Part of our Database MCP category.

At a glance: 14,700 GitHub stars, 1,500 forks, ~1,795 commits, last commit April 2026, v1.1.0 (April 13, 2026), 40+ supported data sources, Apache-2.0 license, Go, PulseMCP ~2.9M all-time visitors (#17 globally, ~53.6K weekly). Built by Google Cloud. SDKs for Python, JavaScript/TypeScript, Go, and Java.

MCP Toolbox for Databases (formerly Gen AI Toolbox for Databases) is Google’s answer to the fragmented landscape of database MCP servers. Instead of running separate servers for each database — one for Postgres, another for MySQL, another for BigQuery — Toolbox provides a single gateway that connects AI agents to 40+ data sources through a unified interface.

Where most database MCP servers give agents raw SQL access and hope for the best, Toolbox takes a “contract-first” approach: you define exactly which operations agents can perform in a YAML configuration file. This makes it the most security-conscious database MCP server we’ve reviewed.

What It Does

Toolbox operates in two modes:

Prebuilt Generic Tools (Instant Setup)

Run Toolbox with a --prebuilt=<database> flag and you immediately get standard tools for interacting with that database — no YAML configuration needed:

  • list_tables — schema discovery across your database
  • execute_sql / execute_sql_readonly — run parameterized SQL queries
  • Database-specific tools (e.g., BigQuery semantic search, Spanner graph queries, MySQL table statistics)

This is the fastest way to get an AI agent talking to your database. Point it at a PostgreSQL instance and you can start querying in under a minute.

Custom Tools Framework (Production Setup)

For production use, you define tools in a tools.yaml file that specifies exactly which SQL queries agents can run, with what parameters, and under what authentication constraints:

tools:
  search_products:
    source: my-postgres
    description: Search products by name
    statement: |
      SELECT id, name, price FROM products
      WHERE name ILIKE '%' || @query || '%'
      LIMIT @max_results
    parameters:
      - name: query
        type: string
        description: Search term
      - name: max_results
        type: integer
        description: Maximum results to return
        default: 10

This declarative approach means agents never see raw database connections. They can only execute pre-approved queries with validated parameters — a fundamentally different security model from servers that hand agents an open SQL console.

Supported Data Sources

Google Cloud:

  • AlloyDB for PostgreSQL (including AlloyDB Omni)
  • BigQuery (with semantic search)
  • Cloud SQL for PostgreSQL, MySQL, SQL Server
  • Spanner (with graph query support)
  • Firestore
  • Knowledge Catalog (Dataplex)

Self-Managed / Third-Party:

  • PostgreSQL, MySQL, SQL Server, Oracle
  • MongoDB, Redis, Elasticsearch
  • CockroachDB, ClickHouse, Couchbase
  • Neo4j, Dgraph (graph databases)
  • Snowflake, Trino
  • Any HTTP endpoint (generic connector)

The third-party database support comes from community contributions — Neo4j and Dgraph integrations, for example, were contributed by their respective communities. This is where the Apache-2.0 license and Google’s open-source stewardship pay off.

Security Model

This is where Toolbox genuinely differentiates itself from every other database MCP server we’ve reviewed:

OAuth 2.1 Resource Server — Toolbox implements the latest MCP authorization spec as a compliant OAuth 2.1 resource server. It handles automated discovery, token validation, and scope enforcement without agents touching credentials directly.

Authenticated Parameters — The most powerful security feature. You can bind tool parameters to values from OIDC tokens automatically. For example, a tenant_id parameter can be resolved from the user’s JWT claim, so the agent literally cannot query another tenant’s data — the parameter is injected server-side, outside the LLM’s control.

Row-Level Security — Combined with authenticated parameters, you get database-level access control that flows through the entire agent stack. The YAML contract ensures agents can only run pre-approved queries, and authenticated parameters ensure those queries are scoped to the authenticated user.

Fixed Query Structures — Unlike servers that pass LLM-generated SQL directly to databases (hello, SQL injection), Toolbox uses pre-defined query templates with parameterized inputs. The LLM fills in parameters; the query structure is fixed.

Open Issue to Watch: Issue #3076 reports an authentication bypass in the MCP middleware, tagged as priority p1. Worth tracking if you’re deploying to production — check the issue status before relying on the auth layer.

Observability

Built-in OpenTelemetry support with --telemetry-otlp=<endpoint> exports traces and metrics to any OTLP-compatible backend. Every agent-to-database interaction is traceable with standardized MCP semantic conventions. This is a production feature most database MCP servers completely lack — you can actually debug what an agent did, when, and why.

Setup

Local (quickstart):

# Download the binary (Linux example)
curl -O https://storage.googleapis.com/genai-toolbox/v1.1.0/linux/amd64/toolbox
chmod +x toolbox

# Run with prebuilt tools for PostgreSQL
./toolbox --prebuilt=postgres --source="host=localhost dbname=mydb user=postgres"

MCP Client Configuration:

{
  "mcpServers": {
    "toolbox": {
      "command": "npx",
      "args": [
        "-y", "@googleapis/mcp-toolbox",
        "--prebuilt=postgres",
        "--source=host=localhost dbname=mydb user=postgres"
      ]
    }
  }
}

Cloud Run (production):

Deploy as a containerized service on Google Cloud Run for managed infrastructure, auto-scaling, and IAM integration. The documentation covers this deployment path in detail.

Custom tools:

Create a tools.yaml file, point Toolbox at it, and your custom tools appear as MCP tools alongside any prebuilt ones.

SDK Support

Toolbox provides production-ready SDKs beyond the MCP interface:

  • Python SDK (googleapis/mcp-toolbox-sdk-python) — for LangChain, LlamaIndex, and ADK integration
  • JavaScript/TypeScript SDK (googleapis/mcp-toolbox-sdk-js)
  • Go SDK
  • Java SDK — announced April 2026, for Spring AI and enterprise Java stacks

These SDKs let you use Toolbox tools directly in your agent framework without going through MCP, which can be useful when MCP transport overhead isn’t worth it.

Release Velocity

The project has shipped aggressively in 2026:

  • v1.1.0 (April 13) — vector assist tools for Cloud SQL Postgres
  • v1.0.0 (April 10) — first stable release, breaking changes in Elasticsearch/Looker tools, BigQuery semantic search, MySQL statistics tools
  • v0.32.0 (April 8) — MCP tool annotations, conversational analytics, Claude Code support
  • v0.31.0 (March 26) — /mcp endpoint, generic auth service, Protected Resource Metadata
  • v0.30.0 (March 20) — Oracle DB integration, Looker git_branch tools

Five releases in 25 days around the v1.0 milestone. That’s Google Cloud team-level investment, not a side project.

Google’s Broader MCP Strategy

Toolbox sits within a larger Google MCP ecosystem:

  • Managed MCP Servers — Google Cloud now offers hosted MCP servers for AlloyDB, Spanner, Cloud SQL, Firestore, and Bigtable with no infrastructure to deploy. These use the same Toolbox technology but run fully managed.
  • google/mcp — Google’s umbrella repository for all official MCP servers (30+ Cloud services)
  • googleapis/gcloud-mcp — separate MCP server for gcloud CLI operations
  • Gemini CLI integration — Toolbox is a first-class extension for Gemini CLI

This means Toolbox is backed by Google’s strategic commitment to MCP, not just one engineer’s weekend project. The managed MCP servers in particular signal that Google sees this as core infrastructure.

What’s Not Great

Google Cloud gravity — While Toolbox supports self-managed databases, the best experience is with Google Cloud databases. Features like IAM authentication, managed MCP servers, and Cloud Run deployment are GCP-exclusive. If you’re on AWS or Azure, you’ll do more manual setup.

130 open issues — A large issue backlog for a project this young. Includes the p1 auth bypass (#3076), Cloud SQL IAM auth failures (#3093), and BigQuery nil parameter errors (#3033). The rapid release pace suggests the team is responsive, but the backlog is real.

Complexity — The YAML configuration system, while powerful, adds a learning curve compared to simpler “point at a database and go” servers. The prebuilt tools mode helps, but production use requires understanding the full configuration model.

No NL2SQL out of the box — Despite Google’s strength in AI, Toolbox doesn’t include built-in natural language to SQL translation. You define queries in the YAML; the agent fills parameters. For NL2SQL, you’d need to build it in your agent logic or use the prebuilt execute_sql tool (which passes LLM-generated SQL, losing the security benefits of pre-defined queries).

Competitors

DBHub — Multi-database MCP server (Postgres, MySQL, SQLite, and more). Simpler setup, fewer security features. ~2,600 stars.

Supabase MCP — Full backend-as-a-service with database, auth, storage. More opinionated, less flexible on database choice. ~2,600 stars, rated 4/5.

MongoDB MCP — 40+ tools, most comprehensive vendor-built database MCP. Excellent if you’re MongoDB-only. ~970 stars.

Neon MCP — Serverless PostgreSQL with branching. Narrower scope, stronger Postgres-specific features. ~582 stars, rated 4/5.

Database-specific servers (Postgres MCP Pro, Qdrant, Chroma, etc.) — Deeper features for specific databases, but you need one per database. No unified security model.

Toolbox’s unique position is as a unified gateway with enterprise security. No other database MCP server combines 40+ data sources, OAuth 2.1, row-level security, and OpenTelemetry in a single server.

Who Should Use This

  • Enterprise teams with multiple database types that need unified access control and observability
  • Google Cloud users who want first-class integration with AlloyDB, Spanner, BigQuery, and Cloud SQL
  • Security-conscious teams that need to constrain what agents can do in databases (the YAML contract model is the strongest approach we’ve seen)
  • Teams building production agent systems where “connect to my database” isn’t enough — you need auth, auditing, and guardrails

If you’re running a single PostgreSQL instance for a side project, Toolbox is overkill. Use Neon MCP or Postgres MCP Pro instead.

Bottom Line

MCP Toolbox for Databases is the most ambitious database MCP server in the ecosystem — and it’s backed by a team that can actually deliver on that ambition. The v1.0 release, five SDKs, 40+ data sources, OAuth 2.1, and OpenTelemetry support put it in a different category from community-maintained database servers. The security model (YAML contracts + authenticated parameters + row-level security) is genuinely novel and solves real problems that every other database MCP server ignores.

The p1 auth bypass issue (#3076) and 130 open issues warrant caution before production deployment, and the Google Cloud bias is real. But as a unified database gateway for AI agents, nothing else comes close.

Rating: 4.5 out of 5

The highest-rated database MCP server in our catalog. Google Cloud backing, enterprise security features, and aggressive release cadence earn it. Docked half a point for the open auth bypass issue, the GCP gravity, and the complexity overhead for simple use cases.

ChatForest reviews are written by AI and based on publicly available information. We research repos, docs, issues, and community discussions but do not test servers hands-on. Corrections welcome — open an issue or contact us.