Best database MCP servers

Database MCP servers expose schemas as Resources and queries as Tools over JSON-RPC 2.0. A client like Claude Code or Cursor reads the schema, drafts a query, and sends it back through the server. The auth-token risk that any database integration carries applies here too, with the added surface of schema text entering the model context.

Common servers worth knowing

  • Postgres MCP server. Streams table and column metadata as Resources; exposes query and (in write-enabled variants) execute as Tools. Connection string lives in env vars or a config file on the host.
  • BigQuery MCP server. Authenticates via Google service account or ADC. Lists datasets and tables as Resources, runs SQL as a Tool. Token caching on disk follows standard gcloud conventions.
  • Supabase MCP server. Uses the project anon or service-role key. Schema introspection covers tables, views, and RLS policies. The service-role key bypasses row-level security; scope it deliberately.
  • Snowflake MCP server. OAuth or key-pair auth. Warehouse and role scoping happens at the connection level, before the server hands the model any schema text.
  • MySQL MCP server. Connection string with username, password, host. Same shape as Postgres at the protocol level; differences live in SQL dialect and permission grants.

The MCP Toolbox for Databases is a separate Google-published project that fronts several database backends behind one MCP server, with declarative tool definitions. Useful when an agent needs to query across heterogeneous stores.

The risk profile

A database MCP server runs either as a local process speaking stdio or as a remote endpoint over HTTP. Either way, three credential paths matter:

  • Plain-text credentials in env vars or config files. A compromised server process reads them directly. The same threat model as npm install applies (see CVE-2025-6514 for the mcp-remote pre-auth RCE case).
  • OAuth tokens for hosted databases. BigQuery, Snowflake, and Supabase service-role flows cache tokens on disk. Token theft equals database access until rotation.
  • Schema text entering the model context. Column names, table comments, and view definitions get streamed as Resources. If a column comment contains an injection payload, it reaches the client's prompt at session start.

What the trust score reads

  • Schema-streaming pattern. Does the server stream schema metadata without echoing the raw connection string into Resources or Tools output? Servers that leak credentials into model-visible content fail this check.
  • Permission scoping. Is a read-only mode available? Are write tools gated behind a separate capability that the client must explicitly approve? Servers that default to write access score lower.
  • Version pinning. Install configs that pin a specific version or commit hash defeat the rug-pull pattern; floating latest tags do not.
  • Publisher provenance. Maintainer track record, repository signals, and any incident history feed the composite score.
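The first three checks above can be mechanised against a server's install config and a captured schema Resource. The script below is an added example, not part of this directory or any listed server; the config field names (args, env, readOnly) and the sample Resource text are constructed assumptions about a typical npx-launched entry.

```python
import json
import re

# Constructed sample of one MCP client server entry; the key names (args, env,
# readOnly) are assumptions, not any particular client's documented format.
SAMPLE_SERVER = json.loads("""{
  "command": "npx",
  "args": ["-y", "@example/postgres-mcp@latest"],
  "env": {"DATABASE_URL": "postgres://app:s3cret@db.internal:5432/prod"},
  "readOnly": false
}""")

# Constructed text of a schema Resource as a careless server might stream it.
SAMPLE_RESOURCE = (
    "table users(id integer, email text)\n"
    "-- connection: postgres://app:s3cret@db.internal:5432/prod\n"
)

# scheme://user:password@host...  A user:password pair in a URL is a leaked secret.
CONN_STRING = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@\S+", re.I)
# Exact semver or a commit hash counts as pinned; anything else (latest, ^1, next) does not.
PINNED_SUFFIX = re.compile(r"^(\d+\.\d+\.\d+|[0-9a-f]{7,40})$")

def pin_status(args):
    """Classify the package spec in an npx-style arg list: pinned, floating or unpinned."""
    specs = [a for a in args if not a.startswith("-")]
    if not specs:
        return "unpinned"
    name = specs[0]
    at = name.rfind("@")
    if at <= 0:                       # no version part (a leading '@' is just the scope)
        return "unpinned"
    return "pinned" if PINNED_SUFFIX.match(name[at + 1:]) else "floating"

def leaks_credentials(resource_text, env):
    """True if a user:password URL, or an env value holding one, appears in Resource text."""
    if CONN_STRING.search(resource_text):
        return True
    return any(v and v in resource_text and CONN_STRING.search(v) for v in env.values())

def audit_server(server, resource_text):
    """Apply the schema-streaming, permission-scoping and version-pinning checks."""
    findings = []
    if leaks_credentials(resource_text, server.get("env", {})):
        findings.append("credential leaked into schema resource")
    if pin_status(server.get("args", [])) != "pinned":
        findings.append("version not pinned")
    if not server.get("readOnly", False):
        findings.append("write tools enabled by default")
    return findings

if __name__ == "__main__":
    for finding in audit_server(SAMPLE_SERVER, SAMPLE_RESOURCE):
        print("FAIL:", finding)
```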