PostgreSQL
Connect a PostgreSQL database (self-hosted, RDS, Cloud SQL, or Azure) with a connection string or client certificate.
Reads tables and views from any PostgreSQL database. Queries run inside a read-only transaction, so Flitch can never write to your database.
Add a source
PostgreSQL supports two auth methods: a connection string (a database role over TLS) and a client certificate (mTLS).
Prerequisites
- A reachable PostgreSQL host and database.
- A role with read access to the tables you want.
Create a read-only role
CREATE ROLE flitch_readonly LOGIN PASSWORD 'choose-a-strong-password';
GRANT CONNECT ON DATABASE mydb TO flitch_readonly;
GRANT USAGE ON SCHEMA public TO flitch_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO flitch_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO flitch_readonly;
Build the connection string
postgresql://flitch_readonly:password@your-host:5432/mydb?sslmode=require
For RDS, Cloud SQL, or Azure, copy the host (endpoint) from the provider console.
Open the form
Go to Data → Add → PostgreSQL, paste the connection string, then pick datasets.
Issue a client certificate
Generate an X.509 client certificate and key signed by a CA your server trusts, and configure pg_hba.conf to accept certificate auth for the role.
Open the form
Go to Data → Add → PostgreSQL, pick Client Certificate (mTLS), and paste the CA certificate, client certificate, and client key.
Pick datasets
Test the connection, then tick the tables and views.
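One way to carry out the "Issue a client certificate" step with OpenSSL, as an added example that is not Flitch's own tooling. The throwaway CA, file names, key size, validity periods and the 203.0.113.10 egress IP are assumptions; the role and database names follow the read-only role example above.

```shell
#!/bin/sh
# Added example (not Flitch's own tooling). The throwaway CA, file names,
# key size and validity periods are assumptions; use your real CA in practice.
# Server side, postgresql.conf needs ssl = on and ssl_ca_file set to this CA.

# Create a CA plus a client certificate for one database role in directory $1.
# PostgreSQL "cert" auth compares the certificate CN with the requested role,
# so the CN is set to the role name ($2).
issue_client_cert() (
    dir=$1; role=$2
    umask 077    # private keys must not be group- or world-readable
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$role" \
        -keyout "$dir/client.key" -out "$dir/client.csr" || exit 1
    # Restrict the certificate to TLS client authentication.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -days 90 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" || exit 1
)

# Print the subject CN of certificate $1 (must equal the database role).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Check that client certificate $2 chains to CA certificate $1.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Print a pg_hba.conf rule: TLS only, one database, one role, one source IP,
# client certificate required. $1=database $2=role $3=connector egress IP.
pg_hba_line() {
    printf 'hostssl %s %s %s/32 cert\n' "$1" "$2" "$3"
}

# Usage (203.0.113.10 is a placeholder for the egress IP shown in the form):
#   d=$(mktemp -d) && issue_client_cert "$d" flitch_readonly
#   cert_cn "$d/client.crt" && verify_chain "$d/ca.crt" "$d/client.crt"
#   pg_hba_line mydb flitch_readonly 203.0.113.10
```

Paste `ca.crt`, `client.crt` and `client.key` into the form; `ca.key` stays offline and is never uploaded.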
Network access
Flitch connects from its own server, not your browser, so if your database is behind a firewall or VPC security group you must allow Flitch's connector egress IP (shown in the Add Source form), not your own IP. Managed hosts that are publicly reachable over SSL need no change.
Team-wide credential (optional)
A team admin can store one shared PostgreSQL credential in Settings → Data connections; new connections then default to it, with no per-connection secret.
Refresh
Refresh is off by default. Enable it to schedule a background refresh and serve from cache between runs. See Refresh.
Troubleshooting
Authentication failed. Check the role and password, and that it can log in.
Connection timed out / refused. Verify host and port, and that the egress IP is allowlisted.
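TLS certificate not trusted. Use SSL mode "Require", or provide the CA certificate for Verify CA / Verify Full. In PostgreSQL, sslmode=require encrypts the connection without validating the server certificate; verify-ca checks it against the CA you supply, and verify-full also checks that the host name matches.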