Database to MCP

Publish database scopes as safe MCP tools

Database to MCP lets AI clients inspect approved schema metadata and execute validated queries through the Gateway. PostgreSQL and SQL Server scopes stay bounded by published tables, column permissions, and conservative execution policies.

PostgreSQLSQL ServerQueryPlanSQL validationSchema tools

app.swaggertomcp.com/databases/acme/scopes/support

Swagger to MCP

Database scope publishing

Live MCP

support_readonly

PostgreSQL · 4 tables · 28 columns

QueryPlan

customers

9 columns · PII blocked

orders

8 columns · Read-only

tickets

7 columns · Scoped

Gateway validation

Scope, table, column, and read-only checks

Schema tool
metadata only
QueryPlan
validated
Executor
approved scope

Recent audit

query_support_scope · allowed columns only

schema_customers · returned metadata

Security model

Expose database context without exposing the database

AI clients need schema context to answer useful questions, but raw database access creates risk. Database to MCP separates metadata discovery from validated execution.

Schema first

AI clients can call schema tools to understand allowed tables, columns, relationships, and operations before proposing a query.

Validated execution

QueryPlan mode generates provider-specific SQL after validation. SQL mode is advanced and conservative by default.

Auditable query traffic

Execution logs store redacted request details and avoid persisting raw secrets or connection string values.

Use cases

Give AI agents governed database access

Use Database to MCP for reporting, internal operations, and controlled analytics where AI needs structured data access.

Operational reporting

Let assistants answer questions over approved sales, support, finance, or inventory scopes without crossing schema boundaries.

Internal analytics

Publish safe read-only scopes for teams that need natural language access to approved database domains.

Agent workflows

Combine database schema tools with OpenAPI tools so an agent can inspect context and then call the right business operation.

Database controls

What Database to MCP exposes

Database to MCP is designed to expose useful structure and controlled execution without turning an AI client into a direct database user.

Database featureGateway behavior
Schema toolsSchema tools never return database rows. They return approved metadata such as tables, columns, keys, relationships, permissions, and allowed operations.
QueryPlan modeQueryPlan mode is the recommended executor mode. The Gateway validates the plan, then generates provider-specific SQL for the approved scope.
SQL modeSQL mode is advanced and conservative by default. It is validated before execution and is not published together with QueryPlan mode for the same scope.
Column permissionsExecutors can only use columns published in the current scope. Sensitive columns are restricted by scope-based permission policy.
Audit logsExecution logs support observability while avoiding raw secrets, connection strings, and sensitive request values.
Scope isolationCross-database, cross-schema, cross-scope, and cross-owner access is forbidden by Gateway validation.

Security rules

Database access remains governed

The database flow follows explicit security rules so AI systems can understand the shape of the data without receiving unrestricted access.

Metadata-only schema tools

Schema tools never return database rows. They describe allowed tables, columns, keys, relationships, permissions, and operations.

Validated executors

Every database executor call is validated by the Gateway before execution. LLMs and orchestration frameworks may propose a plan or SQL candidate, but they are not trusted as the security boundary.

One executor mode per scope

QueryPlan mode and SQL mode executor tools are never published at the same time for one database scope.

Scope and column boundaries

Executor tools can only use tables and columns published in the current scope, and scope-based column permission is mandatory.

Workflow

From source to MCP endpoint

The Gateway keeps source discovery, publishing, execution, and monitoring separated so the AI-facing surface stays controlled.

  1. Step 1

    Connect PostgreSQL or SQL Server

    Save the database connection in the Gateway. Connection strings are protected and not returned after save.

  2. Step 2

    Publish a scope

    Choose the database, schema, or business domain scope and publish only the tables and columns AI clients may use.

  3. Step 3

    Validate every query

    Use QueryPlan or SQL executor tools that enforce scope, relationship, column permission, and read-only policy before execution.

FAQ

Common questions

Short answers for teams comparing MCP adapters, API gateways, and database access for AI agents.

Do schema tools return database rows?

No. Schema tools are metadata-only. They describe tables, columns, keys, relationships, permissions, and allowed operations without returning data row payloads.

Can QueryPlan and SQL executor tools be published together?

No. One scope publishes either QueryPlan mode or SQL mode executor tools, never both at the same time.

Who enforces database permissions?

The Gateway enforces scope and column permissions before execution. LLMs and orchestration layers may propose a plan, but they are not trusted as the security boundary.

What is QueryPlan mode?

QueryPlan mode is the recommended database executor mode. The client submits a structured plan, the Gateway validates tables, columns, relationships, limits, and policy rules, then generates provider-specific SQL for the approved scope.

How is SQL mode different from QueryPlan mode?

QueryPlan mode uses a structured request that is easier to validate conservatively. SQL mode accepts SQL candidates for advanced use cases, but it is still validated before execution and is not published together with QueryPlan mode for the same scope.

How are sensitive columns blocked?

Published database scopes include column-level permissions. Executor tools can only use columns allowed in the current scope, and sensitive or unpublished columns are blocked by Gateway validation.

Can a query cross schemas, databases, scopes, or owners?

No. Cross-database, cross-schema, cross-scope, and cross-owner access is forbidden by Gateway validation. Executor tools stay inside the published scope and its approved tables, columns, and relationships.

Which databases are supported?

Database to MCP is designed for PostgreSQL and SQL Server scopes. The Gateway keeps provider behavior explicit so validation and SQL generation can remain conservative.

Is the database connection string shown after save?

No. Connection strings are protected by the Gateway and are not returned after save. Public docs, LLM-readable files, and logs must not expose connection string values.

Can Gateway Chat query a database scope?

Yes. Published database scopes can be selected in Gateway Chat when the scope is active, has published tables, and uses a supported executor mode. Chat uses schema tools for context and follows Gateway validation before execution.