Quick answer

A Neon connection string is built from four things: the role name, the role password, the compute hostname, and the database name. The hostname and database name don't rotate. The password does. So "rotate the connection string" means reset the role's password, copy the new connection string from the Connect modal, and roll it out to every place it's stored.

What the connection string looks like

A standard Neon connection string has this shape:

postgresql://alex:AbC123dEf@ep-cool-darkness-a1b2c3d4-pooler.us-east-2.aws.neon.tech/dbname?sslmode=require&channel_binding=require

The password is the only segment that changes when you rotate. See Connect from any application for the full breakdown.

Reset the password and copy the new string

  1. Open the Neon Console and select your project.
  2. Go to Branches and select the branch.
  3. On the Roles & Databases tab, choose Reset password from the role's menu.
  4. Copy the new password from the confirmation modal.
  5. Back on the Project Dashboard, click Connect to copy the updated connection string.

See Reset a password.

Update environment variables

The new connection string needs to land in every place that holds the old one before clients can reconnect:

  • Vercel: Project Settings → Environment Variables for each environment, then redeploy. If you use the Neon Vercel integration, the integration can push rotated values for you.
  • Render, Fly, Railway: their dashboard's environment variables UI, followed by a restart.
  • GitHub Actions, GitLab CI: repository or organization secrets.
  • Secret managers: update the secret, then trigger a reload in any service that caches it.
  • Local .env files: notify your team to pull the new value.
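An added example, not part of the Neon docs: a small Python helper that swaps only the password segment of a connection string (percent-encoding it), produces a redacted form for logs, and lists which stored copies still carry the old password. The new password, the store names and the helper function names are constructed for illustration; the connection string shape is the one shown above.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Shape taken from the example string on this page; the new password is constructed.
OLD = ("postgresql://alex:AbC123dEf@ep-cool-darkness-a1b2c3d4-pooler"
       ".us-east-2.aws.neon.tech/dbname?sslmode=require&channel_binding=require")


def swap_password(conn_str, new_password):
    """Return conn_str with only the password segment replaced."""
    parts = urlsplit(conn_str)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or not userinfo:
        raise ValueError("connection string has no role@host part")
    role = userinfo.split(":", 1)[0]
    # Percent-encode so characters such as '/', '@' or ':' cannot break the URL.
    netloc = f"{role}:{quote(new_password, safe='')}@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc))


def password_of(conn_str):
    """Decoded password from a connection string, or None if absent."""
    raw = urlsplit(conn_str).password
    return None if raw is None else unquote(raw)


def redact(conn_str):
    """Same string with the password masked, suitable for logs."""
    return swap_password(conn_str, "REDACTED")


def _target(conn_str):
    p = urlsplit(conn_str)
    return (p.username, p.hostname, p.port, p.path)


def stale_targets(stores, current):
    """Names of stores holding the same role/host/database with a different password."""
    return sorted(
        name for name, value in stores.items()
        if _target(value) == _target(current)
        and password_of(value) != password_of(current)
    )


if __name__ == "__main__":
    new = swap_password(OLD, "n3w/p@ss:word")
    stores = {"vercel-production": new, "ci-secret": OLD}  # constructed inventory
    print(redact(new))
    print("still on old password:", stale_targets(stores, new))
```

Log only the redacted form; the stale list shows which targets will fail to authenticate on their next new connection.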

New connections need the new password

Existing open sessions stay connected, but any new connection attempt with the old password fails. Roll out the new value to your deploy targets before (or right after) you reset, so reconnects don't fail to authenticate.

When you need to keep the old connection string working

If you can't change every consumer at once, create a second Postgres role with its own password, point new consumers at it, and drop the old role only after you've confirmed nothing still uses it. See the alternative approach in How do I rotate my database URL or connection string?

Build connection-string rotation into your workflow

The Neon API and CLI make it easy to automate password rotation on a schedule.