Please report security issues by emailing


Postgres has a connection setting called sslmode.

Tembo Cloud supports sslmodes require, verify-ca, and verify-full. All of these options require encryption. The modes verify-ca and verify-full validate the server certificate using a locally provided certificate. For more information, please review the security documentation.

Connecting with certificate validation

The root CA certificate, know as sslrootcert in the Postgres documentation, can be used to authenticate the server when connecting to Postgres. It is more secure to connect to Postgres with certificate validation, using sslmode verify-ca or verify-full.

To use one of these options, the Postgres client needs to be configured to use the sslrootcert to authenticate the Postgres server. Users can download the root certificate using the the cloud ui or via the Tembo API. Both modes verify-ca or verify-full will authenticate the server, checking that the server’s certificate was signed by the sslrootcert. verify-full also checks that the hostname on the certificate matches the domain name used to connect, therefore verify-full does not work with the custom domains feature.

Downloading the root certificate


The root CA certificate, know as the sslrootcert in the Postgres documentation, is the same between all Tembo instances.

  • Visit Tembo Cloud
  • Navigate to your desired instance
  • Click “Show connection strings” on the right side of the screen
  • Download the root certificate using the button below:

Re-download the certificate at least monthly to avoid your copy of the certificate expiring


Downloading the root certificate via the Tembo API

For information on authenticating to the API, please see the Tembo Cloud API authentication guide.



curl -s -X 'GET' \
  "${ORG_ID}/instances/${INST_ID}/secrets/${secret_name}" \
  -H 'accept: application/json' \
  -H "Authorization: Bearer ${JWT}" \
  -H 'Content-Type: application/json' \
  | jq -r '."ca.crt"' > ca.crt

psql 'postgresql://postgres:****'

Different clients may connect in different ways. Connection examples are available in this section of the Tembo documentation.


chevron right arrow

Read only user