PostgREST reads a configuration file to determine information about the database and how to serve client requests. There is no predefined location for this file, you must specify the file path as the one and only argument to the server:
./postgrest /path/to/postgrest.conf
The configuration file must contain a set of key value pairs. At minimum you must include these keys:
# postgrest.conf # The standard connection URI format, documented at # https://www.postgresql.org/docs/current/static/libpq-connect.html#AEN45347 db-uri = "postgres://user:pass@host:5432/dbname" # The name of which database schema to expose to REST clients db-schema = "api" # The database role to use when no client authentication is provided. # Can (and should) differ from user in db-uri db-anon-role = "anon"
The user specified in the db-uri is also known as the authenticator role. For more information about the anonymous vs authenticator roles see the :ref:`roles`.
Here is the full list of configuration parameters.
Name | Type | Default | Required |
---|---|---|---|
db-uri | String | Y | |
db-schema | String | Y | |
db-anon-role | String | Y | |
db-pool | Int | 10 | |
db-pool-timeout | Int | 10 | |
db-extra-search-path | String | public | |
server-host | String | !4 | |
server-port | Int | 3000 | |
server-unix-socket | String | ||
server-unix-socket-mode | String | 660 | |
openapi-server-proxy-uri | String | ||
jwt-secret | String | ||
jwt-aud | String | ||
secret-is-base64 | Bool | False | |
max-rows | Int | ∞ | |
pre-request | String | ||
app.settings.* | String | ||
role-claim-key | String | .role | |
raw-media-types | String |
The standard connection PostgreSQL URI format. Symbols and unusual characters in the password or other fields should be percent encoded to avoid a parse error. If enforcing an SSL connection to the database is required you can use sslmode in the URI, for example
postgres://user:pass@host:5432/dbname?sslmode=require
.When running PostgREST on the same machine as PostgreSQL, it is also possible to connect to the database using a Unix socket and the Peer Authentication method as an alternative to TCP/IP communication and authentication with a password, this also grants higher performance. To do this you can omit the host and the password, e.g.
postgres://user@/dbname
, see the libpq connection string documentation for more details.On older systems like Centos 6, with older versions of libpq, a different db-uri syntax has to be used. In this case the URI is a string of space separated key-value pairs (key=value), so the example above would be
"host=host user=user port=5432 dbname=dbname password=pass"
.Choosing a value for this parameter beginning with the at sign such as
@filename
(e.g.@./configs/my-config
) loads the secret out of an external file.
The database schema to expose to REST clients. Tables, views and stored procedures in this schema will get API endpoints.
db-schema = "api"
This schema gets added to the search_path of every request.
You can also specify a list of schemas that can be used for schema-based multitenancy and api versioning by :ref:`multiple-schemas`. Example:
db-schema = "tenant1, tenant2"
If you don't :ref:`Switch Schemas <multiple-schemas>`, the first schema in the list(
tenant1
in this case) is chosen as the default schema.Only the chosen schema gets added to the search_path of every request.
Warning
Never expose private schemas in this way. See :ref:`schema_isolation`.
The database role to use when executing commands on behalf of unauthenticated clients. For more information, see :ref:`roles`.
Number of connections to keep open in PostgREST's database pool. Having enough here for the maximum expected simultaneous client connections can improve performance. Note it's pointless to set this higher than the max_connections
GUC in your database.
Time to live, in seconds, for an idle database pool connection. If the timeout is reached the connection will be closed. Once a new request arrives a new connection will be started.
Extra schemas to add to the search_path of every request. These schemas tables, views and stored procedures don't get API endpoints, they can only be referred from the database objects inside your :ref:`db-schema`.
This parameter was meant to make it easier to use PostgreSQL extensions (like PostGIS) that are outside of the :ref:`db-schema`.
Multiple schemas can be added in a comma-separated string, e.g.
public, extensions
.
Where to bind the PostgREST web server. In addition to the usual address options, PostgREST interprets these reserved addresses with special meanings:
*
- any IPv4 or IPv6 hostname*4
- any IPv4 or IPv6 hostname, IPv4 preferred!4
- any IPv4 hostname*6
- any IPv4 or IPv6 hostname, IPv6 preferred!6
- any IPv6 hostname
The TCP port to bind the web server.
Unix domain socket where to bind the PostgREST web server. If specified, this takes precedence over :ref:`server-port`. Example:
server-unix-socket = "/tmp/pgrst.sock"
Unix file mode to be set for the socket specified in :ref:`server-unix-socket` Needs to be a valid octal between 600 and 777.
server-unix-socket-mode = "660"
Overrides the base URL used within the OpenAPI self-documentation hosted at the API root path. Use a complete URI syntax
scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
. Ex.https://postgrest.com
{ "swagger": "2.0", "info": { "version": "0.4.3.0", "title": "PostgREST API", "description": "This is a dynamic API generated by PostgREST" }, "host": "postgrest.com:443", "basePath": "/", "schemes": [ "https" ] }
The secret or JSON Web Key (JWK) (or set) used to decode JWT tokens clients provide for authentication. For security the key must be at least 32 characters long. If this parameter is not specified then PostgREST refuses authentication requests. Choosing a value for this parameter beginning with the at sign such as @filename
loads the secret out of an external file. This is useful for automating deployments. Note that any binary secrets must be base64 encoded. Both symmetric and asymmetric cryptography are supported. For more info see :ref:`asym_keys`.
Specifies the JWT audience claim. If this claim is present in the client provided JWT then you must set this to the same value as in the JWT, otherwise verifying the JWT will fail.
When this is set totrue
, the value derived fromjwt-secret
will be treated as a base64 encoded secret.
A hard limit to the number of rows PostgREST will fetch from a view, table, or stored procedure. Limits payload size for accidental or malicious requests.
A schema-qualified stored procedure name to call right after switching roles for a client request. This provides an opportunity to modify SQL variables or raise an exception to prevent the request from completing.
Arbitrary settings that can be used to pass in secret keys directly as strings, or via OS environment variables. For instance:app.settings.jwt_secret = "$(MYAPP_JWT_SECRET)"
will takeMYAPP_JWT_SECRET
from the environment and make it available to postgresql functions ascurrent_setting('app.settings.jwt_secret')
.
A JSPath DSL that specifies the location of the
role
key in the JWT claims. This can be used to consume a JWT provided by a third party service like Auth0, Okta or Keycloak. Usage examples:# {"postgrest":{"roles": ["other", "author"]}} # the DSL accepts characters that are alphanumerical or one of "_$@" as keys role-claim-key = ".postgrest.roles[1]" # {"https://www.example.com/role": { "key": "author }} # non-alphanumerical characters can go inside quotes(escaped in the config value) role-claim-key = ".\"https://www.example.com/role\".key"
This serves to extend the Media Types that PostgREST currently accepts through an
Accept
header.These media types can be requested by following the same rules as the ones defined in :ref:`binary_output`.
As an example, the below config would allow you to request an image and an xml by doing a request with
Accept: image/png
and a request withAccept: text/xml
, respectively.raw-media-types="image/png, text/xml"