> ## Documentation Index
> Fetch the complete documentation index at: https://docs.guild.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Database

> Configure the PostgreSQL database connection for self-hosted Guild deployments.

Guild uses a PostgreSQL database for all platform data. When running self-hosted, you configure the connection with the `DATABASE_URL` environment variable.

## Connection string format

`DATABASE_URL` follows the SQLAlchemy connection string format with the `postgresql+asyncpg` driver:

```bash theme={null}
DATABASE_URL=postgresql+asyncpg://user:password@host/dbname
```

## SSL configuration

When your PostgreSQL server requires SSL certificate verification, add `sslmode` and `sslrootcert` as query parameters to the connection string.

### `sslmode`

The `sslmode` parameter controls how Guild verifies the server's TLS certificate.

| Value         | Behavior                                                                                             |
| ------------- | ---------------------------------------------------------------------------------------------------- |
| `require`     | Encrypts the connection but does not verify the certificate. This is the default.                    |
| `verify-ca`   | Verifies that the server certificate is signed by a trusted CA. Does not verify the server hostname. |
| `verify-full` | Verifies the server certificate and confirms that the hostname matches the certificate.              |

### `sslrootcert`

The `sslrootcert` parameter specifies the path to a CA certificate file. Guild uses this file to verify the server's certificate when `sslmode` is `verify-ca` or `verify-full`.

```bash theme={null}
DATABASE_URL=postgresql+asyncpg://user:pass@host/dbname?sslmode=verify-full&sslrootcert=/path/to/ca.pem
```

Managed database services such as AWS RDS, Google Cloud SQL, and Azure Database for PostgreSQL provide a CA certificate you can download and reference with `sslrootcert`.

Use `verify-full` when the hostname in the URL matches the hostname in the server's certificate. Use `verify-ca` when you want to verify the certificate chain but hostname matching is not applicable.

<Warning>
  `sslrootcert` has no effect unless `sslmode` is `verify-ca` or `verify-full`.
</Warning>
