MCP Directory

MCP Server for Postgres: the options

Five real MCP servers that talk to Postgres, matched to what you actually run — plus the read-only config that keeps an agent off your production data.

Hua·June 30, 2026·6 min read
Steel framework cabinets housing servers networking devices and cables in contemporary equipped data center
Photo by Brett Sayles on Pexels

The right MCP server for Postgres depends on one question: are you connecting to a raw Postgres instance you control, or to a managed platform like Supabase or Neon? For a plain database, install one thin query server — DBHub or Postgres MCP Pro — and turn on read-only mode. For a managed platform, use the vendor's own server so you also get project, branch, and migration tooling. Installing more than one is how you burn your tool budget.

This is the grounded shortlist. Every server below is real, linked, and matched to a specific job, with the minimal config that actually works. Roughly 90% of MCP servers run locally over stdio, and the Postgres ones are no exception — three of these five are stdio processes on your own machine, which is the least surprising, most private setup for a database credential.

Pick by what you're connecting to

Start from your setup, not from star counts. Raw Postgres wants a query server; a managed platform wants its vendor server. The table maps each option to its job so you install exactly one.

ServerBest forTransportOfficial?Notes
DBHubAny Postgres (and 4 other engines)stdio / HTTPCommunity (Bytebase)Zero-dependency, token-light
Postgres MCP ProPostgres perf workstdioCommunity (Crystal DBA)Index tuning, EXPLAIN, health
Supabase MCP ServerManaging a Supabase projectHTTP (OAuth)OfficialTables, SQL, branches, edge functions
Neon MCP ServerServerless Postgres on NeonHTTP (OAuth)OfficialProjects, branches, migrations
Query | SupabaseSupabase with strict write gatingstdioCommunitySAFE mode by default, 2-step confirm

If you only read one row: raw Postgres → DBHub; you care about slow queries → Postgres MCP Pro; you live in Supabase or Neon → the official vendor server.

DBHub: the default for a raw Postgres

For a plain Postgres connection, DBHub is the server to reach for first. It's a zero-dependency, token-efficient server from Bytebase that speaks Postgres, MySQL, MariaDB, SQL Server, and SQLite through one binary, so you learn one tool surface instead of five. You point it at a database with a DSN and it exposes schema and query tools — nothing more, which is exactly what you want next to an LLM.

Run it over stdio with a single command:

{
  "command": "npx",
  "args": ["@bytebase/dbhub@latest", "--transport", "stdio", "--dsn", "postgres://user:password@localhost:5432/dbname"]
}

One caveat worth knowing before you deploy it anywhere shared: DBHub's HTTP transport defaults to binding 0.0.0.0 and does not authenticate clients. On stdio that's a non-issue — the process only talks to your local client. If you ever switch to HTTP, bind 127.0.0.1 and front it with a proxy. Stick to stdio and a least-privilege database role and you're fine.

Postgres MCP Pro: when you're tuning, not just querying

Reach for Postgres MCP Pro when the job is performance, not plumbing. Beyond read/write SQL, this community server from Crystal DBA adds index tuning, EXPLAIN plan analysis, and database health checks — the tools you'd otherwise be pasting into a chat window by hand. It's the only server on this list built for the "why is this query slow" workflow rather than "read me a row."

It runs over stdio, and the important flag is the access mode. Default to restricted (read-only) and only widen it when an agent genuinely needs to write or run DDL:

{
  "command": "docker",
  "args": ["run", "-i", "--rm", "-e", "DATABASE_URI", "crystaldba/postgres-mcp", "--access-mode=restricted"],
  "env": { "DATABASE_URI": "postgresql://<user>:<password>@<host>:5432/<dbname>" }
}

The DATABASE_URI holds full credentials, so store it in your client's secret handling, not a committed config file, and hand it a role that can't drop tables.

Supabase and Neon: use the official server

If your Postgres lives on Supabase or Neon, skip the generic query servers and use the vendor's own — you get platform management on top of SQL. The Supabase MCP Server is official and manages tables, SQL, branches, configs, and edge functions. The Neon MCP Server is likewise official and covers projects, branches, migrations, and SQL for serverless Postgres. Both are remote HTTP servers you authorize with OAuth, which is the trade-off: convenient login, but the grant covers your whole org, so review the scopes.

With Supabase, always scope the connection and default it to read-only in the URL:

{ "url": "https://mcp.supabase.com/mcp?read_only=true&project_ref=<your-project-ref>" }

For Neon, the current path is the remote endpoint via mcp-remote (npx -y mcp-remote https://mcp.neon.tech/mcp). Note the standalone @neondatabase/mcp-server-neon npm package is deprecated — don't pin to it. Since these servers can run arbitrary SQL and reshape projects, treat the OAuth grant as production access. For a fuller take on OAuth-backed remote servers, see local vs remote MCP.

The safety-first Supabase option

If you want Supabase but don't trust an agent near your data, Query | Supabase is the community server built around write gating. It defaults to a SAFE read-only mode; writes require flipping into unsafe mode via a live_dangerously tool, and destructive operations demand an explicit two-step confirmation. That's a real behavioral guardrail, not a config flag you can forget.

The trade-offs: it's stdio and Python (pipx install supabase-mcp-server), and since v0.4 it needs a free QUERY_API_KEY from thequery.dev alongside your Supabase credentials. That's more env vars to manage than the official server's OAuth. Pick it when the confirmation-on-destructive-ops behavior is worth the extra setup — for example, pointing an agent at a shared project.

What to skip and how to wire it up

Skip installing two Postgres servers at once. They overlap, and every extra server eats into the roughly 40-tool budget most clients handle before selection gets unreliable — that's real math, covered in Cursor's tool limit. One server, read-only by default, least-privilege role: that covers the vast majority of real use.

Adding any of these is the same three steps in any client — server command or URL, credentials, restart — walked through in how to add an MCP server. To browse the full field or compare data tooling side by side, start from the best MCP servers, filter by capabilities, or check alternatives when a server doesn't fit.

FAQ

Is there an official MCP server for Postgres?

Not for generic Postgres — the reference Postgres server was archived. But the two managed platforms have official servers: the Supabase MCP Server and the Neon MCP Server. For a raw Postgres instance, the best-maintained options are community servers like DBHub and Postgres MCP Pro.

Is it safe to connect an MCP server to my production database?

Only with guardrails. Run the server in read-only mode (DBHub over stdio, Postgres MCP Pro with --access-mode=restricted, Supabase with read_only=true), give it a least-privilege database role, and store credentials in your client's secret handling rather than a committed file. Query | Supabase goes further with two-step confirmation on destructive operations.

DBHub or Postgres MCP Pro — which should I pick?

DBHub if you just need schema and query tools, especially across multiple database engines; it's zero-dependency and token-light. Postgres MCP Pro if you're doing performance work, since it adds index tuning, EXPLAIN plan analysis, and health checks that DBHub doesn't.

Do these Postgres MCP servers run locally?

The raw-Postgres ones do. DBHub, Postgres MCP Pro, and Query | Supabase all run locally over stdio, matching the roughly 90% of MCP servers that run on your own machine. The official Supabase and Neon servers are remote HTTP endpoints you connect to over OAuth.

Can an MCP server write to Postgres, or only read?

Both, but most default to read-only for safety. DBHub reads by default; Postgres MCP Pro needs a wider --access-mode for writes; Query | Supabase requires enabling unsafe mode via a live_dangerously tool before any write. Only widen access when an agent genuinely needs to modify data.

Put this into practice

Browse MCP servers by capability, or check your own setup's tool budget and security.

More essays