Skip to main content
LangSmith uses a PostgreSQL database as the primary data store for transactional workloads and operational data (almost everything besides runs). By default, LangSmith Self-Hosted will use an internal PostgreSQL database. However, you can configure LangSmith to use an external PostgreSQL database. By configuring an external PostgreSQL database, you can more easily manage backups, scaling, and other operational tasks for your database.

​
Requirements

  • A provisioned PostgreSQL database that your LangSmith instance will have network access to. We recommend using a managed PostgreSQL service like:
  • Note: We only officially support PostgreSQL versions >= 14.
  • A user with admin access to the PostgreSQL database. This user will be used to create the necessary tables, indexes, and schemas.
  • This user will also need to have the ability to create extensions in the database. We use/will try to install the btree_gin, btree_gist, pgcrypto, citext, ltree, and pg_trgm extensions.
  • If using a schema other than public, ensure that you do not have any other schemas with the extensions enabled, or you must include that in your search path.
  • Support for pgbouncer and other connection poolers is community-based. Community members have reported that pgbouncer has worked with pool_mode = session and a suitable setting for ignore_startup_parameters (as of writing, search_path and lock_timeout need to be ignored). Care is needed to avoid polluting connection pools; some level of PostgreSQL expertise is advisable. LangChain Inc currently does not have roadmap plans for formal test coverage or commercial support of pgbouncer or amazon rds proxy or any other poolers, but the community is welcome to discuss and collaborate on support through GitHub issues.
  • By default, we recommend an instance with at least 2 vCPUs and 8GB of memory. However, the actual requirements will depend on your workload and the number of users you have. We recommend monitoring your PostgreSQL instance and scaling up as needed.

​
Connection String

You will need to provide a connection string to your PostgreSQL database. This connection string should include the following information:
  • Host
  • Port
  • Database
  • Username
  • Password (Make sure to url encode this if there are any special characters)
  • URL params
This will take the form of: 
username:password@host:port/database?<url_params>
An example connection string might look like: 
myuser:mypassword@myhost:5432/mydatabase?sslmode=disable
Without url parameters, the connection string would look like: 
myuser:mypassword@myhost:5432/mydatabase

​
Configuration

With your connection string in hand, you can configure your LangSmith instance to use an external PostgreSQL database. You can do this by modifying the values file for your LangSmith Helm Chart installation or the .env file for your Docker installation. 
postgres:
  external:
    enabled: true
    connectionUrl: "Your connection url"
Once configured, you should be able to reinstall your LangSmith instance. If everything is configured correctly, your LangSmith instance should now be using your external PostgreSQL database.

​
TLS with PostgreSQL

Use this section to configure TLS for PostgreSQL connections. For mounting internal/public CAs so LangSmith trusts your PostgreSQL server certificate, see Configure custom TLS certificates.

​
Server TLS (one-way)

To validate the PostgreSQL server certificate:
  • Provide a CA bundle using config.customCa.secretName and config.customCa.secretKey.
  • Use sslmode=require or sslmode=verify-full, as well as sslrootcert=system to your connection URL.
Mount a custom CA only when your PostgreSQL server uses an internal or private CA. Publicly trusted CAs do not require this configuration.
config:
  customCa:
    secretName: "langsmith-custom-ca"  # Secret containing your CA bundle
    secretKey: "ca.crt"    # Key in the Secret with the CA bundle
postgres:
  external:
    enabled: true
    connectionUrl: "myuser:mypassword@myhost:5432/mydatabase?sslmode=verify-full&sslrootcert=system"
    customTls: true

​
Mutual TLS with Client Auth (mTLS)

As of LangSmith helm chart version 0.12.28, we support mTLS for PostgreSQL clients. For server-side authentication in mTLS, use the Server TLS steps (custom CA) in addition to the following client certificate configuration. If your PostgreSQL server requires client certificate authentication:
  • Provide a Secret with your client certificate and key.
  • Reference it via postgres.external.clientCert.secretName and specify the keys with certSecretKey and keySecretKey.
  • Use sslmode=verify-full and sslrootcert=system in your connection URL.
postgres:
  external:
    enabled: true
    connectionUrl: "myuser:mypassword@myhost:5432/mydatabase?sslmode=verify-full&sslrootcert=system"
    customTls: true
    clientCert:
      secretName: "postgres-mtls-secret"
      certSecretKey: "tls.crt"
      keySecretKey: "tls.key"

​
Pod security context for certificate volumes

The certificate volumes mounted for mTLS are protected by file access restrictions. To ensure all LangSmith pods can read the certificate files, you must set fsGroup: 1000 in the pod security context. You can configure this in one of two ways: Option 1: Use commonPodSecurityContext Set the fsGroup at the top level to apply it to all pods: 
commonPodSecurityContext:
  fsGroup: 1000
Option 2: Add to individual pod security contexts If you need more granular control, add the fsGroup to each pod’s security context individually. See the mTLS configuration example for a complete reference.
Edit the source of this page on GitHub.
Connect these docs programmatically to Claude, VSCode, and more via MCP for real-time answers.