Every "connect your AI agent to a database" tutorial ends the same
way: paste a connection string into a config file. That string now lives on a laptop, in shell history, maybe in a Slack DM to unblock someone on a Friday.
We didn't want that for our own team, so we built db-mcp-gateway a
self-hosted MCP server that sits between agents and databases. The
agent never holds a credential. It authenticates via SSO, the gateway
maps that identity to a YAML-defined grant, and the query runs under
least privilege with a row cap and a statement timeout.
What I want to cover in this post:
- why "just use a read replica" doesn't solve the audit problem
- the three design pillars we didn't compromise on (credentials never leave the gateway, identity end-to-end, config-as-code)
- what we deliberately left out (there's no admin UI that's on purpose)
Full writeup + a real docker pull you can run in five minutes:
https://github.com/developerz-ai/db-mcp-gateway
Tags: #mcp #ai #security #postgresql
Top comments (0)