Cordon can inject credentials into database connections, not just HTTP APIs. For PostgreSQL, Cordon intercepts the wire protocol handshake and injects the password before the connection reaches the upstream database. Your application connects to a local port with no password, and Cordon handles authentication transparently.

How it works

  1. Cordon listens on a local port (e.g., 15432)
  2. Your app connects to localhost:15432 with no password
  3. Cordon intercepts the PostgreSQL authentication handshake
  4. The real password is fetched from 1Password or the OS keyring and injected
  5. The authenticated connection is forwarded to the upstream database
Your application never sees or handles database credentials.
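
To make steps 3 and 4 concrete, the following added example (not Cordon's own code) shows the PostgreSQL protocol 3.0 messages involved: the client's StartupMessage, which carries the username but no password, and the PasswordMessage a proxy would send in answer to the server's authentication request. It covers only the cleartext and MD5 request types; the sample bytes, salt and password are constructed, and the page does not state which methods Cordon supports.

```python
import hashlib
import struct

PROTOCOL_3_0 = 196608  # major version 3, minor version 0


def parse_startup(msg: bytes) -> dict:
    """Parse a client StartupMessage: Int32 length, Int32 version, key\\0value\\0 pairs, final \\0."""
    length, version = struct.unpack("!II", msg[:8])
    if length != len(msg) or version != PROTOCOL_3_0 or not msg.endswith(b"\x00"):
        raise ValueError("not a protocol 3.0 StartupMessage")
    parts = msg[8:-1].split(b"\x00")
    parts.pop()  # empty element left after the last value's terminator
    if len(parts) % 2:
        raise ValueError("parameter name without a value")
    return {k.decode(): v.decode() for k, v in zip(parts[0::2], parts[1::2])}


def password_message(auth_request: bytes, user: str, password: str) -> bytes:
    """Build the PasswordMessage ('p') that answers the server's Authentication ('R') request."""
    tag, _length, method = struct.unpack("!cII", auth_request[:9])
    if tag != b"R":
        raise ValueError("not an Authentication message")
    if method == 3:      # AuthenticationCleartextPassword
        secret = password.encode()
    elif method == 5:    # AuthenticationMD5Password, followed by a 4-byte salt
        salt = auth_request[9:13]
        inner = hashlib.md5(password.encode() + user.encode()).hexdigest().encode()
        secret = b"md5" + hashlib.md5(inner + salt).hexdigest().encode()
    else:                # e.g. 10 = SASL (SCRAM), not handled in this example
        raise ValueError(f"unsupported auth method {method}")
    body = secret + b"\x00"
    return b"p" + struct.pack("!I", len(body) + 4) + body


# Constructed sample: what an app sends for postgresql://app_user@localhost:15432/mydb
_body = struct.pack("!I", PROTOCOL_3_0) + b"user\x00app_user\x00database\x00mydb\x00\x00"
SAMPLE_STARTUP = struct.pack("!I", len(_body) + 4) + _body
# Constructed sample: the upstream asks for an MD5 password with salt 01 02 03 04
SAMPLE_MD5_REQUEST = b"R" + struct.pack("!II", 12, 5) + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    params = parse_startup(SAMPLE_STARTUP)
    print("client asked for:", params)
    # "s3cret" is a constructed stand-in for the value fetched from the secret source
    print("proxy replies:", password_message(SAMPLE_MD5_REQUEST, params["user"], "s3cret"))
```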

Configuration

Database connections are configured as services in cordon.yaml, separate from HTTP routes:
listen: "127.0.0.1:6790"

tls:
  enabled: true
  ca_cert_path: "./ca-cert.pem"
  ca_key_path: "./ca-key.pem"

routes:
  # ... your HTTP routes ...

services:
  - name: prod-db
    listen: 15432
    upstream: "db.prod.example.com:5432"
    protocol: postgres
    auth:
      type: password
      username: app_user
      secret:
        source: 1password
        vault: Engineering
        item: Postgres Prod
        field: password

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Identifier for the service (used in logs) |
| listen | integer | Yes | Local port to listen on |
| upstream | string | Yes | Upstream database host and port |
| protocol | string | Yes | Wire protocol. Currently postgres. |
| auth.type | string | Yes | Auth type. Currently password. |
| auth.username | string | Yes | Username to authenticate as |
| auth.secret | object | Yes | Secret source reference. See Secret Sources. |

Connecting your application

Point your application at the local port instead of the upstream database:
postgresql://app_user@localhost:15432/mydb
No password in the connection string. Cordon injects it.

Multiple databases

Configure multiple services for different databases, each on its own local port:
services:
  - name: prod-db
    listen: 15432
    upstream: "db.prod.example.com:5432"
    protocol: postgres
    auth:
      type: password
      username: app_user
      secret:
        source: 1password
        vault: Engineering
        item: Postgres Prod
        field: password

  - name: staging-db
    listen: 15433
    upstream: "db.staging.example.com:5432"
    protocol: postgres
    auth:
      type: password
      username: staging_user
      secret:
        source: keyring
        service: cordon
        account: staging-pg-pass
PostgreSQL support requires the pg feature. The npm package includes this by default.