
JWT-based Authentication with pgcli: A Secure and Modern Alternative to Passwords


The password worked yesterday. Today it doesn’t.

That’s when you know it’s time to move past old ways of logging in and start using JWT-based authentication with pgcli. Secure, fast, and script-ready — JSON Web Tokens solve the pain of storing credentials and passing them on every command. With pgcli, you can use JWT to connect without exposing static passwords in configs or shells.

Pgcli is already a favorite for its autocomplete, syntax highlighting, and speed. Adding JWT authentication takes it further. Instead of tying connections to a long-lived password, you generate a short-lived token from your identity provider. That token travels with the connection, expires on schedule, and keeps your database safer.

The workflow is simple. You sign in to your auth system, receive a JWT, and pass it to pgcli as part of your connection string or header setup. Many teams integrate this with their CI/CD pipelines so build jobs and scripts can grab a fresh token at run time. There’s no password leaking into logs or history files. Even if a token is intercepted, it has a short life.


Under the hood, the database needs to verify the JWT. This is often handled by a proxy or middleware layer that checks the signature against your trusted keys. Once verified, the middleware injects the right Postgres role into the session. Pgcli then operates as if you’d connected with normal credentials, but without the risk of those credentials being reused or stolen.

JWT-based authentication also pairs well with role-based access control. You can embed claims in the JWT that map to database roles, limiting what a connection can do. This keeps tokens precise and security tight.
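One way the proxy-side check described above could look, as an added example that is not hoop.dev's or pgcli's own code. It assumes a `db_role` claim, a constructed role allow-list, and HS256 with a shared key standing in for the asymmetric keys an identity provider would normally publish.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ROLES = {"readonly", "app_writer"}  # assumed allow-list of Postgres roles
ROLE_CLAIM = "db_role"                      # assumed claim name

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, key):
    """Stand-in for the identity provider; only used to build sample tokens."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(key, head + '.' + body))}"

def role_for_token(token, key, now=None):
    """Return the Postgres role to inject for this session, or raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64d(head_b64)), _b64d(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token's own header choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _mac(key, head_b64 + "." + body_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))  # trusted only after the signature check
    if not isinstance(claims, dict):
        raise ValueError("claims must be an object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    role = claims.get(ROLE_CLAIM)
    # Allow-list the role: the claim is never interpolated into SQL unchecked.
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValueError("role not allowed")
    return role
```

A token with no `exp` claim is rejected rather than treated as non-expiring, which is what keeps the short-lifetime property enforceable at the proxy.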

For engineers frustrated by typing passwords over and over, the switch to JWT feels like unlocking a smoother, more modern workflow. For security teams, it means controlling access windows and reducing credential sprawl. For both, it’s a win.

You can test JWT-based authentication with pgcli without days of setup. Spin up a managed Postgres instance, wire it to a token issuer, and connect in minutes. Hoop.dev makes this easy — you can see it working live, right now, with full JWT integration driving secure pgcli sessions.

Try it today and take your pgcli workflow into the token age.
