Sql
FreeNot checkedAn extensible read-only MCP server for SQL databases, enabling schema exploration and safe SELECT queries via tools like list_schemas, list_tables, describe_tab
About
An extensible read-only MCP server for SQL databases, enabling schema exploration and safe SELECT queries via tools like list_schemas, list_tables, describe_table, and execute_query.
README
An extensible, read-only Model Context Protocol
server for SQL databases. It lets an MCP client (Claude, etc.) explore schemas and
run SELECT queries safely.
- First engine: Microsoft SQL Server (via
pyodbc/ ODBC Driver 18). - Designed to extend: new engines plug in behind a
DatabaseProviderinterface; auth methods plug in behind anAuthStrategy. - Transports: local stdio and remote streamable HTTP from the same server.
- Read-only by design: every query is validated to be a single
SELECT/WITH/EXPLAIN.
Install
Requires Python 3.11+. The MS SQL engine needs the Microsoft ODBC Driver 18:
# macOS
brew tap microsoft/mssql-release https://github.com/microsoft/homebrew-mssql-release
brew trust microsoft/mssql-release # newer Homebrew requires trusting 3rd-party taps
HOMEBREW_ACCEPT_EULA=Y brew install unixodbc msodbcsql18
# Debian/Ubuntu: see https://learn.microsoft.com/sql/connect/odbc/linux-mac/
Then install the project (with the mssql extra for the SQL Server driver):
uv sync --extra mssql --extra dev
# or: pip install -e ".[mssql,dev]"
Configure
Copy .env.example to .env and edit. Key settings (env prefix MCPSQL_):
| Setting | Purpose |
|---|---|
MCPSQL_DB_TYPE |
Engine. Currently mssql. |
MCPSQL_HOST / MCPSQL_PORT / MCPSQL_DATABASE |
Connection target. |
MCPSQL_AUTH_METHOD |
sql_password | windows | azure_ad. |
MCPSQL_MAX_ROWS |
Row cap for execute_query (default 1000). |
MCPSQL_ODBC_DRIVER |
ODBC driver name (default ODBC Driver 18 for SQL Server). |
Authentication matrix (MS SQL)
MCPSQL_AUTH_METHOD |
What it does | Extra settings |
|---|---|---|
sql_password |
SQL Server login (username/password). | MCPSQL_USERNAME, MCPSQL_PASSWORD |
windows |
Integrated / trusted connection (Windows or AD-joined host). | — |
azure_ad |
OAuth2 access token via Azure AD / Entra ID. | MCPSQL_AZURE_AUTH_MODE |
azure_ad token acquisition modes (MCPSQL_AZURE_AUTH_MODE):
default—DefaultAzureCredential(env vars, managed identity, Azure CLI, …).service_principal— readsAZURE_TENANT_ID,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET.managed_identity—ManagedIdentityCredential(for Azure-hosted workloads).
Security note: the read-only validator is a guard, not a boundary. For real protection, connect with a least-privilege principal (e.g. a login mapped to
db_datareader). Then even a validator bypass cannot write.
Quickstart with the bundled demo database
A docker-compose.yml spins up SQL Server 2022 and seeds a small AppDemo
database (sales.customers / orders / order_items + a view and FKs):
docker compose up -d # start + seed (first run pulls the image)
docker compose logs seed # look for "Seed complete"
.env.example's defaults already point at this database, so:
cp .env.example .env
uv run mcp-sql # or inspect it (see below)
When you're done: docker compose down -v.
The seed also creates a least-privilege
mcp_readerlogin (passwordReader!Pass1). PointMCPSQL_USERNAME/MCPSQL_PASSWORDat it to run mcp-sql with read-only database permissions — the recommended setup.On Apple Silicon the SQL Server image runs under amd64 emulation; first start takes a minute or two.
Run
# Local stdio (default) — how MCP clients usually launch it
uv run mcp-sql
# Remote streamable HTTP
uv run mcp-sql --transport http --host 0.0.0.0 --port 8000
Endpoint authentication is not done here. This server is designed to sit behind an MCP gateway that authenticates callers. Run it only on a network reachable through that gateway (private network / mTLS); for defense in depth bind to loopback and rely on FastMCP's DNS-rebinding (allowed-hosts) protection. The gateway should also strip/overwrite client-supplied connection headers it sets.
Remote: one server, many databases
For a remote deployment the server is not pinned to a single database. The
caller (or gateway) names the database in a request header; the server
resolves that name to a connection. The wire only ever carries the name — never
credentials. Backend chosen by MCPSQL_CONNECTION_BACKEND:
| Backend | Resolves a name via | Use for |
|---|---|---|
static (default) |
the single connection in the settings above | stdio / local / single DB |
map |
MCPSQL_CONNECTIONS JSON ({name: "<ODBC string>"}) |
local/dev multi-DB (no Azure) |
keyvault |
Azure Key Vault secret <prefix><name> → ODBC string |
production |
Request header (default X-MCP-Connection) selects the connection per request:
X-MCP-Connection: analytics → secret "mcpsql-conn-analytics" in Key Vault
Key Vault path (production):
- Store each database's ODBC connection string as a secret named
mcpsql-conn-<name>. Prefer connection strings that useazure_ad/ managed identity so the vault holds no SQL password. - The server authenticates to Key Vault with
DefaultAzureCredential(managed identity in Azure) — setMCPSQL_KEYVAULT_URL. - The connection name is validated against
[A-Za-z0-9-]{1,120}and the fixed prefix, so a header can never address an arbitrary vault secret. AddMCPSQL_CONNECTION_ALLOWLISTto restrict further. - Resolved connections are cached for
MCPSQL_CONNECTION_CACHE_TTLseconds (rotation is picked up on expiry).
Resolved connections are pooled (one connection per operation, via pyodbc's driver-level pool), so a single process serves many databases and many concurrent callers safely.
Use with an MCP client (stdio)
{
"mcpServers": {
"sql": {
"command": "uv",
"args": ["run", "mcp-sql"],
"cwd": "/path/to/mcp-sql"
}
}
}
Inspect manually
npx @modelcontextprotocol/inspector uv run mcp-sql
Runnable examples
See examples/ for working client scripts:
- examples/stdio_client.py — local stdio (spawns the server).
- examples/http_client.py — remote streamable HTTP, selecting the
database per request with the
X-MCP-Connectionheader.
Tools
| Tool | Description |
|---|---|
list_schemas() |
Schemas in the database. |
list_tables(schema?) |
Tables and views. |
describe_table(table, schema?) |
Columns, types, PK, FKs, indexes. |
list_relationships(schema?) |
Foreign-key relationships. |
execute_query(sql, max_rows?) |
Run a validated read-only query. |
Extending to another database
- Add a provider module implementing
DatabaseProvider(src/mcp_sql/providers/base.py). - Register it in
src/mcp_sql/providers/registry.py(one line). - Reuse the existing
AuthStrategytypes, or add new ones undersrc/mcp_sql/auth/. - Add the driver as a new optional extra in
pyproject.toml.
The MCP tool layer and the read-only validator are engine-agnostic and need no changes.
Develop
uv run pytest
The test_safety.py and test_config_auth.py suites need no database.
Install Sql in Claude Desktop, Claude Code & Cursor
unyly install mcp-sqlInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add mcp-sql -- uvx mcp-sqlFAQ
Is Sql MCP free?
Yes, Sql MCP is free — one-click install via Unyly at no cost.
Does Sql need an API key?
No, Sql runs without API keys or environment variables.
Is Sql hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Sql in Claude Desktop, Claude Code or Cursor?
Open Sql on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
wenb1n-dev/SmartDB_MCP
A universal database MCP server supporting simultaneous connections to multiple databases. It provides tools for database operations, health analysis, SQL optim
by wenb1n-devPostgres Server
This server enables interaction with PostgreSQL databases through the Model Context Protocol, optimized for the AWS Bedrock AgentCore Runtime. It provides tools
by madhurprashPostgres
Query your database in natural language
by AnthropicPostgreSQL
Read-only database access with schema inspection.
by modelcontextprotocolCompare Sql with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All data MCPs
