MCP Directory

Best MCP Servers for SQL & Databases (2026)

Six database MCP servers worth installing — matched to what you actually run, with the read-only settings that keep an agent off your production data.

Hua·June 30, 2026·6 min read
Contemporary computer on support between telecommunication racks and cabinets in modern data center
Photo by Brett Sayles on Pexels

The best MCP servers for SQL and databases fall into two camps: thin query servers that run SQL and read schema (add one of these), and platform servers that manage a whole database-as-a-service. For most engineers the right answer is a single, token-light query server — DBHub or MCP Alchemy — plus read-only mode turned on. Everything past that is either a specialized need or a way to blow your tool budget.

This is the grounded shortlist: what each server does, the trade-offs, and what to skip. Every server here is real and linked, and I've kept the config notes minimal and correct. If you only want the headline: pick by which database you run and whether you need writes, not by star count.

The shortlist at a glance

Start from your database engine and your risk tolerance, then pick one server. The table below maps each to its job so you don't install three overlapping ones.

ServerBest forDatabasesTransportOfficial
DBHubToken-light SQL + schema, multi-DBPostgres, MySQL, MariaDB, SQL Server, SQLitestdio / HTTPCommunity (Bytebase)
MCP AlchemyAnything with a SQLAlchemy driverPostgres, MySQL, SQLite, Oracle, MS SQLstdioCommunity
Multi Database MCP ServerSeveral DBs at once + TimescaleDBMySQL, Postgres, SQLite, Oracle, TimescaleDBstdioCommunity
CentralMind GatewayA hardened, PII-redacted API layerStructured DBs (schema-discovered)stdio / SSE
Supabase MCP ServerManaging a Supabase projectPostgres (Supabase)HTTP (OAuth)Official
Query | SupabaseSupabase with strict write gatingPostgres (Supabase)stdioCommunity

Nearly every option here runs locally over stdio, which is the norm — roughly 90% of MCP servers do. That keeps latency low and your queries off a third party's logs.

The default pick: one thin query server

For plain "let the agent query my database," install DBHub and stop there. It's a zero-dependency server from Bytebase covering Postgres, MySQL, MariaDB, SQL Server, and SQLite, and it deliberately exposes a small tool set — execute_sql, search_objects, plus custom tools — so it stays token-efficient and doesn't crowd out your other servers. It supports read-only mode, row limiting, and query timeouts, which are exactly the guardrails you want when an LLM writes the SQL.

A minimal stdio launch is one line:

{
  "mcpServers": {
    "dbhub": {
      "command": "npx",
      "args": ["@bytebase/dbhub@latest", "--transport", "stdio",
               "--dsn", "postgres://user:pass@localhost:5432/mydb"]
    }
  }
}

One warning: DBHub's HTTP transport defaults to binding 0.0.0.0 with no client auth. If you run it over HTTP, bind to 127.0.0.1 and put it behind a proxy or firewall. Stick to stdio locally and this isn't a concern. Setup patterns for any client are in how to add an MCP server.

When your database isn't in that list: MCP Alchemy

If you run Oracle, or anything with a SQLAlchemy driver, reach for MCP Alchemy. It's a Python server that talks to Postgres, MySQL, SQLite, Oracle, and MS SQL through SQLAlchemy, and its four tools are well-shaped for how a model actually explores a schema: all_table_names, filter_table_names, schema_definitions (with primary and foreign keys), and execute_query. The foreign-key awareness is the reason I prefer it for unfamiliar schemas — the model can follow relationships instead of guessing joins.

The cost of that breadth is trust: execute_query runs arbitrary SQL against a connection string you supply. Give it a least-privilege, read-only database account and the blast radius is small. It runs via uvx, so there's nothing to install globally.

Special cases: multi-DB and a hardened gateway

Need several databases live in one session? Multi Database MCP Server connects to MySQL, Postgres, SQLite, Oracle, and TimescaleDB concurrently and generates per-database tools (query_<db_id>, execute_<db_id>, schema_<db_id>, and TimescaleDB hypertable operations). That's its strength and its catch: it can emit 13 tools across those groups, which eats into the ~40-tool budget most clients degrade past. Install it only if you genuinely query multiple databases at once — otherwise a single thin server is the better use of slots. See the coding-agents shortlist for how that budget math plays out across a real stack.

Different problem: exposing production data safely. CentralMind Gateway doesn't hand the model raw SQL. It runs a one-time discovery pass over your schema, generates a gateway.yaml where each endpoint becomes an MCP method, and adds PII redaction, row-level security, caching, and OpenTelemetry auditing on top. It's a Go binary that speaks stdio or SSE, and REST/OpenAPI too. Overkill for a local dev database; the right tool when a database sits behind compliance requirements.

For Supabase, pick by how much you trust writes

On Supabase, there are two good servers and the choice comes down to write safety. The official Supabase MCP Server is the default — it's maintained by Supabase in the supabase/mcp repo, and the recommended setup is the hosted remote at https://mcp.supabase.com/mcp with an OAuth 2.1 browser login, so you never paste an access token into a config file. It goes well beyond SQL: list_tables, execute_sql, apply_migration, deploy_edge_function, branch management, and generate_typescript_types.

Scope it every time. Append ?read_only=true&project_ref=<ref> to the URL to force read-only transactions on a single project:

https://mcp.supabase.com/mcp?read_only=true&project_ref=<your-project-ref>

The alternative, Query | Supabase MCP Server, is a community stdio server built around a three-tier safety system: it defaults to read-only, write operations require flipping into unsafe mode via a live_dangerously tool, and destructive statements need explicit two-step confirmation. Choose it if you want that confirmation gate in front of an agent that will write. It needs a free API key to run, whereas the official server's OAuth flow needs no token at all.

What to skip, and my default

Skip installing more than one query server. DBHub, MCP Alchemy, and the multi-DB server overlap heavily — running two means duplicate execute_sql-style tools competing for the same call, which reads as the model getting worse.

Skip write access you don't need. The single highest-value setting on every server here is read-only mode plus a least-privilege database user; turn both on before you connect anything to real data. Security trade-offs across servers are covered in MCP security: what actually matters.

My default: one thin query server (DBHub for the common engines, MCP Alchemy if you're on Oracle), read-only, on a least-privilege account. Add Supabase's official server only if you actually work in Supabase, and CentralMind only when production data needs a hardened layer. Browse the full ranked list at best MCP servers, or filter by what you need on the capabilities page.

FAQ

Are these SQL database MCP servers free and safe to use?

Yes to free: DBHub (MIT), MCP Alchemy (MPL-2.0), the Multi Database server (MIT), and CentralMind (Apache-2.0) are all open source and run locally over stdio, and Supabase's official server is free to connect. Safety is a config choice, not a default — always run in read-only mode and connect with a least-privilege database account, because tools like execute_sql and execute_query run whatever SQL the model writes.

Which MCP server is best for Postgres and MySQL?

DBHub. It covers Postgres, MySQL, MariaDB, SQL Server, and SQLite with a deliberately small, token-efficient tool set and built-in read-only, row-limit, and timeout guardrails. Reach for MCP Alchemy instead only if you also need Oracle or another SQLAlchemy-driver database.

What's the best MCP server for Supabase?

The official Supabase MCP Server for most people — it's maintained by Supabase and connects via an OAuth 2.1 remote endpoint, so there's no token to paste. Use the community Query | Supabase server instead if you want a stricter write path, since it defaults to read-only and requires two-step confirmation for destructive operations.

How do I stop an AI agent from modifying my database?

Turn on read-only mode and use a read-only database account. On Supabase's official server, add ?read_only=true to the URL; DBHub, MCP Alchemy, and the Query | Supabase server all default to or support read-only transactions. The database-level account is the real safety net, since it holds even if a server setting is misconfigured.

Can one MCP server connect to multiple databases at once?

Yes. The Multi Database MCP Server connects to MySQL, Postgres, SQLite, Oracle, and TimescaleDB simultaneously and generates per-database tools, and DBHub supports multiple connections via a TOML config. Only install a multi-DB server if you truly query several databases in one session, because each connection adds tools that count against your client's roughly 40-tool budget.

Put this into practice

Browse MCP servers by capability, or check your own setup's tool budget and security.

More essays