Guild uses a PostgreSQL database for all platform data. When running self-hosted, you configure the connection with the DATABASE_URL environment variable.
DATABASE_URL follows the SQLAlchemy connection string format with the postgresql+asyncpg driver:
DATABASE_URL=postgresql+asyncpg://user:password@host/dbname
SSL configuration
When your PostgreSQL server requires SSL certificate verification, add sslmode and sslrootcert as query parameters to the connection string.
sslmode
The sslmode parameter controls how Guild verifies the server’s TLS certificate.
| Value | Behavior |
|---|
require | Encrypts the connection but does not verify the certificate. This is the default. |
verify-ca | Verifies that the server certificate is signed by a trusted CA. Does not verify the server hostname. |
verify-full | Verifies the server certificate and confirms that the hostname matches the certificate. |
sslrootcert
The sslrootcert parameter specifies the path to a CA certificate file. Guild uses this file to verify the server’s certificate when sslmode is verify-ca or verify-full.
DATABASE_URL=postgresql+asyncpg://user:pass@host/dbname?sslmode=verify-full&sslrootcert=/path/to/ca.pem
Managed database services such as AWS RDS, Google Cloud SQL, and Azure Database for PostgreSQL provide a CA certificate you can download and reference with sslrootcert.
Use verify-full when the hostname in the URL matches the hostname in the server’s certificate. Use verify-ca when you want to verify the certificate chain but hostname matching is not applicable.
sslrootcert has no effect unless sslmode is verify-ca or verify-full.