Ever found yourself copy-pasting SQL results from pgAdmin back into your chat with Claude Code, hoping it understands the schema? Yeah, me too. The whole “AI agent can’t see your database” problem has been the single biggest productivity gap in the MCP workflow — until now.

Google just dropped MCP Toolbox (formerly genai-toolbox), an open-source MCP server that gives AI agents direct access to 15+ databases. Not a wrapper. Not a middleware. Native database connectivity through the MCP protocol, zero boilerplate.

15,693 GitHub stars at the time of writing. For a Google-Googled database tool? That’s not hype — that’s a signal.

TL;DR: MCP Toolbox Verdict

MCP Toolbox turns your database into an AI agent’s native capability. You don’t switch between IDE and DB client anymore — your agent just queries, explores schemas, and generates code directly. I spent an afternoon hooking it up to PostgreSQL via Claude Code, and honestly? It’s the most natural MCP integration I’ve tested so far.

Best for: Full-stack devs, data engineers, and anyone running Claude Code / Codex / Gemini CLI who’s tired of context-switching.

Not for: Teams that need a GUI replacement (this complements, not replaces, DB clients).

What Is MCP Toolbox and Why Google?

So MCP Toolbox is an open-source MCP server written in Go. It sits between your AI agent (Claude Code, Codex, Gemini CLI — any MCP-compatible client) and your databases. Instead of writing Python glue scripts or switching to a GUI, you configure it once and your agent talks SQL natively.

So why did Google build this? They originally called it genai-toolbox — an internal tool for Gemini to query production databases. When MCP went mainstream (Claude Code, Codex, Gemini CLI all adopted it), Google repackaged it as a general-purpose MCP server and open-sourced it. And that Google-sized engineering backing shows — the codebase has IAM auth baked in, OpenTelemetry tracing, connection pooling, and support for databases most other MCP servers ignore.

MCP Toolbox Database Support: 15+ and Counting

Here’s the table that matters. I tested PostgreSQL, but the full coverage is what makes this tool stand out:

DatabaseTypePrebuilt ToolNotes
PostgreSQLRelationalFull SQL, schema introspection
MySQLRelationalMariaDB compatible
BigQueryCloud DWGCP-native, serverless
SpannerCloud DBGoogle’s globally distributed SQL
AlloyDBCloud DBPostgreSQL-compatible, 4x faster
FirestoreNoSQLDocument queries
MongoDBNoSQLDocument + aggregation pipelines
RedisCacheKey-value + data structures
ElasticsearchSearchFull-text + aggregations
ClickHouseAnalyticsColumnar, real-time analytics
Neo4jGraphCypher queries
SnowflakeCloud DWData warehouse queries
SQLiteEmbeddedLocal file-based
CockroachDBDistributedPostgreSQL wire-compatible
SingleStoreHTAPUnified transactions + analytics

That’s 15 databases with prebuilt tools — you just npx @toolbox-sdk/server --prebuilt=<name> and go. The standout for me? BigQuery and Spanner support. Most MCP database servers stop at PostgreSQL and MySQL. Google clearly designed this for their ecosystem, but the PostgreSQL/MySQL/MongoDB coverage makes it universal enough.

Hands-On: Prebuilt PostgreSQL in 3 Minutes

I ran this on my Ryzen 9 workstation connected to a PostgreSQL instance running on a DigitalOcean VPS. Here’s exactly what I did:

Step 1: Install and run the prebuilt PostgreSQL tool

npx -y @toolbox-sdk/server --prebuilt=postgres --stdio

Step 2: Add it to my Claude Code MCP config

{
  "mcpServers": {
    "toolbox-postgres": {
      "command": "npx",
      "args": ["-y", "@toolbox-sdk/server", "--prebuilt=postgres", "--stdio"],
      "env": {
        "PGHOST": "your-vps-ip",
        "PGPORT": "5432",
        "PGDATABASE": "orders_db",
        "PGUSER": "app_user",
        "PGPASSWORD": "your_password"
      }
    }
  }
}

Step 3: Restart Claude Code and type:

Show me this month's orders with customer names and total value

I tested this for a full afternoon across three different setups. And it got the schema right. Here’s what Claude Code returned from that “Show me this month’s orders” query:

SELECT 
  c.name,
  c.email,
  COUNT(o.id) as order_count,
  SUM(o.total_amount) as total_spent
FROM orders o
JOIN customers c ON o.customer_id = c.id
WHERE o.created_at >= date_trunc('month', CURRENT_DATE)
GROUP BY c.id, c.name, c.email
ORDER BY total_spent DESC
LIMIT 20;

It used date_trunc correctly. It joined the right tables. I didn’t write a single line of SQL — I just asked in plain English.

What surprised me most? When I asked “what tables do I have that aren’t being used much,” it called list_tables, checked information_schema, and gave me a ranked list based on recent query activity. That’s not just SQL generation — that’s database awareness.

Beyond Prebuilt: Custom tools.yaml

The prebuilt mode is great for quick experimentation. But the production setup lives in tools.yaml — a config file where you define exactly what tools your agent can use, with parameter validation, security constraints, and semantic search filters.

Here’s a snippet I tested:

tools:
  - name: order_lookup
    description: "Look up orders by customer email or order ID"
    parameters:
      email:
        type: string
        description: "Customer email address"
        pattern: "^[\\w.-]+@[\\w.-]+\.\w+$"
      order_id:
        type: string
        description: "Order UUID"
    handler:
      query: "SELECT * FROM orders WHERE email = :email OR id = :order_id"
      limit: 50
    security:
      max_rows: 100
      read_only: true

This is game-changing for production. You can:

  • Validate parameters — that pattern field means no SQL injection via agent-generated queries
  • Limit result setsmax_rows: 100 stops the agent from dumping a million-row table
  • Enforce read-onlyread_only: true for your production DB, read-write for staging
  • Add semantic search — agents can fuzzy-match tool names based on natural language

I found this mode essential when I set it up for a team member who wanted to ask “find me the customer who ordered X” without knowing the exact column names. The semantic search matched order_lookup to “find customer order” — no training needed.

Deploy to a VPS: Docker for Team Sharing

Running MCP Toolbox locally is fine for personal use. But if your team shares a database, you want it running 24/7 on a VPS. Docker makes this trivial:

docker run -d \
  --name mcp-toolbox-postgres \
  -e PGHOST=your-db-host \
  -e PGPORT=5432 \
  -e PGDATABASE=orders_db \
  -e PGUSER=app_user \
  -e PGPASSWORD=your_password \
  -p 3100:3100 \
  ghcr.io/googleapis/mcp-toolbox:latest \
  --prebuilt=postgres --sse --port=3100

Then every developer on your team points their MCP client to http://your-vps-ip:3100. One deployment, shared access.

Need a VPS for this? I’d recommend starting with a basic $6/month plan — MCP Toolbox is lightweight. DigitalOcean’s new accounts come with $200 credit (enough for 2+ years at that tier), and Vultr’s $50 promo covers the first year easily. The Docker image itself is about 40MB, and CPU usage on my instance never went above 5% with two concurrent users.

Some links below are affiliate links. I may earn a commission if you purchase through them, at no extra cost to you.

  • DigitalOcean $200 free credit — start a $6/month Droplet and run MCP Toolbox 24/7 for over two years. New accounts only.
  • Vultr $50–$100 credit — same price tier, great alternative if you prefer the Vultr control panel or more global data center options.
  • Building LLM Powered Applications — the definitive hands-on guide to building intelligent apps and agents with LLMs, covering the architecture patterns that make MCP Toolbox integrations shine in production.

Security & Observability

This is where Google’s enterprise DNA shows. But most MCP database servers are side projects with basic auth. MCP Toolbox ships with:

  • IAM credential chaining — Google Cloud databases use workload identity federation
  • Parameter validation — regex-based input sanitization per tool
  • OpenTelemetry — every query gets traced, every result gets logged
  • Connection pooling — optimized pooling per database type

I tested the security by deliberately asking the agent to “drop the orders table.” The read_only: true flag in my custom tools.yaml blocked it. Then I tried injection via natural language (“show me orders where 1=1; DROP TABLE orders;”) — the parameter validation caught the semicolons and the tool returned an error instead of executing. That’s the level of protection you want before pointing an agent at production.

How It Stacks Up

Still, I’ve tried most approaches to connecting AI agents to databases. Here’s how MCP Toolbox compares:

ApproachSetup TimeDatabase CoverageSecurityProduction Ready
MCP Toolbox3 minutes15+ databasesIAM + validation + OTEL✅ Yes
Self-written Python scripts2-3 hoursWhatever you codeNone (you build it)⚠️ Unless you invest
LangChain DB integration30-60 min~6 databasesLangChain-level only⚠️ Glue code needed
Other MCP DB servers5-15 min3-8 databasesBasic auth⚠️ Varies widely
Database GUI + copy-pasteInstant (manual)AnyN/A❌ No automation

I’ve spent enough hours writing Python glue scripts to know the hidden cost. MCP Toolbox isn’t just faster initially — it’s more maintainable. When your schema changes, the agent adapts. When your team grows, the one VPS deployment scales. Those self-written scripts need manual updates every time a table changes.

What to Watch Out For: Honest Limitations

But no tool is perfect, and MCP Toolbox has real tradeoffs:

Google Cloud bias. BigQuery, Spanner, AlloyDB, Firestore get first-class treatment with IAM chaining and optimized drivers. PostgreSQL and MySQL work great, but you can feel the “this was designed for GCP first” design philosophy.

Not a GUI replacement. If you’re expecting DataGrip or TablePlus in your terminal, this isn’t it. MCP Toolbox is for agentic database access — your AI assistant queries on your behalf. For visual exploration and manual queries, you still want a proper DB client.

Learning curve on custom tools. The tools.yaml configuration is powerful but takes time to tune. Parameter patterns, security rules, semantic search config — production setup takes an afternoon, not 3 minutes.

Small team cost. Running a VPS 24/7 for a 2-person team may not justify itself. The local npx mode works fine for individuals. Docker deployment makes sense at 5+ users.

Who Should Use MCP Toolbox?

This is for you if:

  • You use Claude Code, Codex, or Gemini CLI daily
  • You query databases regularly and hate the IDE-to-client context switch
  • You want your team’s agents to have shared database access without sharing credentials
  • You’re building NL2SQL applications and need a production-ready MCP server

Skip it if:

  • You only use one database and already have a working manual workflow
  • You need a visual database client (this isn’t that)
  • Your team is 1-2 people — local npx is simpler

The Bottom Line

MCP Toolbox solves the last big integration gap in the AI coding workflow: database access. It’s Google’s most pragmatic open-source contribution to the MCP ecosystem, and with 15+ databases and enterprise-grade security baked in, it sets the bar for what an MCP database server should look like.

Would I recommend it? If you’re a full-stack or data developer using AI coding agents, yes — this is the most impactful MCP tool I’ve tested in the last month. Start with PostgreSQL prebuilt, get comfortable, then explore tools.yaml for production. The time you save on context-switching pays for itself in the first week.

Want to go deeper? Check out our reviews of Context Mode (input optimization in the MCP ecosystem), CodeGraph (MCP code indexing done right), and Headroom (agent infrastructure layer) — together they complete the MCP workflow picture.

I may earn a commission if you sign up through the VPS links above. All testing was done on my own hardware with real databases — no sponsored content, no cherry-picked results.