An MCP server for Postgres that does not hand the LLM a blank check.
A Postgres MCP server for Claude Code and Cursor that is read-only by default, scoped to one connection, and project-aware via your ORM schema.
QueryDeck ships a built-in MCP server for PostgreSQL, MySQL, SQLite, MongoDB, and Redis. One config block exposes your database as typed tools for Claude Code, Cursor, and any MCP client. Read-only by default, scoped to one connection, project-aware via your ORM schema.
Native macOS. Local stdio. No telemetry. $79 once.
An MCP (Model Context Protocol) server lets LLM clients like Claude Code and Cursor call typed tools instead of guessing at your data. The QueryDeck Postgres MCP server is the same MCP server you would expect from a database tool, with one design choice that I made deliberately: it is not a single run_sql(query) escape hatch.
Most database MCP servers expose one giant tool that takes arbitrary SQL. That puts the entire safety story on the model. If Claude misreads your intent or hallucinates a DELETE, you have no defense in depth. The QueryDeck server splits the surface into a dozen narrow tools (list_tables, describe_table, get_row, run_select, count_where, explain_plan, ...) plus a guarded run_write that requires Touch ID on every call.
The result: reads feel frictionless (you ask Cursor a question about your data, it answers), and writes feel like writes (you actually approve them). That is the trade I want as someone who runs this thing against my own production databases.
- A local process, spawned by QueryDeck, talking stdio to your MCP client
- A set of typed tools the model can call (introspection, reads, guarded writes)
- Scoped to one connection per server instance
- Aware of your ORM schema if QueryDeck found one in the project
- A hosted service. Your credentials and queries never leave the Mac.
- A single run_sql tool with no constraints
- A way to bypass the QueryDeck connection guards (Touch ID, prod tagging)
- Locked behind a separate price. It is in the $79 Standard license.
In QueryDeck, open the connection you want to expose, open the Connection menu, and pick Enable MCP server. QueryDeck writes a config snippet to your clipboard for your client of choice. The snippet for Claude Code looks like this:
{
"mcpServers": {
"querydeck-orders-prod": {
"command": "qdeck",
"args": ["mcp", "--connection", "orders-prod"],
"env": {
"QDECK_READONLY": "true"
}
}
}
}For Cursor, the format is similar but lives in ~/.cursor/mcp.json. The connection name (orders-prod) matches what you named the connection in QueryDeck. The command is the qdeck CLI that ships with the app. QDECK_READONLY locks the server to read tools only, even if the underlying connection has write permissions.
That is it. Restart your MCP client. Claude Code or Cursor will discover the new tools automatically and start using them when you ask questions about the database.
stdio (local)
12 read + 2 write
sub-50ms per tool call
List tables in the orders schema
“Show me all the tables in the orders schema, sorted by row count.”
list_tables(schema: "orders", sort: "rows_desc")
13 tables: line_items (4.2M), orders (1.8M), shipments (1.1M), refunds (380K), ...
Find the slowest queries on a table
“What were the 5 slowest queries on the orders table in the last 24h?”
run_select(query: "SELECT query, mean_exec_time ... pg_stat_statements WHERE query LIKE '%orders%' ORDER BY mean_exec_time DESC LIMIT 5")
Returns 5 rows with mean_exec_time, calls, and the query text. The model can then call explain_plan on the worst one.
Why is this query slow?
“Run EXPLAIN ANALYZE on the orders dashboard query and tell me what to fix.”
explain_plan(query: "...")
Returns the JSON plan plus the model's read of it: Seq Scan on line_items (cost=0..43k), suggested index on (order_id, created_at).
Apply a fix (requires Touch ID)
“Add the index you suggested.”
run_write(query: "CREATE INDEX CONCURRENTLY ...") → Touch ID prompt → confirm modal in QueryDeck
Index created. The CREATE statement and the resulting row count are appended to the QueryDeck query history for audit.
Reads do not need approval. Writes always do.
The MCP server exposes run_select, count_where, explain_plan, and the introspection tools without confirmation. The model can browse your data freely. Anything that mutates (run_write, run_ddl) is behind a separate tool that requires Touch ID and surfaces a diff modal in the QueryDeck UI before executing.
One MCP server, one database connection.
Each connection in QueryDeck spawns its own MCP server instance, with its own tool surface scoped to that connection's schema. The model literally cannot see tables in another database. If you have a staging Postgres and a prod Postgres, they are two distinct MCP servers and two distinct Cursor configs.
Prod connections light up red and require extra steps.
When a connection is tagged production, even read queries surface a banner in the response (so the model knows it is reading from prod). Writes require Touch ID plus a confirm click. The connection itself stays color-coded red across the QueryDeck UI so you cannot fat-finger it.
QueryDeck's MCP inspector shows every tool call from the model live, with the SQL it ran, the rows it touched, and the latency.
Why most database MCP servers are wrong
An opinionated take on why one-tool run_sql servers are a footgun, and what a project-aware MCP server should look like.
Read the essay →Drift Mode: catch schema drift before prod
QueryDeck compares your Prisma or Drizzle schema against the live database and surfaces every divergence. The MCP server can call into the same parser.
See Drift Mode →What is the Model Context Protocol (MCP)?
MCP is an open protocol from Anthropic that lets LLM clients call structured tools instead of asking the model to imagine API responses. An MCP server exposes a set of tools (functions with typed inputs and outputs). When you wire Claude Code, Cursor, or Claude Desktop to an MCP server, the model can call those tools directly. For a database, MCP turns the LLM from a text generator into something that can introspect schemas and run queries against your actual data.
How is QueryDeck's Postgres MCP server different from running raw SQL through an MCP wrapper?
Most MCP database servers expose one tool: run_sql(query). That puts the entire safety story on the model. QueryDeck splits it into typed tools (list_tables, describe_table, get_row, run_select, count_where, explain_plan) and a guarded run_write that requires Touch ID. The model never gets a blank check on your database. Read the longer write-up on why this matters.
Does the QueryDeck MCP server require an internet connection?
No. The MCP server runs as a local process on your Mac. Claude Code, Cursor, and Claude Desktop talk to it over stdio, the same way they talk to filesystem or git MCP servers. Your database credentials never leave your machine, and the queries never transit a third party.
Can I use the MCP server with Cursor and Claude Code at the same time?
Yes. The QueryDeck MCP server is just a process. Both Cursor and Claude Code can spawn their own instance pointed at the same connection. They will not conflict because each reads from its own stdio channel. The QueryDeck app itself can stay running with its UI open while the MCP server is in use.
What about MySQL, SQLite, MongoDB, and Redis?
The same MCP server backend speaks all five engines. The tool names stay the same (list_tables, describe_table, run_select, etc.); the underlying queries adapt. For MongoDB and Redis the semantics shift slightly: list_collections and list_keys replace list_tables, and run_select takes a Mongo filter or a Redis pattern instead of SQL.
Is the MCP server read-only by default?
Yes. The default tool surface is read-only. Writes require a Touch ID gate per session, plus an explicit confirm prompt in the QueryDeck UI for any production-tagged connection. The goal is to make destructive operations conscious choices, not a thing that happens because the model misread your intent.
Do I need a paid Claude or Cursor plan for this to work?
MCP works on any plan that supports it. As of 2026, Claude Code, Cursor, Claude Desktop, and several IDE plugins ship MCP client support out of the box. QueryDeck does not gate its MCP server behind a separate price; it is included in the $79 Standard and $149 Lifetime licenses.
Wire your Postgres into Claude Code in 2 minutes.
The database client that knows your project. $79 one-time. All your Macs.