What MCP tools does the StackQL server expose?

Discovery tools (list_providers, list_services, list_resources, list_methods, describe_resource, describe_method), registry tools (list_registry, pull_provider), validation (validate_select_query), execution (run_select_query, run_mutation_query, run_lifecycle_operation), and server_info. The enabled_tools allowlist can narrow this set, for example to publish a read-only inventory server.

How are agent mutations kept safe?

By the server mode. The default safe mode allows SELECT and metadata calls but requires human approval (via the MCP elicitation flow) for INSERT, UPDATE, DELETE, and EXEC. read_only refuses mutations outright; delete_safe allows create/update but gates deletes; full_access allows everything. Every tool call is written to a JSONL audit log, on by default.

Which transports are supported?

stdio for editor-embedded clients (Claude Desktop, Cursor, Continue), HTTP for standalone agents, and a reverse-proxy mode that dispatches MCP requests to a backing StackQL PostgreSQL server, with optional TLS.

How to use StackQL with AI agents

StackQL ships a built-in Model Context Protocol (MCP) server. Any MCP-capable agent - Claude, Cursor, Continue, or a custom agent framework - connects to it and gains a self-describing, governed SQL interface to every cloud and SaaS provider in the StackQL registry.

Steps

Set provider credentials as environment variables before starting the server (the server inherits them):

export AWS_ACCESS_KEY_ID=YOURACCESSKEYID
export AWS_SECRET_ACCESS_KEY=YOURSECRETACCESSKEY

Start the MCP server. For a standalone HTTP server:

stackql mcp \
  --mcp.server.type=http \
  --mcp.config '{"server": {"transport": "http", "address": "127.0.0.1:9912"}}'

For editor-embedded clients, use --mcp.server.type=stdio and let the client launch the process (see How to use StackQL with Claude). To serve MCP and the PostgreSQL wire protocol from one process, use stackql srv with the same MCP flags plus --pgsrv.port.

Choose a safety mode. The mode is set in the server config and gates what agents can do:

Mode	SELECT / metadata	INSERT / UPDATE	DELETE	EXEC
`read_only`	allow	refuse	refuse	refuse
`safe` (default)	allow	needs approval	needs approval	needs approval
`delete_safe`	allow	allow	needs approval	needs approval
`full_access`	allow	allow	allow	allow

"Needs approval" uses the MCP elicitation flow: the client shows the user the pending SQL and the user accepts or declines. Pin read_only for inventory agents; reserve full_access for trusted pipelines with a reviewed audit log.

Let the agent discover, then query. A typical agent session: server_info once, then list_providers -> list_methods (which reveals required WHERE parameters) -> validate_select_query -> run_select_query:

SELECT name, language, stargazers_count
FROM github.repos.repos
WHERE org = 'stackql';

The agent never loads an SDK; the schema is discovered at runtime and the query is plain SQL.

Auditing

Every tool call writes one JSONL record - timestamp, tool, mode, decision, query class, SQL, duration - to a file sink with rotation. Audit is on by default and records what the agent did (not result rows). In the default strict failure mode, a failed audit write surfaces as an error rather than letting an unaudited mutation slip through.

How to use StackQL with Claude - Claude Desktop configuration
StackQL MCP Architecture - transports, modes, and audit internals
StackQL vs Custom MCP Servers - when to build instead
What is Agentic Infrastructure? - the pattern this enables
Why SQL is a Strong Interface for Cloud APIs - why agents and SQL fit

Steps​

Auditing​

Related concepts​

Steps

Auditing

Related concepts