Connect a read-only analytics PostgreSQL database
Give your AI employee read-only access to a PostgreSQL database so it can build dashboards and answer questions about your data — without ever changing it.
Why we ask for this
To turn your data into dashboards and answers, your AI employee needs to read it directly from the source. These fields are the address and login for that PostgreSQL database.
We deliberately ask for a read-only account, and recommend you point it at a replica. Read-only means a reporting task can never accidentally modify or delete a row, and a replica means heavy queries run against a copy instead of slowing down the database your business depends on. This is the standard, safe way to expose data for analytics.
The password is stored encrypted at rest (AES-256-GCM) and scoped to your tenant. It is never baked into the container image. It is decrypted and set as an environment variable inside your isolated container only when a session starts, and you can rotate or revoke it from your database at any time.
Where to get the connection details
1. Ask your DBA (or whoever manages the database) to create a dedicated read-only role — for example a user that can only SELECT, with no INSERT, UPDATE, DELETE or DDL rights.
2. If you run a read replica, point this connection at the replica rather than the primary, so reporting load never competes with your production traffic.
3. Collect the host and port (PostgreSQL defaults to 5432), the database name, and the read-only username and password.
4. Decide the SSL mode — use "require" (or stricter) for any database reachable over a network, so the connection is always encrypted.
5. If the database sits behind a firewall, set up a Tailscale or Cloudflare Tunnel first (see "Reaching a database behind a firewall" below) and use the private host address it gives you.
6. Enter the values into the matching fields: ANALYTICS_PGHOST, ANALYTICS_PGPORT, ANALYTICS_PGUSER, ANALYTICS_PGPASSWORD, ANALYTICS_PGDATABASE and ANALYTICS_PGSSLMODE.
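For step 1, a sketch of what the DBA could run to create and then verify such a role. This is an added example, not part of the product's own setup scripts. The role name analytics_ro, the database appdb, the schema public, the connection limit and the timeout are assumptions to replace with your own values.

```sql
-- Assumed names: role analytics_ro, database appdb, schema public.
-- Run as the database owner or a superuser on the primary; a physical
-- replica is read-only and receives the role through replication.

CREATE ROLE analytics_ro
  LOGIN
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET'   -- placeholder, not a real value
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
  CONNECTION LIMIT 5;                        -- assumed cap on concurrent sessions

-- Allow the role into this one database and this one schema.
GRANT CONNECT ON DATABASE appdb TO analytics_ro;
GRANT USAGE ON SCHEMA public TO analytics_ro;

-- Before PostgreSQL 15, every role can CREATE objects in schema public
-- through the PUBLIC pseudo-role. Revoke it so "no DDL" actually holds.
-- Check first that no other application role relies on this default.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- SELECT on the tables that exist today...
GRANT SELECT ON ALL TABLES IN SCHEMA public TO analytics_ro;
-- ...and on tables created later by the role that runs this statement.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO analytics_ro;

-- Guard rails. A session can change these with SET, so they stop
-- accidents and runaway queries; the grants above are the real boundary.
ALTER ROLE analytics_ro SET default_transaction_read_only = on;
ALTER ROLE analytics_ro SET statement_timeout = '60s';

-- Verification 1: must return zero rows. Lists every user table the role
-- could write to, including rights inherited from PUBLIC or other roles.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege(
        'analytics_ro',
        format('%I.%I', schemaname, tablename),
        'INSERT, UPDATE, DELETE, TRUNCATE');

-- Verification 2: must return false (the role cannot create objects).
SELECT has_schema_privilege('analytics_ro', 'public', 'CREATE');
```

If your data lives in more than one schema, repeat the USAGE, SELECT and default-privilege statements for each schema you want the role to read.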
Reaching a database behind a firewall
Your AI employee runs in an isolated cloud container that, by default, can only reach the public internet — it has no route into your private network. If the database only listens on a private address, the connection will simply time out.
The fix is a private tunnel. Set up Tailscale or a Cloudflare Tunnel on a machine that can already reach the database, then use the private hostname it provides as the host value here. Nothing else on your network is exposed.