invalid_authorization_specification no pg_hba.conf entry for replication connection from host “…” — 28000

Symptoms

A replication connection was rejected because no pg_hba.conf entry permits replication from that host/user. PostgreSQL raises SQLSTATE 28000 (invalid_authorization_specification).

• No matching replication rule in pg_hba.conf.
• Common when setting up a new standby.
• Replication needs its own HBA entries.

What the server log shows

FATAL:  no pg_hba.conf entry for replication connection from host "10.0.0.7", user "replicator", no encryption

Why PostgreSQL raises this — what the manual says

Section 20.1 The pg_hba.conf File:

“The value replication specifies that the tuple/" title="Tuple">record matches if a physical replication connection is requested, however, it doesn’t match with logical replication connections.”

Replication connections are matched against pg_hba.conf rules whose database field is replication. With no rule covering the standby’s host/user, PostgreSQL denies the connection with 28000.

Common causes

• Missing replication HBA entry for the standby host/user.
• The standby’s IP not covered by any rule.
• Forgetting to reload after editing pg_hba.conf.

How to fix it

1. Add a rule like host replication replicator 10.0.0.7/32 scram-sha-256.
2. Reload the configuration: SELECT pg_reload_conf();.
3. Verify the standby’s source IP matches the rule.

Related & next steps

• SQLSTATE 28000 — Invalid Authorization Specification (full reference)
• Message: no pg_hba.conf entry for host
• Glossary: pg_hba.conf

Reference: PostgreSQL 18 Section 21.1 “pg_hba.conf”.