
Secure Postgres CLI Logins with OpenID Connect (OIDC) in pgcli


That’s the problem OpenID Connect (OIDC) solves for pgcli users. Secure, standards-based authentication directly in your Postgres command-line workflow. No extra hacks. No storing passwords in plain text. Identity flows that match your cloud’s security model, without touching a single .pgpass file.

Why OIDC with pgcli matters

Postgres connections have traditionally lived in a world of static credentials—long-lived usernames and passwords that never change until someone remembers to rotate them. It’s a slow, brittle method, and it’s not how modern teams run secure systems.

OpenID Connect gives pgcli the same authentication power as a modern web app: single sign-on, short-lived tokens, integration with identity providers like Okta, Google, or Azure AD. That means database sessions you can trace, lock down, and expire automatically.

When pgcli is wired with OIDC, your workflow changes in three big ways:

  1. No more password sprawl. OIDC replaces it with secure, token-based logins.
  2. Consistent auth. The same identity provider for browser apps, APIs, and CLI tools.
  3. Better auditability. Every login has a user identity tied to corporate SSO.

How it works in practice

With the right configuration, pgcli pulls an OIDC token from your identity provider before opening a database connection. That token is validated by Postgres or a proxy layer. No static passwords, no direct credential sharing.


The flow is simple:

  • Authenticate via your IdP using an OIDC client.
  • pgcli uses the issued token as your credential.
  • The database service or proxy verifies the token’s signature and claims.

It feels instant. And it works anywhere your OIDC provider can issue tokens for your database endpoint.

Security benefits you can’t ignore

OIDC with pgcli raises the bar for database security:

  • Short-lived access tokens mean compromised credentials expire fast.
  • Centralized identity management reduces risk from forgotten accounts.
  • Detailed logs tie every query to a verified user.
  • No need to distribute or rotate static passwords for each engineer.

Setting it up without the pain

The hardest part of OIDC for CLI tools used to be messy, manual integration. Modern tooling changes that. Services can broker OIDC tokens to your database without custom scripts or homegrown hacks. Simple configuration replaces weeks of trial and error.

You can have pgcli authenticating with OIDC in minutes—securely—by using a service that handles the token exchange and validation for you.

See it live

Identity-driven database access shouldn’t be a side project. Try it, see it work, and understand what secure-by-default feels like. Sign in to hoop.dev, connect your Postgres instance, and watch pgcli log in with OIDC in minutes.
