When this parameter is greater than zero, the server will emit a WARNING upon successful password authentication if less than this amount of time remains until the authenticated role’s password expires.
At a glance
| Property | Value |
|---|---|
| Parameter | password_expiration_warning_threshold |
| Category | Connections and Authentication |
| Default | 7 |
| Value type | integer |
| Change scope | Reload (postgresql.conf, SIGHUP) |
| Available in | PostgreSQL 19 (added in 19) |
What it does
When this parameter is greater than zero, the server will emit a WARNING upon successful password authentication if less than this amount of time remains until the authenticated role’s password expires. Note that a role’s password only expires if a date was specified in a VALID UNTIL clause for CREATE ROLE or ALTER ROLE. If this value is specified without units, it is taken as seconds. The default is 7 days. This parameter can only be set in the postgresql.conf file or on the server command line.
(Description quoted from the official PostgreSQL documentation.)
How to apply a change
Set it in postgresql.conf (or with ALTER SYSTEM) and reload with SELECT pg_reload_conf(); or pg_ctl reload — no restart needed.
Inspect the current value and source with SHOW password_expiration_warning_threshold; or SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'password_expiration_warning_threshold';.
Tuning guidance
This is a connectivity or security setting, not a performance knob. Choose the value from your security and network requirements (TLS files, ciphers, keepalives, authentication behaviour) rather than for throughput, and verify it against your organization’s policy. Test changes in staging, because a wrong value here can lock clients out.
Reference
PostgreSQL documentation — password_expiration_warning_threshold.