Skip to main content
PostgreSQL

Overview

Tool catalogue

PostgreSQL exposes two native tools. In router mode the model discovers them with SEARCH_TOOLS and never needs you to bind a fixed resource ahead of time.

Connect setup

Unlike OAuth providers, PostgreSQL connects with a database connection URL — there is no redirect or consent screen. When the agent needs the database and it isn’t connected yet, it surfaces a Connect action; the user pastes their connection URL into a short form.
1

Open the connect form

In the playground (or wherever a connect link is surfaced), click Connect to PostgreSQL DB. A form asks for a single field, the connection URL:
Append ?sslmode=disable only for databases that do not use TLS; hosted databases generally require TLS and connect with it by default.
2

Validation and schema introspection

On submit, RouteMCP validates the host, opens a test connection (SELECT 1), introspects the schema (tables, columns, primary keys, foreign keys), caches a schema snapshot, and marks the connection active. If the database is unreachable or the URL is wrong, the form shows an error and nothing is stored.
3

Stored encrypted

The connection URL is encrypted at rest (AES-256-GCM). Only read-only queries are ever issued against it. Use Re-sync if your schema changes, or Disconnect to remove the connection.
For least privilege, supply a connection URL for a read-only database role. RouteMCP also enforces read-only at query time, but a read-only role is the strongest guarantee.

Usage

The agent calls POSTGRES_DESCRIBE_SCHEMA to learn the shape, writes a query such as SELECT count(*) FROM users WHERE created_at >= date_trunc('week', now()), runs it via POSTGRES_RUN_QUERY, and streams back a plain-language answer. The generated SQL is visible in the tool-call trace but never shown in the chat reply.

Direct MCP JSON-RPC (Claude Desktop / Cursor / custom MCP clients)

Data handling & security

PostgreSQL is the first read-only data connector and applies several guardrails automatically — you don’t configure anything.
  • Read-only only. POSTGRES_RUN_QUERY accepts a single SELECT/WITH statement. INSERT, UPDATE, DELETE, DDL, multi-statement input, and dangerous functions are rejected, and the query runs in a READ ONLY transaction. The assistant will not offer or attempt writes (no “force password reset”, “rotate credentials”, etc.) — it can only read and analyze.
  • Sensitive columns are redacted. Columns whose names indicate secrets — password, password_hash, secret, api_key, token, private_key, ssn, cvv, card_number, and similar — are returned as [restricted] and are marked restricted in the schema, regardless of how the query selects them.
  • Encrypted data is detected. When a column’s values look encrypted or hashed (bcrypt/argon prefixes, high-entropy base64/hex, iv:ciphertext:tag), they are returned as [encrypted] and the assistant tells you the data is encrypted at rest rather than presenting unreadable values.
  • Host protection. Connection hosts are validated to block internal, loopback, and cloud-metadata addresses.
Row results are capped (default 1000 rows) and queries run under a statement timeout. Ask for a count(*) or an aggregate when you want totals rather than every row.