Skip to main content
LangSmith uses a PostgreSQL database as the primary data store for transactional workloads and operational data (almost everything besides runs). By default, LangSmith Self-Hosted will use an internal PostgreSQL database. However, you can configure LangSmith to use an external PostgreSQL database. By configuring an external PostgreSQL database, you can more easily manage backups, scaling, and other operational tasks for your database.

Requirements

  • A provisioned PostgreSQL database that your LangSmith instance will have network access to. We recommend using a managed PostgreSQL service like:
  • Note: We only officially support PostgreSQL versions >= 14.
  • We support password and IAM/Workload Identity authentication.
  • A user with admin access to the PostgreSQL database. This user will be used to create the necessary tables, indexes, and schemas.
  • This user will also need to have the ability to create extensions in the database. We use/will try to install the btree_gin, btree_gist, pgcrypto, citext, ltree, and pg_trgm extensions.
  • If using a schema other than public, ensure that you do not have any other schemas with the extensions enabled, or you must include that in your search path.
  • Support for pgbouncer and other connection poolers is community-based. Community members have reported that pgbouncer has worked with pool_mode = session and a suitable setting for ignore_startup_parameters (as of writing, search_path and lock_timeout need to be ignored). Care is needed to avoid polluting connection pools; some level of PostgreSQL expertise is advisable. LangChain Inc currently does not have roadmap plans for formal test coverage or commercial support of pgbouncer or amazon rds proxy or any other poolers, but the community is welcome to discuss and collaborate on support through GitHub issues.
  • By default, we recommend an instance with at least 2 vCPUs and 8GB of memory. However, the actual requirements will depend on your workload and the number of users you have. We recommend monitoring your PostgreSQL instance and scaling up as needed.

Connection String

You will need to provide a connection string to your PostgreSQL database. This connection string should include the following information:
  • Host
  • Port
  • Database
  • Username
  • Password (Make sure to url encode this if there are any special characters) - Note: When using IAM authentication, the password is not required in the connection string. More below.
  • URL params
This will take the form of: 
username:password@host:port/database?<url_params>
An example connection string might look like: 
myuser:mypassword@myhost:5432/mydatabase?sslmode=disable
Without url parameters, the connection string would look like: 
myuser:mypassword@myhost:5432/mydatabase
For IAM authentication, omit the password and use the identity name as the username: 
my-workload-identity@myhost:5432/mydatabase?sslmode=require

Configuration

With your connection string in hand, you can configure your LangSmith instance to use an external PostgreSQL database. You can do this by modifying the values file for your LangSmith Helm Chart installation or the .env file for your Docker installation. 
postgres:
  external:
    enabled: true
    connectionUrl: "Your connection url"
Once configured, you should be able to reinstall your LangSmith instance. If everything is configured correctly, your LangSmith instance should now be using your external PostgreSQL database.

TLS with PostgreSQL

Use this section to configure TLS for PostgreSQL connections. For mounting internal/public CAs so LangSmith trusts your PostgreSQL server certificate, see Configure custom TLS certificates.

Server TLS (one-way)

To validate the PostgreSQL server certificate:
  • Provide a CA bundle using config.customCa.secretName and config.customCa.secretKey.
  • Use sslmode=require or sslmode=verify-full, as well as sslrootcert=system to your connection URL.
Mount a custom CA only when your PostgreSQL server uses an internal or private CA. Publicly trusted CAs do not require this configuration.
config:
  customCa:
    secretName: "langsmith-custom-ca"  # Secret containing your CA bundle
    secretKey: "ca.crt"    # Key in the Secret with the CA bundle
postgres:
  external:
    enabled: true
    connectionUrl: "myuser:mypassword@myhost:5432/mydatabase?sslmode=verify-full&sslrootcert=system"
    customTls: true

Mutual TLS with Client Auth (mTLS)

As of LangSmith helm chart version 0.12.29, we support mTLS for PostgreSQL clients. For server-side authentication in mTLS, use the Server TLS steps (custom CA) in addition to the following client certificate configuration. If your PostgreSQL server requires client certificate authentication:
  • Provide a Secret with your client certificate and key.
  • Reference it via postgres.external.clientCert.secretName and specify the keys with certSecretKey and keySecretKey.
  • Use sslmode=verify-full and sslrootcert=system in your connection URL.
postgres:
  external:
    enabled: true
    connectionUrl: "myuser:mypassword@myhost:5432/mydatabase?sslmode=verify-full&sslrootcert=system"
    customTls: true
    clientCert:
      secretName: "postgres-mtls-secret"
      certSecretKey: "tls.crt"
      keySecretKey: "tls.key"

Pod security context for certificate volumes

The certificate volumes mounted for mTLS are protected by file access restrictions. To ensure all LangSmith pods can read the certificate files, you must set fsGroup: 1000 in the pod security context. You can configure this in one of two ways: Option 1: Use commonPodSecurityContext Set the fsGroup at the top level to apply it to all pods: 
commonPodSecurityContext:
  fsGroup: 1000
Option 2: Add to individual pod security contexts If you need more granular control, add the fsGroup to each pod’s security context individually. See the mTLS configuration example for a complete reference.

IAM Authentication

As of LangSmith helm chart version 0.12.34, we support IAM authentication for PostgreSQL. This allows you to use cloud provider workload identity instead of static passwords.

Supported providers

ProviderDatabase ServiceDocumentation
AWSRDS PostgreSQLIAM database authentication
GCPCloud SQLIAM authentication
AzureAzure Database for PostgreSQLMicrosoft Entra authentication

Prerequisites

IAM authentication only handles connection authentication. You may still need to run SQL commands in your database to create the IAM user/role and grant it the necessary permissions and privileges to access the LangSmith schema.
  1. Configure workload identity in your Kubernetes cluster. See your cloud provider’s documentation:
  2. Enable IAM authentication on your PostgreSQL instance and grant access to your workload identity. Refer to your cloud provider’s documentation linked above.
  3. Annotate your Kubernetes ServiceAccounts and Deployments/Jobs with the workload identity binding per your cloud provider’s requirements.

Configuration

If you switch to a new IAM user after LangSmith has already run initial migrations, you may need to transfer ownership of existing tables to the new IAM user. Otherwise, migrations may fail due to insufficient privileges on tables owned by the previous user.
To enable IAM authentication, set the iamAuthProvider field and use an IAM-compatible connection string (without password):
Helm
postgres:
  external:
    enabled: true
    existingSecretName: "postgres-secret"
    iamAuthProvider: "azure"  # or "gcp" or "aws"
Kubernetes Secret
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
type: Opaque
stringData:
  # IAM connection URL - note no password, username is the identity name
  connection_url: "<identity-name>@<host>:5432/<database>?sslmode=require"
IAM authentication requires TLS. You must include sslmode=require in your connection string.

Required annotations

You must apply the ServiceAccount annotations and pod labels required by your cloud provider’s workload identity to all LangSmith components that connect to PostgreSQL. This includes: Deployments: backend, queue, platformBackend, hostBackend Jobs: migrations, authBootstrap, feedbackConfigMigration, feedbackDataMigration, e2eTest
All jobs listed above (except e2eTest) use the backend service account. For these jobs, you only need to configure pod labels if your cloud provider requires them (e.g., Azure requires azure.workload.identity/use: "true" on pods). The e2eTest job uses its own service account and requires separate annotation configuration.
Example for the backend service (repeat for other services listed above): 
backend:
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::<account-id>:role/<role-name>"
...
See the Helm values reference for the full list of configurable services and their annotation/label options.
Edit this page on GitHub or file an issue.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.