PostgreSQL MCP Server
Enables AI-driven database administration, observability, and querying with support for schema management, SQL execution, JSONB operations, text processing, statistical analysis, query optimization, and extensions including pgvector, PostGIS, and pg_stat_statements.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@PostgreSQL MCP Servershow me the top 10 users by last login date"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
postgres-mcp
PostgreSQL MCP Server binding the Model Context Protocol to a secure PostgreSQL sandbox.
Features Code Mode — a revolutionary approach that provides access to all 248 tools through a secure, true V8 isolate (worker_threads), eliminating the massive token overhead of multi-step tool calls. Also includes schema introspection, migration tracking, smart tool filtering, deterministic error handling, connection pooling, HTTP/SSE Transport, OAuth 2.1 authentication, and extension support for citext, ltree, pgcrypto, pg_cron, pg_stat_kcache, pgvector, PostGIS, and HypoPG.
248 Specialized Tools · 23 Resources · 20 AI-Powered Prompts
Docker Hub • npm Package • MCP Registry • Wiki • Tool Reference • Changelog
🎯 What Sets Us Apart
Feature | Description |
Code Mode (V8 Isolate) | Massive Token Savings: Execute complex, multi-step operations inside a secure, true V8 isolate ( |
Deterministic Error Handling | No more cryptic database errors causing AI hallucinations. We intercept and translate raw SQL exceptions into clear, actionable advice so your agent knows exactly how to recover without guessing. |
248 Token-Optimized Tools | The largest PostgreSQL toolset on the MCP registry. Every query uses zero-cost token estimation and smart dataset truncation, ensuring agents always see the big picture without blowing their context windows. |
OAuth 2.1 + Granular Control | Real enterprise security. Authenticate via OAuth 2.1 and control exactly who can read, write, or administer your database with precision scopes mapped down to the specific tool layer. |
Audit Trails & Semantic Diffing | Total accountability. Track exactly what your AI is doing with detailed JSON logs, automatically snapshot schemas before mutations, and confidently review semantic row-by-row diffs before restoring data. |
23 Resources & 20 Prompts | Instant database meta-awareness. Agents automatically read real-time health, performance, and replication metrics, and can invoke built-in prompt workflows for query tuning and schema design. |
Introspection & Migrations | Prevent costly mistakes. Let your AI simulate the cascade impact of schema changes, safely order foreign-key updates, and track migration history automatically. |
8 Extension Ecosystems | Ready for advanced workloads. First-class API support for pgvector (AI search), PostGIS (geospatial), pg_cron, pgcrypto, and more—all strictly typed and validated out of the box. |
Smart Tool Filtering | Give your agent exactly what it needs without overflowing IDE limits. Dynamically compile your server with any combination of our 22 distinct tool groups. |
Enterprise Infrastructure | Built for production. Blazing fast (millions of ops/sec), protected against SQL injection, features high-performance connection pooling, and supports both Streamable HTTP and Legacy SSE protocols simultaneously. |
Suggested Rule (Add to AGENTS.md, GEMINI.md, etc)
MCP TOKEN MANAGEMENT:
Token Visibility: When interacting with
postgres-mcp, always monitor the_meta.tokenEstimate(ormetrics.tokenEstimatein Code Mode) returned in tool responses.Audit Resource: Use the
postgres://auditresource to review session-level token consumption and identify high-cost operations.Proactive Efficiency: If operations are consuming high token counts, prefer code mode and proactively use
limitparameters.
🚀 Quick Start
Prerequisites
PostgreSQL 12-18 (tested with PostgreSQL 18.1)
Docker (recommended) or Node.js 24+ (LTS)
Docker (Recommended)
docker pull writenotenow/postgres-mcp:latestAdd to your ~/.cursor/mcp.json or Claude Desktop config:
{
"mcpServers": {
"postgres-mcp": {
"command": "docker",
"args": [
"run",
"--rm",
"-i",
"-e",
"POSTGRES_HOST",
"-e",
"POSTGRES_PORT",
"-e",
"POSTGRES_USER",
"-e",
"POSTGRES_PASSWORD",
"-e",
"POSTGRES_DATABASE",
"writenotenow/postgres-mcp:latest",
"--tool-filter",
"codemode",
"--audit-log",
"/tmp/postgres-logs/audit.jsonl"
],
"env": {
"POSTGRES_HOST": "host.docker.internal",
"POSTGRES_PORT": "5432",
"POSTGRES_USER": "your_username",
"POSTGRES_PASSWORD": "your_password",
"POSTGRES_DATABASE": "your_database"
}
}
}
}Note for Docker: Use
host.docker.internalto connect to PostgreSQL running on your host machine.
📖 Full Docker guide: DOCKER_README.md · Docker Hub
npm
npm install -g @neverinfamous/postgres-mcp
postgres-mcp --transport stdio --postgres postgres://user:password@localhost:5432/databaseFrom Source
git clone https://github.com/neverinfamous/postgres-mcp.git
cd postgres-mcp
npm install
npm run build
node dist/cli.js --transport stdio --postgres postgres://user:password@localhost:5432/databaseDevelopment
See From Source above for setup. After cloning:
npm run lint && npm run typecheck # Run checks
npm run bench # Run performance benchmarks
node dist/cli.js info # Test CLI
node dist/cli.js list-tools # List available toolsBenchmarks
Run npm run bench to execute the performance benchmark suite (10 files, 93+ scenarios) powered by Vitest Bench. Use npm run bench:verbose for detailed table output.
Performance Highlights (Node.js 24, Windows 11):
Area | Benchmark | Throughput |
Tool Dispatch | Map.get() single tool lookup | ~6.9M ops/sec |
WHERE Validation | Simple clause (combined regex fast-path) | ~3.7M ops/sec |
Identifier Sanitization | validateIdentifier() | ~4.4M ops/sec |
Auth — Token Extraction | extractBearerToken() | ~2.7M ops/sec |
Auth — Scope Checking | hasScope() | ~5.3M ops/sec |
Rate Limiting | Single IP check | ~2.3M ops/sec |
Logger | Filtered debug (no-op path) | ~5.4M ops/sec |
Schema Parsing | MigrationInitSchema.parse() | ~2.1M ops/sec |
Metadata Cache | Cache hit + miss pattern | ~1.7M ops/sec |
Sandbox Creation | CodeModeSandbox.create() cold start | ~863 ops/sec |
Full benchmark results and methodology are available on the Performance wiki page.
🔗 Database Connection Scenarios
Scenario | Host to Use | Example Connection String |
PostgreSQL on host machine |
|
|
PostgreSQL in Docker | Container name or network |
|
Remote/Cloud PostgreSQL | Hostname or IP |
|
Provider | Example Hostname |
AWS RDS PostgreSQL |
|
Google Cloud SQL |
|
Azure PostgreSQL |
|
Supabase |
|
Neon |
|
🛠️ Tool Filtering
All tool groups includeCode Mode (pg_execute_code) by default. To exclude it, add -codemode to your filter: --tool-filter cron,pgcrypto,-codemode
⭐ Code Mode (
--tool-filter codemode) is the recommended configuration — it exposespg_execute_code, a secure, true V8 isolate sandbox providing access to all 248 tools' worth of capability with up to 90% token savings. See Tool Filtering for alternatives.
Requires
adminOAuth scope — execution is logged for audit
📖 See Full Installation Guide →
What Can You Filter?
The --tool-filter argument accepts groups or tool names — mix and match freely:
Filter Pattern | Example | Description |
Groups only |
| Combine individual groups |
Tool names |
| Custom tool selection |
Group + Tool |
| Extend a group |
Group - Tool |
| Remove specific tools |
Tool Groups (22 Available)
Group | Tools | Description |
| 1 | Code Mode (sandboxed code execution) 🌟 Recommended |
| 21 | Read/write queries, tables, indexes, convenience/drop tools |
| 9 | BEGIN, COMMIT, ROLLBACK, savepoints, status |
| 21 | JSONB manipulation, queries, and pretty-print |
| 14 | Full-text search, fuzzy matching |
| 25 | EXPLAIN, query analysis, optimization, diagnostics, anomaly detection |
| 12 | VACUUM, ANALYZE, REINDEX, insights |
| 12 | Database sizes, connections, status |
| 13 | pg_dump, COPY, restore, audit backups |
| 13 | Schemas, views, sequences, functions, triggers |
| 7 | Dependency graphs, cascade simulation, schema analysis |
| 7 | Schema migration tracking and management |
| 7 | Native partition management |
| 20 | Statistical analysis, window functions, outlier detection |
| 17 | pgvector (AI/ML similarity search) |
| 16 | PostGIS (geospatial) |
| 9 | pg_cron (job scheduling) |
| 11 | pg_partman (auto-partitioning) |
| 7 | pg_stat_kcache (OS-level stats) |
| 7 | citext (case-insensitive text) |
| 9 | ltree (hierarchical data) |
| 10 | pgcrypto (encryption, UUIDs) |
Syntax Reference
Prefix | Target | Example | Effect |
(none) | Group |
| Whitelist Mode: Enable ONLY this group |
(none) | Tool |
| Whitelist Mode: Enable ONLY this tool |
| Group |
| Add tools from this group to current set |
| Group |
| Remove tools in this group from current set |
| Tool |
| Add one specific tool |
| Tool |
| Remove one specific tool |
🌐 HTTP/SSE Transport (Remote Access)
For remote access, web-based clients, or HTTP-compatible MCP hosts, use the HTTP transport:
node dist/cli.js \
--transport http \
--port 3000 \
--postgres "postgres://user:pass@localhost:5432/db"Docker:
docker run --rm -p 3000:3000 \
-e POSTGRES_URL=postgres://user:pass@host:5432/db \
writenotenow/postgres-mcp:latest \
--transport http --port 3000The server supports two MCP transport protocols simultaneously, enabling both modern and legacy clients to connect:
Streamable HTTP (Recommended)
Modern protocol (MCP 2025-03-26) — single endpoint, session-based:
Method | Endpoint | Purpose |
|
| JSON-RPC requests (initialize, tools/list, etc.) |
|
| SSE stream for server notifications |
|
| Session termination |
Sessions are managed via the Mcp-Session-Id header.
Stateless Mode
For serverless/stateless deployments where sessions are not needed:
node dist/cli.js --transport http --port 3000 --stateless --postgres "postgres://..."In stateless mode: GET /mcp returns 405, DELETE /mcp returns 204, /sse and /messages return 404. Each POST /mcp creates a fresh transport.
Legacy SSE (Backward Compatibility)
Legacy protocol (MCP 2024-11-05) — for clients like Python mcp.client.sse:
Method | Endpoint | Purpose |
|
| Opens SSE stream, returns |
|
| Send JSON-RPC messages to the session |
Utility Endpoints
Method | Endpoint | Purpose |
|
| Health check (bypasses rate limiting, always available for monitoring) |
🔐 Authentication
postgres-mcp supports two authentication mechanisms for HTTP transport:
Simple Bearer Token (--auth-token)
Lightweight authentication for development or single-tenant deployments:
node dist/cli.js --transport http --port 3000 --auth-token my-secret --postgres "postgres://..."
# Or via environment variable
export MCP_AUTH_TOKEN=my-secret
node dist/cli.js --transport http --port 3000 --postgres "postgres://..."Clients must include Authorization: Bearer my-secret on all requests. /health and / are exempt. Unauthenticated requests receive 401 with WWW-Authenticate: Bearer headers per RFC 6750.
OAuth 2.1 (Enterprise)
Full OAuth 2.1 with RFC 9728/8414 compliance for production multi-tenant deployments:
node dist/cli.js \
--transport http \
--port 3000 \
--postgres "postgres://user:pass@localhost:5432/db" \
--oauth-enabled \
--oauth-issuer http://localhost:8080/realms/postgres-mcp \
--oauth-audience postgres-mcp-clientAdditional flags:
--oauth-jwks-uri <url>(auto-discovered if omitted),--oauth-clock-tolerance <seconds>(default: 60).
OAuth Scopes
Access control is managed through OAuth scopes:
Scope | Access Level |
| Read-only queries (SELECT, EXPLAIN) |
| Read + write operations |
| Full administrative access |
| Grants all access |
| Access to specific database |
| Access to specific schema |
| Access to specific table |
RFC Compliance
This implementation follows:
RFC 9728 — OAuth 2.1 Protected Resource Metadata
RFC 8414 — OAuth 2.1 Authorization Server Metadata
RFC 7591 — OAuth 2.1 Dynamic Client Registration
The server exposes metadata at /.well-known/oauth-protected-resource.
Note for Keycloak users: Add an Audience mapper to your client (Client → Client scopes → dedicated scope → Add mapper → Audience) to include the correct
audclaim in tokens.
Per-tool scope enforcement: Scopes are enforced at the tool level — each tool group maps to a required scope (read, write, or admin). When OAuth is enabled, every tool invocation checks the calling token's scopes before execution. When OAuth is not configured, scope checks are skipped entirely.
HTTP without authentication: When using --transport http without enabling OAuth or --auth-token, all clients have full unrestricted access. Always enable authentication for production HTTP deployments. See SECURITY.md for details.
Priority: When both
--auth-tokenand--oauth-enabledare set, OAuth 2.1 takes precedence. If neither is configured, the server warns and runs without authentication.
🔧 Configuration
Environment Variables
Variable | Default | Description | CLI Flag |
|
| Database host |
|
|
| Database port |
|
|
| Database username |
|
| (empty) | Database password |
|
|
| Database name |
|
| — | Connection string (overrides individual vars) |
|
|
| Server bind host ( |
|
|
| Transport type: |
|
|
| HTTP port for http/sse transports |
|
| — | Simple bearer token for HTTP auth |
|
|
| Log level: |
|
|
| Schema cache TTL (ms) | — |
| — | Tool filter string (also |
|
|
| Rate limit per IP per 15min window | — |
|
| HTTP request timeout (ms) for Slowloris protection | — |
|
| HTTP headers timeout (ms) | — |
|
| Trust X-Forwarded-For for client IP |
|
|
| Enable OAuth 2.1 authentication |
|
| — | Authorization server URL |
|
| — | Expected token audience |
|
| (auto) | JWKS URI (auto-discovered from issuer) |
|
|
| Clock tolerance in seconds |
|
| — | Audit log file path ( |
|
|
| Omit tool arguments from audit entries |
|
|
| Enable pre-mutation DDL snapshots |
|
|
| Include sample data rows in snapshots |
|
|
| Maximum snapshot age in days |
|
|
| Maximum number of snapshots to retain |
|
|
| Maximum table size for data capture (bytes) |
|
|
| Log read-scoped tool calls (compact entries) |
|
|
| Max log file size before rotation (bytes). Keeps up to 5 files. |
|
Aliases:
PGHOST,PGPORT,PGUSER,PGPASSWORD,PGDATABASEare also supported (standard PostgreSQL client env vars).
Pool Tuning for IAM Auth: For cloud-managed databases with IAM authentication (e.g., AWS RDS, Google Cloud SQL), use
--pool-maxto control pool size.
CLI Reference
Flag | Description |
| Connection string |
| PostgreSQL host |
| PostgreSQL port |
| Username |
| Password (prefer |
| Database name |
| Enable SSL |
| Max pool connections (default: 10) |
|
|
| HTTP port |
| Server bind host |
| Simple bearer token for HTTP auth |
| Stateless HTTP mode (no sessions, no SSE) |
| Tool filter string |
| Log verbosity |
| Enable OAuth 2.1 |
| Trust reverse proxy headers |
| Enable JSONL audit trail ( |
| Omit tool arguments from audit entries |
| Enable pre-mutation DDL snapshots |
| Include sample data rows in snapshots |
| Maximum snapshot age in days (default: 30) |
| Maximum number of snapshots to retain (default: 1000) |
| Maximum table size for data capture (default: 52428800) |
| Log read-scoped tool calls (compact entries) |
| Max log file size before rotation (default: 10MB). System retains up to 5 rotated historical archives before oldest deletion ( |
🤖 AI-Powered Prompts
Prompts provide step-by-step guidance for complex database tasks. Instead of figuring out which tools to use and in what order, simply invoke a prompt and follow its workflow — great for learning PostgreSQL best practices or automating repetitive DBA tasks.
This server includes 20 intelligent prompts for guided workflows:
Prompt | Description | Required Groups |
| Construct queries with CTEs and window functions | core |
| Design schemas with constraints and indexes | core |
| Analyze queries with EXPLAIN and optimization | core, performance |
| Generate migration scripts with rollback support | core |
| Lazy hydration - compact index of all tools | — |
| Quick SQL query guidance for common operations | core |
| Quick reference for exploring database schema | core |
| Comprehensive database health assessment | core, performance, monitoring |
| Enterprise backup planning with RTO/RPO | core, monitoring, backup |
| Index analysis and optimization workflow | core, performance |
| Extension installation and configuration guide | core |
| Complete pgvector setup for semantic search | core, vector |
| Complete PostGIS setup for geospatial operations | core, postgis |
| Complete pg_cron setup for job scheduling | core |
| Complete pg_partman setup for partition management | core, partman |
| Complete pg_stat_kcache setup for OS monitoring | core, kcache |
| Complete citext setup for case-insensitive text | core, citext |
| Complete ltree setup for hierarchical data | core, ltree |
| Complete pgcrypto setup for cryptographic funcs | core, pgcrypto |
| 6-step safe restore playbook with | backup |
📦 Resources
Resources give you instant snapshots of database state without writing queries. Perfect for quickly checking schema, health, or performance metrics — the AI can read these to understand your database context before suggesting changes.
This server provides 23 resources for structured data access:
Resource | URI | Description |
Schema |
| Full database schema |
Tables |
| Table listing with sizes |
Settings |
| PostgreSQL configuration |
Statistics |
| Database statistics with stale detection |
Activity |
| Current connections |
Pool |
| Connection pool status |
Capabilities |
| Server version, extensions, tool categories |
Performance |
| pg_stat_statements query metrics |
Health |
| Comprehensive database health status |
Extensions |
| Extension inventory with recommendations |
Indexes |
| Index usage with unused detection |
Replication |
| Replication status and lag monitoring |
Vacuum |
| Vacuum stats and wraparound warnings |
Locks |
| Lock contention detection |
Cron |
| pg_cron job status and execution history |
Partman |
| pg_partman partition configuration and health |
Kcache |
| pg_stat_kcache CPU/I/O metrics summary |
Vector |
| pgvector columns, indexes, and recommendations |
PostGIS |
| PostGIS spatial columns and index status |
Crypto |
| pgcrypto availability and security recommendations |
Insights |
| AI-appended business insights and observations |
Audit |
| Audit trail with token summary and top tools |
Help |
| Group-specific help and workflow documentation |
🔧 Extension Support
Extension | Purpose | Tools |
| Query performance tracking |
|
| Text similarity |
|
| Fuzzy matching |
|
| Hypothetical indexes |
|
| Vector similarity search | 16 vector tools |
| Geospatial operations | 15 postgis tools |
| Job scheduling | 8 cron tools |
| Automated partition management | 10 partman tools |
| OS-level CPU/memory/I/O stats | 7 kcache tools |
| Case-insensitive text | 6 citext tools |
| Hierarchical tree labels | 8 ltree tools |
| Hashing, encryption, UUIDs | 9 pgcrypto tools |
Extension tools gracefully handle cases where extensions are not installed. Extension tool counts include
create_extensionhelpers but exclude Code Mode; the Tool Groups table above adds +1 per group for Code Mode.
Contributing
Contributions are welcome! Please read our Contributing Guidelines before submitting a pull request.
Security
For security concerns, please see our Security Policy.
⚠️ Never commit credentials - Store secrets in environment variables
License
This project is licensed under the MIT License - see the LICENSE file for details.
Code of Conduct
Please read our Code of Conduct before participating in this project.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/neverinfamous/postgres-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server