diff --git a/Makefile b/Makefile
index b5f62fa20..42660e8d9 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ CMAKE_BIN:=cmake
 SKIP_CLEANUP_DOCKER:=
-CMAKE_FLAGS:=-DCC_FLAGS="-Wextra -Wstrict-aliasing" -DUSE_SCRAM=NO
+CMAKE_FLAGS:=-DCC_FLAGS="-Wextra -Wstrict-aliasing" -DUSE_SCRAM=YES
 BUILD_TYPE=Release
 COMPILE_CONCURRENCY=8
diff --git a/config-examples/odyssey-dev-no-ldap.conf b/config-examples/odyssey-dev-no-ldap.conf
index 1fa72da95..66b13128c 100644
--- a/config-examples/odyssey-dev-no-ldap.conf
+++ b/config-examples/odyssey-dev-no-ldap.conf
@@ -88,6 +88,36 @@ database default {
 }
 database "postgres" {
+ user "user_aq" {
+ authentication "scram-sha-256"
+# password "passwd"
+ auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
+ auth_query_user "reshke"
+ auth_query_db "postgres"
+
+ storage "postgres_server"
+# storage_password "1"
+ pool "session"
+ pool_size 1
+
+ pool_timeout 0
+
+ pool_ttl 60
+
+ pool_discard no
+
+ pool_cancel yes
+
+ pool_rollback yes
+
+ client_fwd_error yes
+
+ application_name_add_host yes
+ server_lifetime 3600
+ log_debug no
+ quantiles "0.99,0.95,0.5"
+ client_max 107
+ }
 user "user1" {
 authentication "clear_text"
 password "passwd"
diff --git a/documentation/configuration.md b/documentation/configuration.md
index fa6385d8b..84c01e908 100644
--- a/documentation/configuration.md
+++ b/documentation/configuration.md
@@ -444,7 +444,7 @@ auth_common_name "test"
 Enable remote route authentication. Use some other route to authenticate clients following this logic:
-Use selected 'auth\_query_db' and 'auth\_query\_user' to match a route.
+Use selected 'auth\_query\_db' and 'auth\_query\_user' to match a route.
 Use matched route server to send 'auth\_query' to get username and password needed to authenticate a client.
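Review bot: The new `user_aq` route runs `auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"` as `auth_query_user "reshke"`, and pg_shadow is not readable by ordinary roles, so the example only works if the pooler's lookup role is a superuser or has been granted SELECT on every password verifier in the cluster. Even in a dev example a comment should point at the narrower pattern, e.g. `# auth_query_user should only have EXECUTE on a SECURITY DEFINER function returning (usename, passwd) for one user; do not use a superuser here`. Whether `$1` is bound as a protocol parameter or spliced into the query text is not visible from this file; if it is textual, the client-supplied username reaches SQL and must be validated on the C side. The commented-out `# password "passwd"` and `# storage_password "1"` lines are dead config in an example and are better dropped than left as hints to put secrets in the file.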
@@ -482,8 +482,8 @@ Set remote server to use. By default route database and user names are used as connection parameters to remote server. It is possible to override this values
-by specifying 'storage_db' and 'storage_user'. Remote server password
-can be set using 'storage_password' field.
+by specifying 'storage\_db' and 'storage\_user'. Remote server password
+can be set using 'storage\_password' field.
 ```
 storage "postgres_server"
diff --git a/sources/auth.c b/sources/auth.c
index 2325558c2..df7fa4bf0 100644
--- a/sources/auth.c
+++ b/sources/auth.c
@@ -125,6 +125,8 @@ static inline int od_auth_frontend_cleartext(od_client_t *client)
 if (client->rule->auth_query) {
 char peer[128];
 od_getpeername(client->io.io, peer, sizeof(peer), 1, 0);
+ od_debug(&instance->logger, "auth", client, NULL,
+ "running auth_query for peer %s", peer);
 rc = od_auth_query(client, peer);
 if (rc == -1) {
 od_error(&instance->logger, "auth", client, NULL,
diff --git a/sources/auth_query.c b/sources/auth_query.c
index 4c71e5cf5..912d957cc 100644
--- a/sources/auth_query.c
+++ b/sources/auth_query.c
@@ -73,6 +73,7 @@ static inline int od_auth_query_do(od_server_t *server, char *query,
 /* count */
 uint16_t count;
 rc = kiwi_read16(&count, &pos, &pos_size);
+
 if (kiwi_unlikely(rc == -1))
 goto error;
 if (count != 2)
@@ -81,8 +82,9 @@ static inline int od_auth_query_do(od_server_t *server, char *query,
 /* user (not used) */
 uint32_t user_len;
 rc = kiwi_read32(&user_len, &pos, &pos_size);
-if (kiwi_unlikely(rc == -1))
+if (kiwi_unlikely(rc == -1)) {
 goto error;
+}
 char *user = pos;
 rc = kiwi_readn(user_len, &pos, &pos_size);
 if (kiwi_unlikely(rc == -1))
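Review bot: The added `od_debug` formats `peer` with `%s` immediately after `od_getpeername(client->io.io, peer, sizeof(peer), 1, 0);`, whose return value is not checked and whose NUL-termination on failure is not visible in this hunk; if it can fail without writing, the log reads an uninitialized 128-byte stack buffer. A cheap guard is to zero the buffer at declaration, `char peer[128] = { 0 };`, or to check the return before logging. The enclosing od_auth_frontend_cleartext starts and ends outside the hunk.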
@@ -93,12 +95,26 @@ static inline int od_auth_query_do(od_server_t *server, char *query,
 /* password */
 uint32_t password_len;
 rc = kiwi_read32(&password_len, &pos, &pos_size);
+
+ if (password_len == -1) {
+ result->password = NULL;
+ result->password_len = password_len + 1;
+
+ od_debug(
+ &instance->logger, "auth_query",
+ server->client, server,
+ "auth_query returned empty password for user : %s",
+ user, result->password);
+ has_result = 1;
+ break;
+ }
 if (password_len > ODYSSEY_AUTH_QUERY_MAX_PASSSWORD_LEN) {
 goto error;
 }
 if (kiwi_unlikely(rc == -1))
 goto error;
+
 char *password = pos;
 rc = kiwi_readn(password_len, &pos, &pos_size);
 if (kiwi_unlikely(rc == -1))
diff --git a/sources/scram.h b/sources/scram.h
index 908b3f224..e625f0e79 100644
--- a/sources/scram.h
+++ b/sources/scram.h
@@ -1,7 +1,7 @@
 #ifndef ODYSSEY_SCRAM_H
 #define ODYSSEY_SCRAM_H
-#if PG_VERSION_NUM >= 120000
+#if PG_VERSION_NUM >= 130000
 #define od_b64_encode(src, src_len, dst, dst_len) \
 pg_b64_encode(src, src_len, dst, dst_len);
 #define od_b64_decode(src, src_len, dst, dst_len) \
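Review bot: The new `if (password_len == -1)` branch runs before the `if (kiwi_unlikely(rc == -1)) goto error;` that follows it, so on a short read the comparison uses a `password_len` that `kiwi_read32` never wrote and the branch can fire with `has_result = 1`; the `rc` check belongs directly after the read. The comparison pits an `int` literal against a `uint32_t` (warned by the `-Wextra` this repo builds with) and `password_len + 1` relies on unsigned wraparound to yield 0, which is clearer written as `result->password_len = 0;`. The `od_debug` passes two arguments for one `%s`, and `user` points into the wire buffer for `user_len` bytes with no NUL terminator (it was taken with `kiwi_readn` in the hunk above), so `%s` over-reads it into the log; `%.*s` with `(int)user_len` fixes both. A SQL NULL `passwd` now produces a successful lookup with `result->password == NULL`; presumably the caller must refuse the login rather than compare against an empty password, but the caller is outside this hunk and worth checking. od_auth_query_do begins and ends outside the hunk.
```c
	rc = kiwi_read32(&password_len, &pos, &pos_size);
	if (kiwi_unlikely(rc == -1))
		goto error;

	/* SQL NULL: the role has no password; the caller must reject, not match "" */
	if (password_len == (uint32_t)-1) {
		result->password = NULL;
		result->password_len = 0;

		od_debug(&instance->logger, "auth_query", server->client, server,
			 "auth_query returned NULL password for user: %.*s",
			 (int)user_len, user);
		has_result = 1;
		break;
	}
	/* … unchanged: max-length check and password read … */
```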