MCP Server for Postgres: the options
Five real MCP servers that talk to Postgres, matched to what you actually run — plus the read-only config that keeps an agent off your production data.

The right MCP server for Postgres depends on one question: are you connecting to a raw Postgres instance you control, or to a managed platform like Supabase or Neon? For a plain database, install one thin query server — DBHub or Postgres MCP Pro — and turn on read-only mode. For a managed platform, use the vendor's own server so you also get project, branch, and migration tooling. Installing more than one is how you burn your tool budget.
This is the grounded shortlist. Every server below is real, linked, and matched to a specific job, with the minimal config that actually works. Roughly 90% of MCP servers run locally over stdio, and the Postgres ones are no exception — three of these five are stdio processes on your own machine, which is the least surprising, most private setup for a database credential.
Pick by what you're connecting to
Start from your setup, not from star counts. Raw Postgres wants a query server; a managed platform wants its vendor server. The table maps each option to its job so you install exactly one.
| Server | Best for | Transport | Official? | Notes |
|---|---|---|---|---|
| DBHub | Any Postgres (and 4 other engines) | stdio / HTTP | Community (Bytebase) | Zero-dependency, token-light |
| Postgres MCP Pro | Postgres perf work | stdio | Community (Crystal DBA) | Index tuning, EXPLAIN, health |
| Supabase MCP Server | Managing a Supabase project | HTTP (OAuth) | Official | Tables, SQL, branches, edge functions |
| Neon MCP Server | Serverless Postgres on Neon | HTTP (OAuth) | Official | Projects, branches, migrations |
| Query | Supabase | Supabase with strict write gating | stdio | Community | SAFE mode by default, 2-step confirm |
If you only read one row: raw Postgres → DBHub; you care about slow queries → Postgres MCP Pro; you live in Supabase or Neon → the official vendor server.
DBHub: the default for a raw Postgres
For a plain Postgres connection, DBHub is the server to reach for first. It's a zero-dependency, token-efficient server from Bytebase that speaks Postgres, MySQL, MariaDB, SQL Server, and SQLite through one binary, so you learn one tool surface instead of five. You point it at a database with a DSN and it exposes schema and query tools — nothing more, which is exactly what you want next to an LLM.
Run it over stdio with a single command:
{
"command": "npx",
"args": ["@bytebase/dbhub@latest", "--transport", "stdio", "--dsn", "postgres://user:password@localhost:5432/dbname"]
}
One caveat worth knowing before you deploy it anywhere shared: DBHub's HTTP transport defaults to binding 0.0.0.0 and does not authenticate clients. On stdio that's a non-issue — the process only talks to your local client. If you ever switch to HTTP, bind 127.0.0.1 and front it with a proxy. Stick to stdio and a least-privilege database role and you're fine.
Postgres MCP Pro: when you're tuning, not just querying
Reach for Postgres MCP Pro when the job is performance, not plumbing. Beyond read/write SQL, this community server from Crystal DBA adds index tuning, EXPLAIN plan analysis, and database health checks — the tools you'd otherwise be pasting into a chat window by hand. It's the only server on this list built for the "why is this query slow" workflow rather than "read me a row."
It runs over stdio, and the important flag is the access mode. Default to restricted (read-only) and only widen it when an agent genuinely needs to write or run DDL:
{
"command": "docker",
"args": ["run", "-i", "--rm", "-e", "DATABASE_URI", "crystaldba/postgres-mcp", "--access-mode=restricted"],
"env": { "DATABASE_URI": "postgresql://<user>:<password>@<host>:5432/<dbname>" }
}
The DATABASE_URI holds full credentials, so store it in your client's secret handling, not a committed config file, and hand it a role that can't drop tables.
Supabase and Neon: use the official server
If your Postgres lives on Supabase or Neon, skip the generic query servers and use the vendor's own — you get platform management on top of SQL. The Supabase MCP Server is official and manages tables, SQL, branches, configs, and edge functions. The Neon MCP Server is likewise official and covers projects, branches, migrations, and SQL for serverless Postgres. Both are remote HTTP servers you authorize with OAuth, which is the trade-off: convenient login, but the grant covers your whole org, so review the scopes.
With Supabase, always scope the connection and default it to read-only in the URL:
{ "url": "https://mcp.supabase.com/mcp?read_only=true&project_ref=<your-project-ref>" }
For Neon, the current path is the remote endpoint via mcp-remote (npx -y mcp-remote https://mcp.neon.tech/mcp). Note the standalone @neondatabase/mcp-server-neon npm package is deprecated — don't pin to it. Since these servers can run arbitrary SQL and reshape projects, treat the OAuth grant as production access. For a fuller take on OAuth-backed remote servers, see local vs remote MCP.
The safety-first Supabase option
If you want Supabase but don't trust an agent near your data, Query | Supabase is the community server built around write gating. It defaults to a SAFE read-only mode; writes require flipping into unsafe mode via a live_dangerously tool, and destructive operations demand an explicit two-step confirmation. That's a real behavioral guardrail, not a config flag you can forget.
The trade-offs: it's stdio and Python (pipx install supabase-mcp-server), and since v0.4 it needs a free QUERY_API_KEY from thequery.dev alongside your Supabase credentials. That's more env vars to manage than the official server's OAuth. Pick it when the confirmation-on-destructive-ops behavior is worth the extra setup — for example, pointing an agent at a shared project.
What to skip and how to wire it up
Skip installing two Postgres servers at once. They overlap, and every extra server eats into the roughly 40-tool budget most clients handle before selection gets unreliable — that's real math, covered in Cursor's tool limit. One server, read-only by default, least-privilege role: that covers the vast majority of real use.
Adding any of these is the same three steps in any client — server command or URL, credentials, restart — walked through in how to add an MCP server. To browse the full field or compare data tooling side by side, start from the best MCP servers, filter by capabilities, or check alternatives when a server doesn't fit.