pgmcp
Provides tools for running read-only SQL queries and schema inspection on PostgreSQL databases.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@pgmcpList the tables in the analytics schema."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
pgmcp
A hardened, read-only Model Context Protocol server over a PostgreSQL database. It gives an LLM client a guarded SQL query tool plus schema introspection — and nothing else. No writes, no filesystem, no admin surface.
Why
Handing an LLM a raw database connection is dangerous. pgmcp puts a database between the model and your data with defense-in-depth:
Least-privilege role. pgmcp connects as a role with
SELECT-only grants on exactly the schemas you allow — notpg_read_all_data. Grants are the security boundary.Single-statement SELECT guard. A pglast AST guard rejects everything that isn't one read-only
SELECT: multi-statement SQL (theCOMMIT; DROP …escape), DML, DDL,COPY,SELECT … INTO, data-modifying CTEs, and filesystem/admin functions.READ ONLY transaction envelope around every query.
EXPLAIN cost pre-gate on the large schemas you designate — a runaway cartesian join is rejected before it runs.
Row cap with a truncation flag in the response.
Per-identity audit log — one structured JSON line per call, attributed to the authenticated user.
Everything domain-specific is configuration.
Related MCP server: PostgreSQL MCP Server
Tools
Tool | Purpose |
| Run one guarded, read-only SELECT; returns columns + rows + truncation flag. |
| List tables/views in one allowlisted schema. |
| Column names, types, nullability for one table/view. |
Quickstart
# 1. Create the least-privilege role and grants (see db/README.md).
# db/03_grants.sql and db/02_curated_views.sql are examples to edit for your
# own schema; PGMCP_ALLOWED_SCHEMAS below must match whatever you actually grant.
psql -f db/01_role.sql
psql -f db/03_grants.sql
psql -c "ALTER ROLE pgmcp_ro PASSWORD 'choose-a-secret'"
# 2. Install
uv venv && uv pip install -e .
# 3. Configure and run
export PGMCP_DSN="postgresql://pgmcp_ro:choose-a-secret@127.0.0.1:5432/mydb"
export PGMCP_ALLOWED_SCHEMAS="app,analytics,public"
export PGMCP_COST_GATED_SCHEMAS="app,analytics"
pgmcp # or: python -m pgmcp.serverThe server binds 127.0.0.1:8765 and speaks Streamable HTTP. It trusts an
X-Auth-User header injected by a reverse proxy — see deploy/ for an nginx +
systemd example that adds TLS and per-user bearer auth.
Configuration
Env var | Meaning | Default |
| libpq conninfo — |
|
| comma list of queryable schemas (required) | — |
| subset that gets the EXPLAIN pre-gate | (none) |
| path to a TOML schema-contract; asserted on boot | (unset → skip) |
| path to model instructions; overrides the default | (unset → default) |
| max rows returned |
|
| cost-gate ceiling |
|
| trusted identity header |
|
| bind address (loopback) |
|
| DNS-rebinding / Origin allowlists | hosts: loopback; origins: empty |
PGMCP_ALLOWED_SCHEMAS must mirror the grants in db/03_grants.sql. The server
refuses to boot with an empty allowlist.
Exposing a table with some sensitive columns
Don't grant the base table. Create a view in a curated schema that projects
only the safe columns, grant the view, and add curated to
PGMCP_ALLOWED_SCHEMAS. See db/02_curated_views.sql. The base table stays
unreachable through pgmcp.
Optional: schema contract
Point PGMCP_SCHEMA_CONTRACT at a TOML file (see examples/schema-contract.toml)
declaring expected column types. On boot pgmcp asserts them against
information_schema and refuses to start on drift — a guard against a query
tool silently outliving the schema it was written for.
Development
uv pip install -e ".[dev]"
pytest tests/ # unit tests need no database
PGMCP_DSN=... pytest tests/test_live.py # opt-in end-to-end checksDesign
Architecture decisions and their rationale are in docs/adr/. Start with
CONTEXT.md (glossary) and SETUP.md (setup runbook).
License
Released under the MIT License — see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sbamin/pgmcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server