Overview
Tool catalogue
PostgreSQL exposes two native tools. In router mode the model discovers them withSEARCH_TOOLS and never needs you to bind a fixed resource ahead of time.
Connect setup
Unlike OAuth providers, PostgreSQL connects with a database connection URL — there is no redirect or consent screen. When the agent needs the database and it isn’t connected yet, it surfaces a Connect action; the user pastes their connection URL into a short form.1
Open the connect form
In the playground (or wherever a connect link is surfaced), click Connect to PostgreSQL DB. A form asks for a single field, the connection URL:Append
?sslmode=disable only for databases that do not use TLS; hosted databases generally require TLS and connect with it by default.2
Validation and schema introspection
On submit, RouteMCP validates the host, opens a test connection (
SELECT 1), introspects the schema (tables, columns, primary keys, foreign keys), caches a schema snapshot, and marks the connection active. If the database is unreachable or the URL is wrong, the form shows an error and nothing is stored.3
Stored encrypted
The connection URL is encrypted at rest (AES-256-GCM). Only read-only queries are ever issued against it. Use Re-sync if your schema changes, or Disconnect to remove the connection.
For least privilege, supply a connection URL for a read-only database role. RouteMCP also enforces read-only at query time, but a read-only role is the strongest guarantee.
Usage
Through the chat endpoint (recommended)
POSTGRES_DESCRIBE_SCHEMA to learn the shape, writes a query such as SELECT count(*) FROM users WHERE created_at >= date_trunc('week', now()), runs it via POSTGRES_RUN_QUERY, and streams back a plain-language answer. The generated SQL is visible in the tool-call trace but never shown in the chat reply.
Direct MCP JSON-RPC (Claude Desktop / Cursor / custom MCP clients)
Data handling & security
PostgreSQL is the first read-only data connector and applies several guardrails automatically — you don’t configure anything.- Read-only only.
POSTGRES_RUN_QUERYaccepts a singleSELECT/WITHstatement.INSERT,UPDATE,DELETE, DDL, multi-statement input, and dangerous functions are rejected, and the query runs in aREAD ONLYtransaction. The assistant will not offer or attempt writes (no “force password reset”, “rotate credentials”, etc.) — it can only read and analyze. - Sensitive columns are redacted. Columns whose names indicate secrets —
password,password_hash,secret,api_key,token,private_key,ssn,cvv,card_number, and similar — are returned as[restricted]and are marked restricted in the schema, regardless of how the query selects them. - Encrypted data is detected. When a column’s values look encrypted or hashed (bcrypt/argon prefixes, high-entropy base64/hex,
iv:ciphertext:tag), they are returned as[encrypted]and the assistant tells you the data is encrypted at rest rather than presenting unreadable values. - Host protection. Connection hosts are validated to block internal, loopback, and cloud-metadata addresses.
Row results are capped (default 1000 rows) and queries run under a statement timeout. Ask for a
count(*) or an aggregate when you want totals rather than every row.