PostgreSQL Connection
A Postgres connection lets Mycorr read tables from any Postgres-wire-compatible database — RDS, Cloud SQL, self-hosted, Heroku, Neon, Crunchy Bridge, etc.
For a managed Supabase project, use the Supabase connection type instead — it has helpers for finding the connection string and dealing with poolers.
What Mycorr needs
A user (role) on your database with SELECT on the tables you want
to import. Mycorr never issues anything beyond SELECT and a handful of
information_schema lookups.
We strongly recommend creating a dedicated read-only role rather than reusing an application or admin role:
```sql
-- Create the role
CREATE ROLE mycorr_reader WITH LOGIN PASSWORD '<strong-random-password>';
-- Allow connecting to the database
GRANT CONNECT ON DATABASE your_db TO mycorr_reader;
-- Allow seeing the schema(s) you want to expose
GRANT USAGE ON SCHEMA public TO mycorr_reader;
-- Allow reading existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mycorr_reader;
-- Allow reading tables created in the future too
-- (covers tables created by the role that runs this statement;
--  add FOR ROLE <owner> to cover tables another role will create)
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO mycorr_reader;
```
Repeat the last three statements for every schema you want to import from.
Network access
Mycorr connects to your database over the public internet from its hosting environment. Two things follow:
- Public reachability required. The host you give Mycorr must resolve to a public IP. Private addresses (10.x, 172.16-31.x, 192.168.x, 169.254.x, loopback, *.local, localhost) are rejected up front — see the SSRF note in the Security model section.
- No static egress IPs published today. If your database firewall needs an allowlist, reach out to support — VPC peering / site-to-site tunnels are on the roadmap. For now the practical setup is "publicly reachable, TLS-required, read-only role".
Setting it up
- Go to Settings → Connections → New Connection.
- Pick PostgreSQL.
- Fill in:
  - Name — anything human, e.g. "Prod analytics replica".
  - Host — db.example.com or an IP. Internal hostnames (e.g. localhost, *.local) are rejected.
  - Port — usually 5432.
  - Database — the database name (not the cluster name).
  - Username — the read-only role you created above.
  - Password — the password for that role.
- Require encrypted connection is on by default. Leave it on unless your database is on a trusted private network.
- (Optional) Under Advanced, paste a Custom CA certificate (PEM) if your database uses a private / self-signed CA that isn't in the public trust store (common for RDS proxy, internal PKI). Get the PEM from your DBA.
- Test & save. Mycorr opens one short connection, runs a trivial query, and stores the encrypted credentials.
The host, port, database, and username are immutable after creation — they define the connection's identity. To point at a different database, create a new connection. The password and CA certificate can be updated by editing the connection.
SSL modes
| Setting | Equivalent libpq mode | When to use |
|---|---|---|
| Require encrypted connection ON (default) | verify-full | Always, unless you have a specific reason not to. Encrypts traffic and validates the server's certificate against either the public trust store or your provided CA. |
| Require encrypted connection OFF | disable | Trusted private network only — traffic is unencrypted. |
There is no equivalent of prefer / require (encrypt but don't
validate). If you have a self-signed CA, paste it in the Advanced
section rather than turning off validation.
Finding the connection details
Where to look depends on your provider:
- AWS RDS / Aurora: RDS console → your instance → Connectivity & security → Endpoint is your host, Port is the port. Database / username were set at create time.
- Google Cloud SQL: Cloud SQL console → your instance → Connections → Public IP is the host. Enable "Public IP" and allowlist Mycorr's egress IPs.
- Heroku Postgres: heroku config:get DATABASE_URL → postgres://user:pass@host:port/database. Parse out each field.
- Neon / Crunchy Bridge / Render: each provider shows a connection string on the project dashboard. Parse the URL into its parts.
- Self-hosted: whatever you set in postgresql.conf / pg_hba.conf.
For Supabase, use the Supabase page — it has provider-specific guidance.
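Splitting a provider connection string into the form fields, as an added example (not Mycorr's code; the function name `split_database_url` and the sample URL are made up for illustration). It percent-decodes the credentials and flags an `sslmode` of prefer or require, which has no equivalent setting here.

```python
from urllib.parse import urlsplit, unquote, parse_qs

def split_database_url(url):
    """Split a postgres:// URL into the connection form fields plus notes."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"not a Postgres URL: scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    database = unquote(parts.path.lstrip("/"))
    if not database:
        raise ValueError("URL has no database name")
    fields = {
        "host": parts.hostname,
        "port": parts.port or 5432,  # URLs often omit the default port
        "database": database,
        # Credentials are percent-encoded inside a URL (@ is %40, / is %2F);
        # the form needs the decoded values.
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
    }
    notes = []
    sslmode = parse_qs(parts.query).get("sslmode", [None])[0]
    if sslmode in ("prefer", "require"):
        notes.append(
            f"sslmode={sslmode} has no equivalent: the connection is "
            "verify-full (encryption required) or disable"
        )
    return fields, notes

if __name__ == "__main__":
    # Constructed sample URL; never log the real one, it contains the password.
    sample = ("postgres://mycorr_reader:p%40ss%2Fw0rd@db.example.com:6543"
              "/analytics?sslmode=require")
    fields, notes = split_database_url(sample)
    for key, value in fields.items():
        print(key, "=", "********" if key == "password" else value)
    for note in notes:
        print("note:", note)
```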
Importing data
Once the connection is saved:
- Inside a Model, open the Import panel.
- Pick the connection.
- Browse schemas → tables → click a table to import it.
- The imported table is fully owned by your Model. You can sync it later from the same panel; sync re-fetches the table contents and overwrites the previous data.
Security model
- Read-only by IAM. The role you create only has SELECT. Even if Mycorr's code asked for more, your database would refuse it.
- Encrypted at rest. The password and (if provided) CA certificate are AES-256-GCM encrypted in Mycorr's database. Other team members cannot see them; Mycorr support cannot read them as plaintext.
- Encrypted in flight. TLS to your database (verify-full by default) using either the system trust store or your custom CA.
- No SQL injection surface. Mycorr does not run user-supplied SQL. Schema and table names are validated against information_schema before being interpolated into queries.
- No SSRF. Connections to private / metadata / loopback addresses (127.0.0.0/8, 10.0.0.0/8, 172.16-31.0.0/12, 192.168.0.0/16, 169.254.0.0/16, localhost, *.local) are blocked. Mycorr cannot be used as a proxy into a private network.
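A sketch of the kind of host check the Network access and SSRF notes describe, as an added example (not Mycorr's code; `validate_host`, `is_blocked_ip` and the injectable `resolver` are hypothetical names). It assumes every resolved address must pass, that IPv4-mapped IPv6 addresses are unwrapped first, and that ::1 counts as loopback.

```python
import ipaddress
import socket

# Ranges listed on this page; 172.16-31.x is written as its CIDR 172.16.0.0/12.
# ::1 is added for "loopback" over IPv6 (an assumption beyond the page's list).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128",
)]

def resolve(name, port):
    """Default resolver: every address (A and AAAA) the name maps to."""
    infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_blocked_ip(addr):
    """True if addr falls inside one of the blocked ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is 10.0.0.5 in IPv6 form
    return any(ip in net for net in BLOCKED_NETS)

def validate_host(host, port=5432, resolver=resolve):
    """Return the vetted IP list for host, or raise ValueError."""
    name = host.strip().rstrip(".").lower()
    if name == "localhost" or name.endswith(".local"):
        raise ValueError(f"internal hostname rejected: {host!r}")
    try:
        addrs = [str(ipaddress.ip_address(name))]  # literal IP, no lookup
    except ValueError:
        addrs = resolver(name, port)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    # One internal record is enough to reject: the client could pick any of them.
    bad = [a for a in addrs if is_blocked_ip(a)]
    if bad:
        raise ValueError(f"{host!r} maps to internal address(es): {bad}")
    return addrs  # connect to one of these IPs, not to a second lookup

if __name__ == "__main__":
    # Constructed sample: resolver stubbed so the demo runs offline.
    print(validate_host("db.example.com", resolver=lambda n, p: ["203.0.113.10"]))
```

Returning the vetted addresses matters: opening the database connection to one of them keeps the check and the connection on the same IP, since a second lookup of the name could return a different answer.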
Revoking
Two ways:
- In Mycorr: Settings → Connections → click the row → Delete.
- In Postgres: REVOKE the role's privileges, drop the role, or rotate the password. Sync will start failing on the next refresh.
Either is sufficient. Both is fine.
Troubleshooting
| Error | Likely cause | Fix |
|---|---|---|
| connection refused / failed to lookup address | Wrong host or port, or your database firewall is dropping us | Verify host/port; allowlist Mycorr's egress IPs |
| password authentication failed | Wrong username or password | Re-check; rotate the password if needed |
| SSL error: certificate verify failed | Server uses a private CA not in the trust store | Paste your CA in Advanced → Custom CA certificate |
| database "..." does not exist | Typoed database name (cluster vs database confusion) | Use the database name, not the cluster name |
| permission denied for schema X | The role lacks USAGE on the schema | GRANT USAGE ON SCHEMA X TO mycorr_reader; |
| permission denied for table Y | The role lacks SELECT on the table | GRANT SELECT ON Y TO mycorr_reader; |
| prepared statement "..." already exists | A connection pooler in transaction mode (PgBouncer / Supavisor / PGCat) | Mycorr disables named statements by default — if you still see this, you're hitting a pooler edge case; switch to session mode or the direct connection |
| connections to private/internal addresses are not allowed | Your host resolves to an RFC 1918 address | Mycorr can only reach public-internet hosts today; expose the database publicly with TLS, or wait for VPC peering support |
Used by
- Table imports from your database, browseable inside any Model's Import panel.