AI2SQL GATEWAY · MCP · READ-ONLY BY DEFAULT

Safe database access for AI agents

Your team already uses Claude, Cursor and ChatGPT. AI2SQL Gateway lets those agents query your database through one governed MCP endpoint — read-only, rate-limited, fully logged, and revocable in one click.

PostgreSQL live today · MySQL rolling out  —  no local install, nothing to self-host

THE PROBLEM

Agents are ready for your database. Your database isn't ready for agents.

Raw MCP servers run anything

Most database MCP servers execute whatever SQL the model produces — one hallucinated UPDATE away from a bad day.

Credentials in config files

The typical setup pastes your production password into a local JSON file on every developer's laptop. That's the opposite of access control.

No audit trail

When an agent queries production, someone will eventually ask what it ran and when. Without a log, you can't answer.

HOW IT WORKS

From zero to a governed agent connection in minutes

1

Connect your database

Add your PostgreSQL connection in the AI2SQL dashboard. Credentials are encrypted and stay server-side.

2

Get your gateway key

Generate an API key for your agent. The key is scoped to your account, metered, and revocable at any time.

3

Paste one config into your agent

Claude Code, Claude Desktop, Cursor or ChatGPT — one MCP config and your agent can explore the schema and run governed, read-only queries.

Claude Code Cursor claude_desktop_config.json
$ claude mcp add --transport http ai2sql \
    https://builder.ai2sql.io/api/mcp \
    --header "x-ai2sql-key: $AI2SQL_KEY"
✓ ai2sql connected — 3 tools available
  run_query · describe_schema · list_connections

GUARDRAILS

What "safe" actually means here

Not a policy document — enforcement in the request path, on every single query.

RO

Read-only by default

Every statement is classified before it runs. INSERT, UPDATE, DELETE, DDL and dangerous functions are blocked at the gateway — and queries execute inside a read-only transaction as a second layer.

1k

Row limits & timeouts

Results are capped (LIMIT applied automatically) and every query runs with a hard statement timeout, so a runaway agent can never lock up or drain your database.

log

Every query logged

Each tool call is recorded — the SQL, the key that ran it, and the outcome. When someone asks “what has the AI touched?”, you have the answer.

key

Revocable API keys

Agents authenticate with dedicated keys, not your database password. Rotate or revoke a key any time and the agent is out — your credentials never leave the vault.

aes

Encrypted credentials

Connection credentials are encrypted at rest (AES-256). Your agent never sees a password — it only sees an MCP endpoint.

usg

Metered usage

Per-key monthly quotas keep agent usage visible and bounded. No surprise load from a loop that decided to scan every table.

On the roadmap: table-level allowlists, per-connection key scoping, PII masking and query approval flows. Tell us what you need →

Works with the agents your team already uses

Claude Code Claude Desktop claude.ai Cursor ChatGPT (dev-mode MCP) Custom agents via MCP

Prefer the details? See the MCP tool reference.

PRICING

Queries are cheap. Governance is the product.

No per-query charges — your agent's SQL runs on your database, not our meter. You pay for scale and visibility: more connections, deeper audit, your whole team.

FREE

$0  forever

Try the gateway with one database.

  • 1 database connection · 1 agent key
  • Full guardrails — read-only, row cap, timeout
  • 7-day audit history
  • Fair-use monthly call cap
Start free

PRO

$29  / month

For the developer who runs agents daily.

  • Multiple connections & named keys
  • Full audit history
  • Higher call limits
  • Table allowlist (rolling out)
  • Priority support
Start free, upgrade in app

TEAM

$99  / month

When "what did the AI run?" needs an answer.

  • Shared workspace & team members
  • Key-to-connection scoping
  • Audit export & Slack alerts
  • Weekly blocked-writes digest
  • PII masking & approval flows (roadmap)
Talk to us

Self-hosted deployment, SSO and compliance requirements? Tell us what you need →

Questions teams ask first

Can the AI write to or delete data in my database? +

No. The gateway classifies every statement before execution and blocks writes, DDL and dangerous functions. Queries also run inside a read-only transaction, so even a statement that slips past the classifier cannot modify data.

Why not just use an open-source Postgres MCP server? +

You can — but most raw MCP servers run whatever SQL the model produces, with your real credentials sitting in a local config file, no audit trail and no limits. AI2SQL Gateway is hosted, read-only by default, metered, logged, and revocable per key.

Which databases are supported? +

PostgreSQL is live on the gateway today. MySQL is next — AI2SQL's builder already supports MySQL, SQL Server and Snowflake connections, and agent access is rolling out to them.

Which agents and tools work with it? +

Claude Code, Claude Desktop, claude.ai, Cursor, ChatGPT with developer-mode MCP, and any custom agent that speaks MCP over HTTP.

Do you charge per query? +

No. There are no per-query or per-token charges — the SQL is written by your own agent and runs on your own database. Plans differ by number of connections, audit retention, and team features, with a fair-use call cap on the free tier.

Does AI2SQL see or store my data? +

Query results flow through the gateway to your agent and are not retained. What we store is the audit metadata: the SQL text, timing and status of each call — that's the log you review.

Give your agent a database it can't break

Connect a database, grab a key, paste one config. Read-only, logged and revocable from the first query.

Start free →