Managing Connections

  • how-to
    This section describes how to connect the Node.js SDK to a Couchbase cluster. It contains best practices as well as information on TLS/SSL and other advanced connection options.

    Connecting to a Cluster

    A connection to a Couchbase Server cluster is represented by a Cluster object. A Cluster provides access to Buckets, Scopes, and Collections, as well as various Couchbase services and management interfaces. The simplest way to create a Cluster object is to call couchbase.connect with a username and password:

    const cluster = await couchbase.connect('couchbase://localhost', {
      username: 'Administrator',
      password: 'password',
    })

    If you are connecting to a version of Couchbase Server older than 6.5, it will be more efficient if the addresses are those of data (KV) nodes. In any case, with 6.0 and earlier you will need to open a Bucket instance before connecting to any other HTTP services (such as Query or Search).

    Connection String options are covered in the API guide.

    In a production environment, your connection string should include the addresses of multiple server nodes in case some are currently unavailable. Multiple addresses may be specified in a connection string by delimiting them with commas:

    cluster = await couchbase.connect(
      // node1/node2.example.com are placeholder hostnames
      'couchbase://node1.example.com,node2.example.com',
      { username: 'Administrator', password: 'password' })

    You don’t need to include the address of every node in the cluster. The client fetches the full address list from the first node it is able to contact.

    Connection Strings

    The backend implementation of connection string parameters changed substantially in 4.0 and is not currently fully documented. This will be resolved in a future 4.x release. See more details on migrating to 4.0.

    A Couchbase connection string is a comma-delimited list of IP addresses and/or hostnames, optionally followed by a list of parameters.

    The parameter list is just like the query component of a URI; name-value pairs have an equals sign (=) separating the name and value, with an ampersand (&) between each pair. Just as in a URI, the first parameter is prefixed by a question mark (?).

    Simple connection string with one seed node
    Connection string with two seed nodes
    Connection string with two parameters

    The full list of recognized parameters is documented in the client settings reference.

    A connection string may optionally be prefixed by either "couchbase://" or "couchbases://". If you wish to use TLS, the connection string must be configured as described in Secure Connections.
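
    A connection string in this format can be parsed and checked before it is handed to couchbase.connect. The following is an added example, not SDK code: parseConnStr, lintConnStr and the finding names are hypothetical, a string with no scheme prefix is assumed to be non-TLS, and 11210 is the default unencrypted port named later on this page.

```javascript
// Added example, not SDK code: parse and lint a Couchbase connection string.
// Assumption: a string with no scheme prefix is treated as non-TLS.
const PLAINTEXT_KV_PORT = 11210 // default unencrypted port named on this page

function parseConnStr(connStr) {
  const m = /^(?:([a-z]+):\/\/)?([^?]*)(?:\?(.*))?$/i.exec(connStr.trim())
  if (!m) throw new Error('malformed connection string')
  const scheme = m[1] ? m[1].toLowerCase() : null
  if (scheme && scheme !== 'couchbase' && scheme !== 'couchbases') {
    throw new Error(`unsupported scheme: ${scheme}`)
  }
  const hosts = m[2].split(',').filter(Boolean).map((entry) => {
    // host[:port][=type]; IPv6 literals are written in brackets
    const h = /^(\[[^\]]+\]|[^:=\[\]]+)(?::(\d+))?(?:=(\w+))?$/.exec(entry.trim())
    if (!h) throw new Error(`malformed host entry: ${entry}`)
    return { host: h[1], port: h[2] ? Number(h[2]) : null, type: h[3] || null }
  })
  if (hosts.length === 0) throw new Error('no seed nodes in connection string')
  // The parameter list uses URI query syntax, so URLSearchParams can read it.
  const params = Object.fromEntries(new URLSearchParams(m[3] || ''))
  return { scheme, tls: scheme === 'couchbases', hosts, params }
}

function lintConnStr(connStr) {
  const cs = parseConnStr(connStr)
  const findings = []
  // Traffic is only encrypted with the couchbases:// scheme.
  if (!cs.tls) findings.push('no-tls')
  // A TLS scheme pointed at the plaintext port is a likely misconfiguration.
  if (cs.tls && cs.hosts.some((h) => h.port === PLAINTEXT_KV_PORT)) {
    findings.push('plaintext-port-with-tls-scheme')
  }
  // One seed node with DNS SRV disabled leaves no fallback if that node is down.
  if (cs.hosts.length === 1 && cs.params.dnssrv === 'off') {
    findings.push('single-seed-no-srv')
  }
  return { ...cs, findings }
}

// Constructed sample inputs (example.com hostnames are placeholders).
for (const s of [
  'couchbase://localhost:1234,localhost:2345=http?network=external&timeout=10.0',
  'couchbases://db1.example.com,db2.example.com',
  'couchbases://db1.example.com:11210?dnssrv=off',
]) {
  console.log(s, '->', lintConnStr(s).findings)
}
```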

    Connection Lifecycle

    We recommend creating a single Cluster instance when your application starts up, and sharing this instance throughout your application. Each of the respective sub-instances (Bucket, Collection, etc.) of the Cluster class can be stored and re-used, or created in an on-demand fashion whenever needed.

    Before your application stops, gracefully shut down the client by calling the close() method of each Cluster you created.

    Alternate Addresses and Custom Ports

    If your Couchbase Server cluster is running in a containerized, port mapped, or otherwise NAT’d environment like Docker or Kubernetes, a client running outside that environment may need additional information in order to connect to the cluster. Both the client and server require special configuration in this case.

    On the server side, each server node must be configured to advertise its external address as well as any custom port mapping. This is done with the setting-alternate-address CLI command introduced in Couchbase Server 6.5. A node configured in this way will advertise two addresses: one for connecting from the same network, and another for connecting from an external network.

    On the client side, the externally visible ports must be used when connecting. If the external ports are not the default, you can specify custom ports by explicitly specifying them in the connection string:

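    // Connection string as in the cbc connstr example below.
    cluster = await couchbase.connect(
      'couchbase://localhost:1234,localhost:2345=http?network=external&timeout=10.0',
      { username: 'Administrator', password: 'password' })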

    To verify how the connection string is being deconstructed by the library, our C SDK’s cbc connstr may also be used:

    $ cbc connstr 'couchbase://localhost:1234,localhost:2345=http?network=external&timeout=10.0'
    Implicit port: 11210
    Boostrap Protocols: CCCP,HTTP
      [memcached]         localhost:1234
      [restapi]           localhost:2345

    In many cases the client is able to automatically select the correct set of addresses to use when connecting to a cluster that advertises multiple addresses.

    If the detection heuristic fails in your environment, you can override it by setting the network client setting to default if the client and server are on the same network, or external if they’re on different networks.

    Any TLS certificates must be set up at the point where the connections are being made.

    Secure Connections

    Couchbase Server Enterprise Edition and Couchbase Capella support full encryption of client-side traffic using Transport Layer Security (TLS). This includes key-value type operations, queries, and configuration communication. Make sure you have the Enterprise Edition of Couchbase Server, or a Couchbase Capella account, before proceeding with configuring encryption on the client side.

    • Couchbase Capella

    The Node.js SDK bundles Capella’s standard root certificate by default. This means you don’t need any additional configuration to enable TLS; simply use couchbases:// in your connection string.

    Capella’s root certificate is not signed by a well known CA (Certificate Authority). However, as the certificate is bundled with the SDK, it is trusted by default.

    • Couchbase Server

    As of SDK 4.2, if you connect to a Couchbase Server cluster with a root certificate issued by a trusted CA (Certificate Authority), you no longer need to configure this in the SecurityConfig settings.

    The cluster’s root certificate just needs to be issued by a CA whose certificate is in your OpenSSL trust store. This can include publicly trusted CAs (e.g., GoDaddy, Verisign, etc.), plus any other CA certificates that you wish to add. The Node.js SDK uses Couchbase++ internally to retrieve the root CAs.

    Couchbase++ loads your root CA store using OpenSSL. Depending on your Node installation, certificates might not be in the CA store by default. You might need to set the SSL_CERT_DIR or SSL_CERT_FILE environment variable to the directory or root CA store file that Couchbase++ uses to retrieve root CAs.

    You can still provide a certificate explicitly if necessary:

    1. Get the CA certificate from the cluster and save it in a text file.

    2. Enable encryption on the client side and point it to the file containing the certificate.

    It is important to make sure you are transferring the certificate in an encrypted manner from the server to the client side, so either copy it through SSH, or through a similar secure mechanism.

    If you are running on localhost and just want to enable TLS for a development machine, just copying and pasting it suffices — so long as you use rather than localhost in the connection string. This is because the certificate will not match the name localhost.

    Navigate in the admin UI to Settings > Cluster and copy the contents of the TLS certificate input box into a file on your machine (which we will refer to as cluster.cert). It looks similar to this:

    -----END CERTIFICATE-----

    The next step is to enable encryption and pass it the path to the certificate file (note the connection string scheme is couchbases:// rather than the non-TLS couchbase://). Additionally, you need to provide your username and password:

    cluster = await couchbase.connect('couchbases://localhost', {
      trustStorePath: '/path/to/ca/certificates.pem',
      username: 'Administrator',
      password: 'password',
    })

    If you want to verify it’s actually working, you can use a tool like tcpdump. For example, an unencrypted upsert request looks like this (using sudo tcpdump -i lo0 -A -s 0 port 11210):


    After enabling encryption, you cannot inspect the traffic in cleartext (same upsert request, but watched on port 11207 which is the default encrypted port):

    ..... ...xuG.O=.#.........?.Q)8..D...S.W.4.-#....@7...^.Gk.4.t..C+......6..)}......N..m..o.3...d.,.     ...W.....U..

    Using DNS SRV records

    As an alternative to specifying multiple hosts in your program, you can get the actual bootstrap node list from a DNS SRV record. The following steps are necessary to make it work:

    1. Set up your DNS server to respond properly to a DNS SRV request.

    2. Enable it on the SDK and point it towards the DNS SRV entry.

    Your DNS server should be set up like this (one row for each bootstrap node):

      3600  IN  SRV  0  0  11210
      3600  IN  SRV  0  0  11210
      3600  IN  SRV  0  0  11210

    The ordering, priorities, and weighting are completely ignored and should not be set on the records to avoid ambiguities.

    If you plan to use secure connections, you use _couchbases instead:

      3600  IN  SRV  0  0  11207
      3600  IN  SRV  0  0  11207
      3600  IN  SRV  0  0  11207

    The Node.js SDK always tries to use the SRV records if the connection string contains a single hostname and the feature is not disabled explicitly with the connection string option dnssrv=off.

    In case of successful resolution, a message like this will be written at the INFO level of the debug logs:

    44ms [I4ebdb48d23db23b6] {10474} [INFO] (instance - L:219) Found host via DNS SRV

    If the DNS SRV records could not be loaded properly you’ll get an exception logged and the given hostname will be used as an A record lookup.

    81ms [If1e0caf208c1ff41] {11763} [INFO] (instance - L:202) DNS SRV lookup failed: LCB_ERR_UNKNOWN_HOST (1049). Ignore this if not relying on DNS SRV records

    Working in the Cloud

    For most use cases, connecting client software using a Couchbase SDK to the new Couchbase Capella service is similar to connecting to an on-premises Couchbase Cluster. The use of DNS-SRV, Alternate Address, and TLS is covered above.

    We strongly recommend that the client and server are in the same LAN-like environment (e.g. AWS Availability Zone). As this may not always be possible during development, read the guidance on working with constrained network environments. More details on connecting your client code to Couchbase Capella can be found in the Cloud docs.

    Troubleshooting Connections to Cloud

    Some DNS caching providers (notably, home routers) can’t handle a large SRV record. If you have DNS-SRV issues with such a set-up, reduce your DNS-SRV to only include three records (for development only, not production). Our Troubleshooting Cloud Connections page will help you to diagnose this and other problems, and introduces the SDK doctor tool.