PostgreSQL AI Integration

Text-to-SQL and AI analytics for PostgreSQL

Chion turns natural-language questions into verified SQL against your Postgres database. Read-only by design, credentials encrypted in vault, no data leaves your instance's result set. Works with Neon, Supabase, Amazon RDS, Google Cloud SQL, and Azure.

Chion is an AI SQL workforce for PostgreSQL teams. It connects to Neon, Supabase, Amazon RDS, Google Cloud SQL, and Azure.

Problem: Teams want plain-English questions answered from their production PostgreSQL, without ETL or warehouse copies.

What Chion does: Direct read-only connection to Neon, Supabase, Amazon RDS, Google Cloud SQL, or Azure. Five connection fields, two-minute setup.

How Chion connects to PostgreSQL

Five steps from role creation to interactive charts.

  1. Create a read-only Postgres role

    In your database, grant only what Chion needs:

    -- Login role used only by Chion; replace the placeholder password.
    CREATE ROLE chion_read LOGIN PASSWORD '<strong-password>';
    GRANT CONNECT ON DATABASE <dbname> TO chion_read;
    GRANT USAGE ON SCHEMA public TO chion_read;
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO chion_read;
    -- Covers tables created later by the role that runs this statement.
    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO chion_read;

  2. Grab the six connection fields

    From your provider's dashboard, collect Host, Port (5432 for direct connections, 6543 for the Supabase transaction pooler, 6432 for the Azure PgBouncer pooler), Database, Schema (default public), User, and Password.

  3. Paste into Chion

    Open Chion, click Connect PostgreSQL, paste the six fields. Credentials are wrapped in an AES-256-GCM envelope in Supabase Vault, never logged, never shown to the language model, and only unsealed inside the edge function for the duration of one query.

  4. Chion profiles your schema

    Chion reads table and column metadata (names, types, cardinality) but never samples row data. The schema profile is what the language model sees; rows stay inside your database.

  5. Ask in plain English

    Type a question. Chion generates SQL, passes it through the multi-stage validator (L1 read-only SELECT check, L2 mode-based validator), executes it read-only with a capped LIMIT of 1,000 rows or 12,000 cells, and renders the result as an interactive D3.js chart.
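
Before pasting the credentials in step 3, it is worth confirming that the role from step 1 can do nothing beyond reading. The following is an added example, not Chion's own code: it assumes the chion_read role and public schema from step 1, the connection limit and timeout values are illustrative, and <table_owner> is a placeholder.

```sql
-- Added example, not Chion's own code. Run as the role that owns your tables.
-- Assumes the chion_read role and public schema from step 1.

-- Guard rails on the role. A session can still override
-- default_transaction_read_only, so the GRANTs remain the real boundary.
ALTER ROLE chion_read CONNECTION LIMIT 5;
ALTER ROLE chion_read SET default_transaction_read_only = on;
ALTER ROLE chion_read SET statement_timeout = '30s';

-- 1. Role attributes: every flag should be false.
SELECT rolsuper, rolcreaterole, rolcreatedb, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname = 'chion_read';

-- 2. Inherited privileges: expect zero rows (no role memberships).
SELECT g.rolname AS member_of
FROM pg_auth_members m
JOIN pg_roles g ON g.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = 'chion_read';

-- 3. Any write-capable table privilege, whether granted directly, through
--    PUBLIC, or through membership: expect zero rows.
SELECT n.nspname, c.relname, p.priv
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'),
                   ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(priv)
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('chion_read'::name, c.oid, p.priv);

-- 4. CREATE on the schema: expect false. PostgreSQL 14 and earlier grant
--    CREATE on public to PUBLIC by default, so this can be true there.
SELECT has_schema_privilege('chion_read', 'public', 'CREATE') AS can_create;

-- 5. Default privileges only cover tables created by the role that ran
--    ALTER DEFAULT PRIVILEGES. List what is registered, then repeat the
--    statement FOR ROLE each role that creates tables (placeholder below).
SELECT pg_get_userbyid(defaclrole) AS creator, defaclacl
FROM pg_default_acl
WHERE defaclobjtype = 'r';
-- ALTER DEFAULT PRIVILEGES FOR ROLE <table_owner> IN SCHEMA public
--   GRANT SELECT ON TABLES TO chion_read;
```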

Find your credentials

Select your PostgreSQL provider for step-by-step instructions.

Amazon RDS for PostgreSQL

Field | Where to Find | Default
Server (Endpoint) | Connectivity & security tab → Endpoint | <instance>.<id>.<region>.rds.amazonaws.com
Port | Same tab, next to Endpoint | 5432
Database | Configuration tab → DB name | postgres (or what you set at creation)
Schema | Not in console; default is public | public
User | Configuration tab → Master username | postgres (or what you set)
Password | Set at instance creation. Modify → change Master password to reset | (not retrievable)

Quick steps

  1. Log in at console.aws.amazon.com/rds
  2. Click Databases in the left sidebar
  3. Click your PostgreSQL instance name
  4. Connectivity & security tab → copy the Endpoint and Port
  5. Configuration tab → note the DB name and Master username
  6. Password is what you entered during creation (use Modify to reset if needed)

Azure Database for PostgreSQL

Field | Where to Find | Default
Server (Host) | Overview page → Server name | <server>.postgres.database.azure.com
Port | Overview or Connection strings page | 5432
Database | Created by default. Check via Connection strings or psql | postgres
Schema | Not in portal; default is public | public
User | Overview page → Admin username | What you set at creation
Password | Set at creation. Reset via Settings → Reset password | (not retrievable)

Quick steps

  1. Log in at portal.azure.com
  2. Search for "Azure Database for PostgreSQL servers"
  3. Click your server name
  4. On the Overview page: copy the Server name (this is your host) and note the Admin username
  5. Click Connection strings in the left sidebar for pre-built connection strings
  6. Password is what you set during creation; reset via Settings → Reset password if needed

Azure Flexible Server uses port 5432 for direct connections and 6432 for the built-in PgBouncer pooler.

Google Cloud SQL for PostgreSQL

Field | Where to Find | Default
Server (Host) | Overview → Connect to this instance → Public/Private IP | IP address (e.g., 34.x.x.x)
Port | Not prominently displayed; always default | 5432
Database | Databases tab in left sidebar | postgres
Schema | Not in console; default is public | public
User | Users tab in left sidebar | postgres
Password | Users tab → three-dot menu → Change password | Set at creation or via Users tab

Quick steps

  1. Log in at console.cloud.google.com
  2. Navigate to SQL from the left sidebar
  3. Click your PostgreSQL instance name
  4. Overview page → under "Connect to this instance," copy the Public IP address
  5. Click Databases in the left sidebar to see available databases
  6. Click Users to see usernames; use the three-dot menu to change/reset a password
  7. Port is always 5432

Google recommends using the Cloud SQL Auth Proxy for production connections. For Chion, direct IP + SSL works for initial setup.

Neon

Field | Where to Find | Default
Server (Host) | Connect modal → displayed in connection string | ep-<name>-<id>.us-east-2.aws.neon.tech
Port | Connect modal | 5432
Database | Connect modal · selectable dropdown | neondb
Schema | Not in UI; default is public | public
User (Role) | Connect modal · selectable dropdown | neondb_owner
Password | Shown in the connection string in the Connect modal | (always visible in modal)

Quick steps

  1. Log in at console.neon.tech
  2. Select your project
  3. Click the Connect button on the Project Dashboard
  4. The "Connect to your database" modal opens
  5. Select your Branch, Compute, Database, and Role from dropdowns
  6. All connection parameters including password are displayed in the connection string
  7. Toggle Connection pooling on/off to switch between pooled and direct connections

Password is always visible in the Connect modal; no need to reset.

Supabase

Field | Where to Find | Default
Server (Host) | Connect → View parameters under "Direct connection" | db.<project-ref>.supabase.co
Port | Same panel · Direct: 5432, Transaction pooler: 6543 | 5432
Database | Same panel | postgres
Schema | Not shown in UI; default is public | public
User | Same panel | postgres
Password | Set at project creation. Reset in Settings → Database | (not displayed after creation)

Quick steps

  1. Log in at supabase.com/dashboard
  2. Select your project
  3. Click the Connect button at the top of the page
  4. Click "View parameters" under the Direct connection string
  5. All fields (host, port, database, user) are displayed individually
  6. Password must be the one you set at project creation (or reset it in Settings → Database)

Universal defaults

Standard PostgreSQL connection parameters.

Port: 5432
Database: postgres
Schema: public
SSL Mode: require (recommended for all cloud providers)

How Chion compares

Architectural constraints, not configuration options.

Most text-to-SQL tools accept a database connection and generate queries. Chion goes further: every generated query passes through a multi-stage SQL validator (L1 enforces read-only SELECT at the syntax level, L2 applies mode-based restrictions) before execution. Credentials never leave the AES-256-GCM vault except inside the edge function for a single query's duration. Result sets are capped at 1,000 rows or 12,000 cells. Row-level security policies are honored on every query, and the language model never sees raw row data, only schema metadata and aggregated results. These are architectural constraints, not configuration options.

Connection string reference

Where each field lives in a standard Postgres connection string.

Generic PostgreSQL URI

postgres://<user>:<password>@<host>:<port>/<database>?sslmode=require

Neon

postgres://neondb_owner:REDACTED@ep-cool-forest-123456.us-east-2.aws.neon.tech/neondb?sslmode=require

Supabase (direct connection, port 5432)

postgres://postgres:REDACTED@db.abcdefghijklmnop.supabase.co:5432/postgres?sslmode=require

Supabase (transaction pooler, port 6543)

postgres://postgres.abcdefghijklmnop:REDACTED@aws-0-us-east-1.pooler.supabase.com:6543/postgres?sslmode=require

Amazon RDS for PostgreSQL

postgres://postgres:REDACTED@my-db.c9akciq32.us-east-1.rds.amazonaws.com:5432/postgres?sslmode=require

All passwords above are redacted. Chion stores your password encrypted in Supabase Vault (AES-256-GCM); it is never logged, never shown in the UI after save, and never sent to the language model.

Schema discovery query

List all available schemas after connecting.

SELECT schema_name 
FROM information_schema.schemata 
WHERE schema_name NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
ORDER BY schema_name;

Troubleshooting common PostgreSQL connection errors

Solutions for the most frequent connection issues.

ERROR: permission denied for relation X

Your role can CONNECT to the database but not read the table. Grant SELECT on the specific relation and set default privileges so newly-created tables are readable too:

GRANT SELECT ON TABLE schema.relation TO chion_read;
ALTER DEFAULT PRIVILEGES IN SCHEMA schema
  GRANT SELECT ON TABLES TO chion_read;

SSL connection required or no pg_hba.conf entry for host

Chion connects with sslmode=require. On managed Postgres (Neon, Supabase, RDS, GCP, Azure), SSL is always enabled; if you still see this error, check your IP allowlist.

Connection timeout or connection refused on port 5432

The port is not reachable. Check that your firewall or cloud security group allows inbound connections on 5432 from the public internet. On AWS RDS, edit the security group associated with your DB instance. On GCP Cloud SQL, add an authorized network.

Pooler port mismatch

If you see connection errors with a pooled endpoint, check the port. Supabase transaction pooler is port 6543. Azure PostgreSQL Flexible Server's built-in PgBouncer is port 6432. Direct PostgreSQL is always 5432.

database "X" does not exist

You entered the wrong database name. Default names vary by provider: postgres on RDS, Azure, GCP, and Supabase; neondb on Neon. Check your provider's dashboard or run \l inside psql to list databases.

FATAL: too many connections for role

Your role or database has hit the connection limit. Chion uses a small connection pool, so if you see this error it is usually another process. For Neon, check the compute's max connections setting. For RDS, check the max_connections parameter. For Supabase, switch to the transaction pooler on port 6543 instead of the direct 5432 endpoint.

Your credentials are encrypted

All connection credentials are encrypted with AES-256-GCM and stored in an isolated vault. Chion connects with read-only permissions. No INSERT, UPDATE, or DELETE is ever possible. PostgreSQL's row-level security policies apply to every query: Chion connects via your read-only role; your RLS policies decide what that role can see. The LLM never sees raw rows, only metadata and aggregated results.
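
Because the row-level security guarantee depends on which role connects, the following added example (not Chion's own code) shows a policy scoped to chion_read and the catalog checks that reveal when policies would be skipped. The table, policy and view names are hypothetical, the rows are constructed, and the role is the chion_read role from step 1.

```sql
-- Added example, not Chion's own code. Table, policy and view names are
-- hypothetical and the rows are constructed. Assumes chion_read from step 1.
CREATE TABLE public.orders_demo (
  id     bigint  PRIMARY KEY,
  region text    NOT NULL,
  amount numeric NOT NULL
);
INSERT INTO public.orders_demo VALUES (1, 'eu', 10), (2, 'us', 20), (3, 'eu', 30);
GRANT SELECT ON public.orders_demo TO chion_read;

-- With RLS enabled and no matching policy, a non-owner role sees zero rows.
ALTER TABLE public.orders_demo ENABLE ROW LEVEL SECURITY;
CREATE POLICY chion_read_eu_only ON public.orders_demo
  FOR SELECT TO chion_read
  USING (region = 'eu');

-- In a session logged in as chion_read this returns ids 1 and 3 only:
--   SELECT id, region FROM public.orders_demo ORDER BY id;

-- Policies are skipped for superusers, roles with BYPASSRLS, and the table
-- owner (unless FORCE ROW LEVEL SECURITY is set). Connecting with an owner
-- or admin login instead of chion_read therefore returns all three rows.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
WHERE c.oid = 'public.orders_demo'::regclass;

-- Views run with their owner's privileges by default, so a view owned by the
-- table owner exposes every row to chion_read. On PostgreSQL 15 and later,
-- security_invoker makes the view apply the caller's policies instead.
CREATE VIEW public.orders_demo_totals
  WITH (security_invoker = true) AS
  SELECT region, sum(amount) AS total
  FROM public.orders_demo
  GROUP BY region;
GRANT SELECT ON public.orders_demo_totals TO chion_read;

-- Tables readable by chion_read that have no RLS at all: review each one.
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity
  AND has_table_privilege('chion_read'::name, c.oid, 'SELECT');
```

Materialized views store rows computed as their owner and cannot carry row-level security policies of their own, so treat any materialized view granted to chion_read as fully visible to it.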

Frequently asked questions

Which PostgreSQL versions does Chion support?
Chion supports PostgreSQL 12 through 17. No server-side extensions are required; standard tables, views, and materialized views are queryable out of the box. PostgreSQL 11 and earlier are end-of-life upstream and not actively tested.
Is my PostgreSQL connection secure?
Yes. Credentials are wrapped in an AES-256-GCM envelope and stored in Supabase Vault. All traffic uses sslmode=require. Every generated query passes through the L1 read-only SELECT validator and the L2 mode-based validator before execution: INSERT, UPDATE, DELETE, DROP, and TRUNCATE are rejected at validation. Result sets are capped at 1,000 rows or 12,000 cells. Errors are stripped of DSN and JWT material before reaching the client.
Does Chion support PostgreSQL read replicas?
Yes. Chion only issues read queries, so a read replica endpoint is a perfect fit. Point Chion at the replica's host and your primary stays untouched.
Does Chion work with PgBouncer?
Yes. Chion's query pattern is compatible with PgBouncer's transaction pooling mode. For Supabase, use the transaction pooler at port 6543. For Azure Database for PostgreSQL Flexible Server, use the built-in PgBouncer on port 6432.
Does Chion work with PostgreSQL extensions like PostGIS, pgvector, or TimescaleDB?
Extension tables and views are queryable the same as any other relation. Extension-specific functions (ST_Distance, vector similarity operators, time_bucket) are not in Chion's function allowlist; to use them, create a materialized view or a standard view that precomputes the result, and Chion can query the view.
How does Chion differ from other text-to-SQL tools?
Chion enforces a multi-stage SQL validator (L1 read-only SELECT, L2 mode-based) at the edge function layer, caps results at 1,000 rows or 12,000 cells, stores credentials in an AES-256-GCM vault, and honors Postgres row-level security policies on every query. The language model never sees row data, only schema metadata and aggregated results.
Do I need a superuser or owner role for Chion?
No. A plain read-only role with CONNECT, USAGE on the schema, and SELECT on the tables you want to query is sufficient. Chion never needs write privileges.
Which managed PostgreSQL hosts does Chion support?
Chion connects to Amazon RDS for PostgreSQL, Azure Database for PostgreSQL, Google Cloud SQL for PostgreSQL, Neon, and Supabase.

Ready to connect?

Open Chion, enter your credentials, and start asking questions in plain English.