Quick answer
In Neon, "rotating a password" means resetting the password for the affected Postgres role. You can do this from the Neon Console (Branches → branch → Roles & Databases → Reset password), through the Neon API, or with an SQL ALTER USER statement. Neon generates a new password immediately and returns the updated connection string. Any new connection attempt using the old password will fail to authenticate.
Reset the password
Pick the interface that matches your workflow. The result is the same: a new password and a new connection string. Any client trying to reconnect with the old credential will fail to authenticate.
- Open the Neon Console and select your project.
- Go to Branches and select the branch where the role lives (usually production or main).
- On the Roles & Databases tab, open the role menu and choose Reset password.
- Confirm. Neon shows the new password once. Copy it.
- Click Connect on the Project Dashboard to copy the updated connection string.
See Reset a password for screenshots.
Update your applications
A new password produces a new connection string. Any process still using the old DATABASE_URL will fail to authenticate on its next connection attempt.
Update the connection string everywhere it's stored:
- Vercel, Render, Fly, Railway, or other deploy targets: project Environment Variables
- GitHub Actions or CI secrets
- Local .env files
- Secret managers (AWS Secrets Manager, Doppler, 1Password, etc.)
- Long-running workers, cron jobs, and background services
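One way to update a local .env file after a reset, as an added example that is not from Neon's documentation: it replaces only the password in each Postgres connection string that still carries the old one, percent-encoding the new value so characters such as @, : and / do not break the URI. The function names, host, role names and passwords are constructed placeholders.

```python
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# KEY=value with optional matching quotes, as commonly written in .env files.
ENV_LINE = re.compile(r"""^(?P<key>[A-Za-z_]\w*)=(?P<q>["']?)(?P<val>.*?)(?P=q)\s*$""")


def split_userinfo(url):
    """Return (parts, user, decoded_password, hostport) for a Postgres URI."""
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, raw_pw = userinfo.partition(":")
    return parts, user, unquote(raw_pw), hostport


def swap_password(url, new_password):
    """Replace only the password; percent-encode it so @ : / stay unambiguous."""
    parts, user, _, hostport = split_userinfo(url)
    netloc = f"{user}:{quote(new_password, safe='')}@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc))


def rotate_env(text, old_password, new_password):
    """Rewrite Postgres URIs that still use old_password; return (text, keys)."""
    out, updated = [], []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and m["val"].startswith(("postgres://", "postgresql://")):
            if split_userinfo(m["val"])[2] == old_password:
                line = f'{m["key"]}={m["q"]}{swap_password(m["val"], new_password)}{m["q"]}'
                updated.append(m["key"])
        out.append(line)  # every other line is kept exactly as it was
    return "\n".join(out) + "\n", updated


# Constructed sample: host, role names, and passwords are placeholders.
SAMPLE_ENV = (
    'DATABASE_URL="postgresql://app_user:old%40pw@db.example.invalid/neondb?sslmode=require"\n'
    "REPORTING_URL=postgresql://readonly:other-pw@db.example.invalid/neondb\n"
    "LOG_LEVEL=info\n"
)

if __name__ == "__main__":
    new_text, keys = rotate_env(SAMPLE_ENV, "old@pw", "N3w/p@ss:word")
    print("updated:", keys)  # key names only; never print the credential
```

Running rotate_env a second time with the old password should return an empty key list, which is a quick check that no stale copy remains in that file.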
Reconnects use the new password
Existing open sessions stay connected, but every new connection (or reconnect) must use the new password. Roll out the new value to your deployment platform first if you want to avoid authentication failures during the cutover.
If the leak might have exposed more than one role, see How do I rotate all my Neon database credentials after a breach?.








