AI2SQL GATEWAY · MCP · READ-ONLY BY DEFAULT
Safe database access
for AI agents
Your team already uses Claude, Cursor and ChatGPT. AI2SQL Gateway lets those agents query your database through one governed MCP endpoint — read-only, rate-limited, fully logged, and revocable in one click.
PostgreSQL live today · MySQL rolling out — no local install, nothing to self-host
THE PROBLEM
Agents are ready for your database. Your database isn't ready for agents.
Raw MCP servers run anything
Most database MCP servers execute whatever SQL the model produces — one hallucinated
UPDATE
away from a bad day.
Credentials in config files
The typical setup pastes your production password into a local JSON file on every developer's laptop. That's the opposite of access control.
No audit trail
When an agent queries production, someone will eventually ask what it ran and when. Without a log, you can't answer.
HOW IT WORKS
From zero to a governed agent connection in minutes
Connect your database
Add your PostgreSQL connection in the AI2SQL dashboard. Credentials are encrypted and stay server-side.
Get your gateway key
Generate an API key for your agent. The key is scoped to your account, metered, and revocable at any time.
Paste one config into your agent
Claude Code, Claude Desktop, Cursor or ChatGPT — one MCP config and your agent can explore the schema and run governed, read-only queries.
$ claude mcp add --transport http ai2sql \
https://builder.ai2sql.io/api/mcp \
--header "x-ai2sql-key: $AI2SQL_KEY" ✓ ai2sql connected — 3 tools available
run_query · describe_schema · list_connections GUARDRAILS
What "safe" actually means here
Not a policy document — enforcement in the request path, on every single query.
Read-only by default
Every statement is classified before it runs. INSERT, UPDATE, DELETE, DDL and dangerous functions are blocked at the gateway — and queries execute inside a read-only transaction as a second layer.
Row limits & timeouts
Results are capped (LIMIT applied automatically) and every query runs with a hard statement timeout, so a runaway agent can never lock up or drain your database.
Every query logged
Each tool call is recorded — the SQL, the key that ran it, and the outcome. When someone asks “what has the AI touched?”, you have the answer.
Revocable API keys
Agents authenticate with dedicated keys, not your database password. Rotate or revoke a key any time and the agent is out — your credentials never leave the vault.
Encrypted credentials
Connection credentials are encrypted at rest (AES-256). Your agent never sees a password — it only sees an MCP endpoint.
Metered usage
Per-key monthly quotas keep agent usage visible and bounded. No surprise load from a loop that decided to scan every table.
On the roadmap: table-level allowlists, per-connection key scoping, PII masking and query approval flows. Tell us what you need →
Works with the agents your team already uses
Prefer the details? See the MCP tool reference.
PRICING
Queries are cheap. Governance is the product.
No per-query charges — your agent's SQL runs on your database, not our meter. You pay for scale and visibility: more connections, deeper audit, your whole team.
FREE
$0 forever
Try the gateway with one database.
- ✓ 1 database connection · 1 agent key
- ✓ Full guardrails — read-only, row cap, timeout
- ✓ 7-day audit history
- ✓ Fair-use monthly call cap
PRO
$29 / month
For the developer who runs agents daily.
- ✓ Multiple connections & named keys
- ✓ Full audit history
- ✓ Higher call limits
- ✓ Table allowlist (rolling out)
- ✓ Priority support
TEAM
$99 / month
When "what did the AI run?" needs an answer.
- ✓ Shared workspace & team members
- ✓ Key-to-connection scoping
- ✓ Audit export & Slack alerts
- ✓ Weekly blocked-writes digest
- ✓ PII masking & approval flows (roadmap)
Self-hosted deployment, SSO and compliance requirements? Tell us what you need →
Questions teams ask first
Can the AI write to or delete data in my database? +
No. The gateway classifies every statement before execution and blocks writes, DDL and dangerous functions. Queries also run inside a read-only transaction, so even a statement that slips past the classifier cannot modify data.
Why not just use an open-source Postgres MCP server? +
You can — but most raw MCP servers run whatever SQL the model produces, with your real credentials sitting in a local config file, no audit trail and no limits. AI2SQL Gateway is hosted, read-only by default, metered, logged, and revocable per key.
Which databases are supported? +
PostgreSQL is live on the gateway today. MySQL is next — AI2SQL's builder already supports MySQL, SQL Server and Snowflake connections, and agent access is rolling out to them.
Which agents and tools work with it? +
Claude Code, Claude Desktop, claude.ai, Cursor, ChatGPT with developer-mode MCP, and any custom agent that speaks MCP over HTTP.
Do you charge per query? +
No. There are no per-query or per-token charges — the SQL is written by your own agent and runs on your own database. Plans differ by number of connections, audit retention, and team features, with a fair-use call cap on the free tier.
Does AI2SQL see or store my data? +
Query results flow through the gateway to your agent and are not retained. What we store is the audit metadata: the SQL text, timing and status of each call — that's the log you review.
Give your agent a database it can't break
Connect a database, grab a key, paste one config. Read-only, logged and revocable from the first query.
Start free →