections: On Unix/Linux, local socket connections (CONNECTION_TYPE = 'local') use 'peer' authentication by default, which validates the OS user matches the database user—no password needed. Remote connections (TCP/IP) require password authentication. Connection Poolers: Tools like PgBouncer may not support SCRAM-SHA-256 in all versions. If using a pooler, verify it supports your pg_hba.conf authentication method. Password Reset Without Access: If locked out, you may need direct database server access to reset the password or modify pg_hba.conf temporarily to allow trust authentication, then restore secure settings afterward.
insufficient privilege to bypass row security
How to fix "insufficient privilege to bypass row security" in PostgreSQL
HV004: fdw_invalid_data_type
How to fix "HV004: fdw_invalid_data_type" in PostgreSQL
insufficient columns in unique constraint for partition key
How to fix "insufficient columns in unique constraint for partition key" in PostgreSQL
ERROR 42501: must be owner of table
How to fix "must be owner of table" in PostgreSQL
trigger cannot change partition destination
How to fix "Trigger cannot change partition destination" in PostgreSQL