Last reviewed 2026-05-13 Edit this page on GitHub

Quick start

Add pgJDBC to your build, open a TLS-protected connection, run a query. This page is the minimum viable path to a working application; the rest of the documentation fills in the edges.

Add the dependency

<dependency>
    <groupId>org.postgresql</groupId>
    <artifactId>postgresql</artifactId>
    <version>42.7.11</version>
</dependency>

implementation("org.postgresql:postgresql:42.7.11")

implementation 'org.postgresql:postgresql:42.7.11'

libraryDependencies += "org.postgresql" % "postgresql" % "42.7.11"

Open a connection

String url = "jdbc:postgresql://db.example.com:5432/mydb";

Properties props = new Properties();
props.setProperty("user", "alice");
props.setProperty("password", System.getenv("PGPASSWORD"));

// TLS + channel-bound SCRAM. See "Configure SSL/TLS" for the rationale.
props.setProperty("sslmode",        "verify-full");
props.setProperty("sslrootcert",    "/etc/postgresql/ssl/ca.pem");
props.setProperty("channelBinding", "require");

try (Connection conn = DriverManager.getConnection(url, props);
     PreparedStatement ps = conn.prepareStatement(
         "SELECT name FROM users WHERE id = ?")) {
    ps.setLong(1, 42);
    try (ResultSet rs = ps.executeQuery()) {
        while (rs.next()) {
            System.out.println(rs.getString("name"));
        }
    }
}

Configure SSL/TLS

For any non-local server, use both of these together:

sslmode=verify-full: the driver validates the server’s certificate chain against sslrootcert and verifies that the certificate’s Subject Alternative Name matches the hostname you connected to. Any weaker mode (including the default prefer) leaves you open to a man-in-the-middle attack.
channelBinding=require: binds the SCRAM authentication exchange to the established TLS channel. An attacker who terminated and re-established the TLS connection to the server cannot replay the SCRAM handshake; without channel binding, that attack works even when TLS is in use.

Channel binding requires PostgreSQL 11 or newer and the server must be configured for SCRAM-SHA-256 (the default since PG 14). If you must run against legacy infrastructure, fall back to channelBinding=prefer, but only after explicitly auditing what the target server supports.

The SSL-related connection properties:

14 of 14

Name	Type	Default	Versions	Description
`channelBinding`	`enum`	`prefer`	since 42.7.0	This option controls the client’s use of channel binding.
`pemKeyAlgorithm`	`string`	`RSA`	since 42.7.9	Algorithm of the PEM key
`ssl`	`string`	—	since 9.4	Control use of SSL (any non-null value causes SSL to be required)
`sslcert`	`string`	—	since 9.4	The location of the client’s SSL certificate
`sslfactory`	`class`	`org.postgresql.ssl.LibPQFactory`	since 9.4	Provide a SSLSocketFactory class when using SSL.
`sslfactoryarg`	`string`	—	since 9.4	Argument forwarded to constructor of SSLSocketFactory class.
`sslhostnameverifier`	`class`	—	since 9.4	A class, implementing javax.net.ssl.HostnameVerifier that can verify the server
`sslkey`	`string`	—	since 9.4	The location of the client’s PKCS#8 SSL key
`sslmode`	`enum`	—	since 9.4-1200	Parameter governing the use of SSL
`sslNegotiation`	`enum`	`postgres`	since 42.7.4	This option controls whether the driver will perform its protocol negotiation to request encryption from the server or will just directly make a standard SSL connection. Traditional PostgreSQL protocol negotiation is the default and the most flexible with different server configurations. If the server is known to support direct SSL connections then the latter requires one fewer round trip reducing connection latency and also allows the use of protocol agnostic SSL network tools.
`sslpassword`	`string`	—	since 9.4	The password for the client’s ssl key (ignored if sslpasswordcallback is set)
`sslpasswordcallback`	`class`	—	since 9.4	A class, implementing javax.security.auth.callback.CallbackHandler that can handle PasswordCallback for the ssl password.
`sslResponseTimeout`	`int`milliseconds	`5000`	since 42.5.2	Time in milliseconds we wait for a response from the server after requesting SSL upgrade
`sslrootcert`	`string`	—	since 9.4	The location of the root certificate for authenticating the server.

Common follow-ups

Connection pooling. Use HikariCP, Tomcat JDBC, or your container’s pool. Do not call DriverManager.getConnection per request; the driver was built for pool usage and the cost of opening a connection is significant. See Connection pooling for the recipes and sizing guidance.
Authentication. SCRAM-SHA-256 is handled transparently. See Authentication for the full method list, the requireAuth allow-list / deny-list, channel-binding semantics, and the AuthenticationPlugin SPI for IAM / Vault / token-based credentials.
Performance. Server-side prepared statements activate after prepareThreshold executions (default 5). See Server-prepared statements for the full discussion, including binary transfer trade-offs.

The authentication-related connection properties:

6 of 6

Name	Type	Default	Versions	Description
`authenticationPluginClassName`	`class`	—	since 42.2.25	Name of class which implements AuthenticationPlugin
`channelBinding`	`enum`	`prefer`	since 42.7.0	This option controls the client’s use of channel binding.
`password`	`string`	—	since 9.4	Password to use when authenticating.
`requireAuth`	`string`	—	since 42.7.0	Comma-separated list of acceptable authentication methods. Use ‘!’ prefix to reject methods (e.g., ‘!password’ to reject cleartext). Supported: password, md5, gss, sspi, scram-sha-256, none
`scramMaxIterations`	`int`	`100000`	since 42.7.11	Maximum PBKDF2 iteration count accepted from the server during SCRAM authentication. A value of zero disables this check.
`user`	`string`	—	since 9.4	Username to connect to the database as.

What’s next

Connection properties : the full set of tunables.
SSL / TLS : certificate setup, custom socket factories, CRL/OCSP.
DataSource and JNDI : how to integrate with HikariCP and friends.

Compatibility