SQLSTATE 28000 FATAL Class 28: Invalid Authorization Specification

invalid_authorization_specification role “…” is not permitted to log in — 28000

PostgreSQL error “role … is not permitted to log in — 28000” (SQLSTATE 28000): what it means, common causes, and how to fix it.

PG 9.6, 10, 11, 12, 13, 14, 15, 16, 17, 18 Official docs
Last reviewed Jun 2026 Grounded in source

Diagnostic Queries

Symptoms

A login attempt used a role that lacks the LOGIN attribute. PostgreSQL raises SQLSTATE 28000 (invalid_authorization_specification).

  • The role exists but has NOLOGIN.
  • Common with group roles used as login roles.
  • Only LOGIN roles can start sessions.

What the server log shows

FATAL:  role "readers" is not permitted to log in

Why PostgreSQL raises this — what the manual says

Section 21.2 Role Attributes:

“Only roles that have the LOGIN attribute can be used as the initial role name for a database connection.”

PostgreSQL distinguishes login roles (users) from group roles. A role without the LOGIN attribute cannot begin a session, so connecting as one is rejected with 28000.

Common causes

  • Connecting as a group role created with NOLOGIN.
  • A role’s LOGIN attribute was removed.
  • Confusing a group role with a user role.

How to fix it

  1. Grant login: ALTER ROLE readers LOGIN; if it should be a user.
  2. Connect as an actual login role that is a member of the group.
  3. Keep group roles NOLOGIN and use separate login users.

Related & next steps

Reference: PostgreSQL 18 Section 22.2 “Role Attributes”.

Was this helpful?