Schema first
AI clients can call schema tools to understand allowed tables, columns, relationships, and operations before proposing a query.
Database to MCP
Database to MCP lets AI clients inspect approved schema metadata and execute validated queries through the Gateway. PostgreSQL and SQL Server scopes stay bounded by published tables, column permissions, and conservative execution policies.
app.swaggertomcp.com/databases/acme/scopes/support
Swagger to MCP
support_readonly
PostgreSQL · 4 tables · 28 columns
customers
9 columns · PII blocked
orders
8 columns · Read-only
tickets
7 columns · Scoped
Gateway validation
Scope, table, column, and read-only checks
Recent audit
query_support_scope · allowed columns only
schema_customers · returned metadata
Security model
AI clients need schema context to answer useful questions, but raw database access creates risk. Database to MCP separates metadata discovery from validated execution.
AI clients can call schema tools to understand allowed tables, columns, relationships, and operations before proposing a query.
QueryPlan mode generates provider-specific SQL after validation. SQL mode is advanced and conservative by default.
Execution logs store redacted request details and avoid persisting raw secrets or connection string values.
Use cases
Use Database to MCP for reporting, internal operations, and controlled analytics where AI needs structured data access.
Let assistants answer questions over approved sales, support, finance, or inventory scopes without crossing schema boundaries.
Publish safe read-only scopes for teams that need natural language access to approved database domains.
Combine database schema tools with OpenAPI tools so an agent can inspect context and then call the right business operation.
Database controls
Database to MCP is designed to expose useful structure and controlled execution without turning an AI client into a direct database user.
| Database feature | Gateway behavior |
|---|---|
| Schema tools | Schema tools never return database rows. They return approved metadata such as tables, columns, keys, relationships, permissions, and allowed operations. |
| QueryPlan mode | QueryPlan mode is the recommended executor mode. The Gateway validates the plan, then generates provider-specific SQL for the approved scope. |
| SQL mode | SQL mode is advanced and conservative by default. It is validated before execution and is not published together with QueryPlan mode for the same scope. |
| Column permissions | Executors can only use columns published in the current scope. Sensitive columns are restricted by scope-based permission policy. |
| Audit logs | Execution logs support observability while avoiding raw secrets, connection strings, and sensitive request values. |
| Scope isolation | Cross-database, cross-schema, cross-scope, and cross-owner access is forbidden by Gateway validation. |
Security rules
The database flow follows explicit security rules so AI systems can understand the shape of the data without receiving unrestricted access.
Schema tools never return database rows. They describe allowed tables, columns, keys, relationships, permissions, and operations.
Every database executor call is validated by the Gateway before execution. LLMs and orchestration frameworks may propose a plan or SQL candidate, but they are not trusted as the security boundary.
QueryPlan mode and SQL mode executor tools are never published at the same time for one database scope.
Executor tools can only use tables and columns published in the current scope, and scope-based column permission is mandatory.
Workflow
The Gateway keeps source discovery, publishing, execution, and monitoring separated so the AI-facing surface stays controlled.
Step 1
Save the database connection in the Gateway. Connection strings are protected and not returned after save.
Step 2
Choose the database, schema, or business domain scope and publish only the tables and columns AI clients may use.
Step 3
Use QueryPlan or SQL executor tools that enforce scope, relationship, column permission, and read-only policy before execution.
FAQ
Short answers for teams comparing MCP adapters, API gateways, and database access for AI agents.
No. Schema tools are metadata-only. They describe tables, columns, keys, relationships, permissions, and allowed operations without returning data row payloads.
No. One scope publishes either QueryPlan mode or SQL mode executor tools, never both at the same time.
The Gateway enforces scope and column permissions before execution. LLMs and orchestration layers may propose a plan, but they are not trusted as the security boundary.
QueryPlan mode is the recommended database executor mode. The client submits a structured plan, the Gateway validates tables, columns, relationships, limits, and policy rules, then generates provider-specific SQL for the approved scope.
QueryPlan mode uses a structured request that is easier to validate conservatively. SQL mode accepts SQL candidates for advanced use cases, but it is still validated before execution and is not published together with QueryPlan mode for the same scope.
Published database scopes include column-level permissions. Executor tools can only use columns allowed in the current scope, and sensitive or unpublished columns are blocked by Gateway validation.
No. Cross-database, cross-schema, cross-scope, and cross-owner access is forbidden by Gateway validation. Executor tools stay inside the published scope and its approved tables, columns, and relationships.
Database to MCP is designed for PostgreSQL and SQL Server scopes. The Gateway keeps provider behavior explicit so validation and SQL generation can remain conservative.
No. Connection strings are protected by the Gateway and are not returned after save. Public docs, LLM-readable files, and logs must not expose connection string values.
Yes. Published database scopes can be selected in Gateway Chat when the scope is active, has published tables, and uses a supported executor mode. Chat uses schema tools for context and follows Gateway validation before execution.