Official MongoDB MCP server that connects Claude and other MCP clients to MongoDB databases and MongoDB Atlas for read-only analysis, schema metadata, aggregation, Atlas project operations, performance advisor data, exports, and MongoDB Assistant knowledge search.
MongoDB's README uses `--readOnly` in examples by default. Keep read-only mode enabled for analysis so create, update, and delete operation types are not registered with the server., Without read-only mode, the server can create collections and indexes, insert documents, update many documents, delete many documents, drop indexes, drop collections, drop databases, create Atlas projects and clusters, manage access lists, create database users, and manage stream processing resources., Use `disabledTools` to remove tool names, operation types, or categories such as `create`, `update`, `delete`, `atlas`, or `mongodb` when a client should only perform a narrow workflow., Confirmation-required tools depend on MCP client elicitation support. If a client does not support elicitation, review whether the server still executes those tools without a confirmation prompt., Use `indexCheck` and bounded query limits when letting an agent run find or aggregation operations against shared, large, or production-like datasets., HTTP transport is not recommended for production without authentication, HTTPS, firewalls or private networking, rate limiting, and a review of request headers, externally managed sessions, host binding, and port exposure., Atlas service account credentials should use the minimum required project-level roles. Avoid Organization Owner unless full organization administration is explicitly required., Connection strings and Atlas API credentials should be passed through environment variables or protected config files rather than command-line arguments, which can appear in process lists and logs.
Privacy notes
Tool results can expose database names, collection names, index metadata, schemas, document samples, aggregation results, exports, logs, Atlas organization and project metadata, cluster names, alerts, users, access lists, slow query samples, and performance advisor recommendations., Connection strings can include usernames, passwords, hosts, database names, auth sources, TLS options, and replica set details; keep them out of prompts, screenshots, shell history, command-line arguments, and shared MCP config files., Atlas API client IDs and client secrets grant Atlas access according to service account roles and should be short-lived, scoped, rotated, and kept out of logs and transcripts., Exported data is stored temporarily on the machine running the MCP server until cleanup, and export directories require restrictive filesystem permissions because exported documents may contain sensitive data., The default logger configuration can write logs to disk and send logs to the MCP client, so log paths, terminal output, AI transcripts, and client logs should be treated as sensitive., Telemetry is enabled by default according to the README and can be disabled with `MDB_MCP_TELEMETRY=disabled`, `--telemetry disabled`, or `DO_NOT_TRACK=1`.
Author
MongoDB
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
8 safety and 6 privacy notes across 7 risk areas. Review closely: credentials & tokens, permissions & scopes.
7 areas
SafetyGeneralMongoDB's README uses `--readOnly` in examples by default. Keep read-only mode enabled for analysis so create, update, and delete operation types are not registered with the server.
SafetyExecution & processesWithout read-only mode, the server can create collections and indexes, insert documents, update many documents, delete many documents, drop indexes, drop collections, drop databases, create Atlas projects and clusters, manage access lists, create database users, and manage stream processing resources.
SafetyGeneralUse `disabledTools` to remove tool names, operation types, or categories such as `create`, `update`, `delete`, `atlas`, or `mongodb` when a client should only perform a narrow workflow.
SafetyExecution & processesConfirmation-required tools depend on MCP client elicitation support. If a client does not support elicitation, review whether the server still executes those tools without a confirmation prompt.
SafetyExecution & processesUse `indexCheck` and bounded query limits when letting an agent run find or aggregation operations against shared, large, or production-like datasets.
SafetyCredentials & tokensHTTP transport is not recommended for production without authentication, HTTPS, firewalls or private networking, rate limiting, and a review of request headers, externally managed sessions, host binding, and port exposure.
SafetyCredentials & tokensAtlas service account credentials should use the minimum required project-level roles. Avoid Organization Owner unless full organization administration is explicitly required.
SafetyCredentials & tokensConnection strings and Atlas API credentials should be passed through environment variables or protected config files rather than command-line arguments, which can appear in process lists and logs.
PrivacyData retentionTool results can expose database names, collection names, index metadata, schemas, document samples, aggregation results, exports, logs, Atlas organization and project metadata, cluster names, alerts, users, access lists, slow query samples, and performance advisor recommendations.
PrivacyCredentials & tokensConnection strings can include usernames, passwords, hosts, database names, auth sources, TLS options, and replica set details; keep them out of prompts, screenshots, shell history, command-line arguments, and shared MCP config files.
PrivacyCredentials & tokensAtlas API client IDs and client secrets grant Atlas access according to service account roles and should be short-lived, scoped, rotated, and kept out of logs and transcripts.
PrivacyPermissions & scopesExported data is stored temporarily on the machine running the MCP server until cleanup, and export directories require restrictive filesystem permissions because exported documents may contain sensitive data.
PrivacyLocal filesThe default logger configuration can write logs to disk and send logs to the MCP client, so log paths, terminal output, AI transcripts, and client logs should be treated as sensitive.
PrivacyTelemetryTelemetry is enabled by default according to the README and can be disabled with `MDB_MCP_TELEMETRY=disabled`, `--telemetry disabled`, or `DO_NOT_TRACK=1`.
Safety notes
MongoDB's README uses `--readOnly` in examples by default. Keep read-only mode enabled for analysis so create, update, and delete operation types are not registered with the server.
Without read-only mode, the server can create collections and indexes, insert documents, update many documents, delete many documents, drop indexes, drop collections, drop databases, create Atlas projects and clusters, manage access lists, create database users, and manage stream processing resources.
Use `disabledTools` to remove tool names, operation types, or categories such as `create`, `update`, `delete`, `atlas`, or `mongodb` when a client should only perform a narrow workflow.
Confirmation-required tools depend on MCP client elicitation support. If a client does not support elicitation, review whether the server still executes those tools without a confirmation prompt.
Use `indexCheck` and bounded query limits when letting an agent run find or aggregation operations against shared, large, or production-like datasets.
HTTP transport is not recommended for production without authentication, HTTPS, firewalls or private networking, rate limiting, and a review of request headers, externally managed sessions, host binding, and port exposure.
Atlas service account credentials should use the minimum required project-level roles. Avoid Organization Owner unless full organization administration is explicitly required.
Connection strings and Atlas API credentials should be passed through environment variables or protected config files rather than command-line arguments, which can appear in process lists and logs.
Privacy notes
Tool results can expose database names, collection names, index metadata, schemas, document samples, aggregation results, exports, logs, Atlas organization and project metadata, cluster names, alerts, users, access lists, slow query samples, and performance advisor recommendations.
Connection strings can include usernames, passwords, hosts, database names, auth sources, TLS options, and replica set details; keep them out of prompts, screenshots, shell history, command-line arguments, and shared MCP config files.
Atlas API client IDs and client secrets grant Atlas access according to service account roles and should be short-lived, scoped, rotated, and kept out of logs and transcripts.
Exported data is stored temporarily on the machine running the MCP server until cleanup, and export directories require restrictive filesystem permissions because exported documents may contain sensitive data.
The default logger configuration can write logs to disk and send logs to the MCP client, so log paths, terminal output, AI transcripts, and client logs should be treated as sensitive.
Telemetry is enabled by default according to the README and can be disabled with `MDB_MCP_TELEMETRY=disabled`, `--telemetry disabled`, or `DO_NOT_TRACK=1`.
Prerequisites
Node.js 20.19 or later, Node.js 22.12 or later, or a supported newer Node.js version for running the npm package.
MongoDB connection string for a local, self-hosted, or Atlas cluster, or MongoDB Atlas service account credentials for Atlas tools.
MCP client configuration for Claude Desktop, Claude Code, Cursor, VS Code, GitHub Copilot CLI, OpenCode, Windsurf, or another compatible client.
Least-privilege Atlas service account roles and API access-list configuration when enabling Atlas operations.
Decision on read-only mode, disabled tool categories, confirmation-required tools, index-check enforcement, maximum documents or bytes per query, export location, logging, and telemetry.
Review process for any write-capable database, collection, index, Atlas cluster, database user, access-list, stream processing, or Atlas Local operation.
Schema details
Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Runtime and command metadata
Script body
## Content
MongoDB MCP Server connects Claude and other MCP-capable clients to MongoDB
databases and MongoDB Atlas through a local stdio server, Docker container, or
HTTP transport. It gives an assistant tools for database inspection, find and
aggregation queries, schema and index metadata, Atlas project and cluster
operations, performance advisor data, exports, Atlas Local deployments, and
MongoDB Assistant knowledge search.
The safest default is to run it with `--readOnly`, pass credentials through
environment variables, and disable tool categories that are not needed for the
current task. MongoDB's own examples include read-only mode by default, and the
server exposes additional guardrails for disabled tools, confirmation-required
tools, index checking, query limits, export cleanup, logging, and telemetry.
## Features
- Local stdio MCP server through `npx -y mongodb-mcp-server@latest`.
- Docker-based setup with the official `mongodb/mongodb-mcp-server` image.
- Optional Streamable HTTP transport with configurable host, port, request
headers, response type, session handling, and monitoring endpoints.
- Connection through MongoDB connection strings or MongoDB Atlas service account
credentials.
- Read-only mode that restricts the server to read, connect, and metadata
operation types.
- Disabled tool configuration by tool name, operation type, or category.
- Confirmation-required tool configuration for destructive or sensitive tools
when the MCP client supports elicitation.
- MongoDB database tools for finding documents, running aggregations, listing
databases and collections, inspecting schema and indexes, explaining queries,
exporting results, and reading logs.
- Atlas tools for organizations, projects, clusters, database users, access
lists, alerts, performance advisor recommendations, Atlas Stream Processing,
and Atlas Local deployments.
- MongoDB Assistant tools for searching official documentation and curated
MongoDB guidance.
- Resources for redacted configuration, MongoDB debug information, and exported
data.
## Use Cases
- Ask Claude to list MongoDB databases and collections before touching
application data.
- Inspect collection schemas, indexes, and storage size while planning a model
or API change.
- Run bounded read-only find or aggregation queries against development or
staging data.
- Use Atlas Performance Advisor and slow query samples to investigate query
performance.
- Search MongoDB Assistant knowledge while implementing a driver, Atlas, or
schema-design workflow.
- Export query results for short-lived local analysis with explicit cleanup and
access controls.
- Manage Atlas projects, clusters, access lists, database users, or stream
processing resources only after narrowing roles and requiring human approval.
## Installation
### Read-only stdio setup
Pass the MongoDB connection string through an environment variable and keep
read-only mode enabled:
```json
{
"mcpServers": {
"MongoDB": {
"command": "npx",
"args": ["-y", "mongodb-mcp-server@latest", "--readOnly"],
"env": {
"MDB_MCP_CONNECTION_STRING": "mongodb://localhost:27017/myDatabase"
}
}
}
}
```
### Read-only Atlas setup
Use Atlas service account credentials when Atlas tools are required:
```json
{
"mcpServers": {
"MongoDB": {
"command": "npx",
"args": ["-y", "mongodb-mcp-server@latest", "--readOnly"],
"env": {
"MDB_MCP_API_CLIENT_ID": "ATLAS_SERVICE_ACCOUNT_CLIENT_ID",
"MDB_MCP_API_CLIENT_SECRET": "ATLAS_SERVICE_ACCOUNT_CLIENT_SECRET"
}
}
}
}
```
### Docker setup
Run the official Docker image with read-only mode and credentials supplied as
environment variables:
```json
{
"mcpServers": {
"MongoDB": {
"command": "docker",
"args": [
"run",
"--rm",
"-i",
"-e",
"MDB_MCP_CONNECTION_STRING",
"-e",
"MDB_MCP_READ_ONLY=true",
"mongodb/mongodb-mcp-server:latest"
],
"env": {
"MDB_MCP_CONNECTION_STRING": "mongodb://localhost:27017/myDatabase"
}
}
}
}
```
## Configuration
### Disable writes and expensive query patterns
```bash
export MDB_MCP_READ_ONLY=true
export MDB_MCP_DISABLED_TOOLS="create,update,delete"
export MDB_MCP_INDEX_CHECK=true
export MDB_MCP_MAX_DOCUMENTS_PER_QUERY=100
export MDB_MCP_TELEMETRY=disabled
```
### Protect logs and exports
```bash
export MDB_MCP_LOGGERS="mcp,stderr"
export MDB_MCP_EXPORTS_PATH="/path/to/restricted/mongodb-mcp-exports"
```
## Examples
### Inspect collections safely
```plaintext
Using MongoDB MCP in read-only mode, list databases and collections, then summarize likely application data boundaries without modifying anything.
```
### Review schema and indexes
```plaintext
Describe the schema and indexes for the orders collection, then identify queries that may need a supporting index.
```
### Run a bounded aggregation
```plaintext
Run a read-only aggregation that counts orders by status and returns only aggregate totals, not raw customer documents.
```
### Check Atlas performance recommendations
```plaintext
Use Atlas Performance Advisor for the selected project and summarize suggested indexes and slow query samples without creating resources.
```
### Search MongoDB guidance
```plaintext
Search MongoDB Assistant knowledge for schema design guidance related to time-series data and summarize the official recommendations.
```
## Source notes
- The official repository describes MongoDB MCP Server as a Model Context
Protocol server for interacting with MongoDB databases and MongoDB Atlas.
- The README says the server will not start unless configured with either a
MongoDB connection string or Atlas API credentials.
- The README lists Node.js requirements and documents setup for MCP clients,
`npx`, Docker, HTTP transport, Copilot CLI, and OpenCode.
- The README states that examples include `--readOnly` by default and says to
remove it only when write operations are needed.
- The README recommends environment variables for sensitive configuration such
as connection strings and Atlas API credentials instead of command-line
arguments because command-line arguments can appear in process lists and
logs.
- The README lists MongoDB database tools such as `find`, `aggregate`,
`collection-schema`, `collection-indexes`, `explain`, `export`, `insert-many`,
`update-many`, `delete-many`, `drop-collection`, and `drop-database`.
- The README lists Atlas tools for organizations, projects, clusters, alerts,
access lists, database users, performance advisor, stream processing, and
Atlas Local deployments.
- The README documents `MDB_MCP_READ_ONLY` and `--readOnly`, saying read-only
mode allows only read, connect, and metadata operation types.
- The README documents `disabledTools`, operation-type categories, default
confirmation-required tools, `indexCheck`, max document and byte limits,
export cleanup, loggers, and telemetry opt-out.
- The README warns that HTTP transport is not recommended for production use
without authentication, HTTPS or TLS, private networking or firewalls, rate
limiting, and not exposing it directly to the internet.
- The README's Atlas API permissions section recommends least-privilege service
account roles and warns that Organization Owner is rarely necessary.
- The repository is `mongodb-js/mongodb-mcp-server`, is Apache-2.0 licensed,
active, and maintained by MongoDB.
## Duplicate check
Checked current `content/mcp/`, `content/tools/`, guides, skills, agents, hooks,
open pull requests, live issue state, and repository-wide content for `MongoDB
MCP`, `mongodb-js/mongodb-mcp-server`, `mongodb-mcp-server`,
`www.mongodb.com/docs/mcp-server`, `MDB_MCP_CONNECTION_STRING`,
`MDB_MCP_READ_ONLY`, `Atlas service account`, `MongoDB Atlas MCP`, and
`MongoDB Assistant`. No dedicated MongoDB MCP entry, target file, exact source
URL duplicate, issue duplicate, semantic duplicate, or open duplicate PR was
found.
## Disclosure
Editorial listing. No paid placement or affiliate link is used. MongoDB MCP
Server is Apache-2.0 open-source software maintained by MongoDB; MongoDB Atlas,
MongoDB databases, cloud providers, Docker, MCP clients, API credentials,
telemetry, logs, exports, and downstream storage or analysis systems may have
separate licenses, billing, terms, privacy obligations, and access controls.
MongoDB MCP Server connects Claude and other MCP-capable clients to MongoDB
databases and MongoDB Atlas through a local stdio server, Docker container, or
HTTP transport. It gives an assistant tools for database inspection, find and
aggregation queries, schema and index metadata, Atlas project and cluster
operations, performance advisor data, exports, Atlas Local deployments, and
MongoDB Assistant knowledge search.
The safest default is to run it with --readOnly, pass credentials through
environment variables, and disable tool categories that are not needed for the
current task. MongoDB's own examples include read-only mode by default, and the
server exposes additional guardrails for disabled tools, confirmation-required
tools, index checking, query limits, export cleanup, logging, and telemetry.
Features
Local stdio MCP server through npx -y mongodb-mcp-server@latest.
Docker-based setup with the official mongodb/mongodb-mcp-server image.
Optional Streamable HTTP transport with configurable host, port, request
headers, response type, session handling, and monitoring endpoints.
Connection through MongoDB connection strings or MongoDB Atlas service account
credentials.
Read-only mode that restricts the server to read, connect, and metadata
operation types.
Disabled tool configuration by tool name, operation type, or category.
Confirmation-required tool configuration for destructive or sensitive tools
when the MCP client supports elicitation.
MongoDB database tools for finding documents, running aggregations, listing
databases and collections, inspecting schema and indexes, explaining queries,
exporting results, and reading logs.
Atlas tools for organizations, projects, clusters, database users, access
lists, alerts, performance advisor recommendations, Atlas Stream Processing,
and Atlas Local deployments.
MongoDB Assistant tools for searching official documentation and curated
MongoDB guidance.
Resources for redacted configuration, MongoDB debug information, and exported
data.
Use Cases
Ask Claude to list MongoDB databases and collections before touching
application data.
Inspect collection schemas, indexes, and storage size while planning a model
or API change.
Run bounded read-only find or aggregation queries against development or
staging data.
Use Atlas Performance Advisor and slow query samples to investigate query
performance.
Search MongoDB Assistant knowledge while implementing a driver, Atlas, or
schema-design workflow.
Export query results for short-lived local analysis with explicit cleanup and
access controls.
Manage Atlas projects, clusters, access lists, database users, or stream
processing resources only after narrowing roles and requiring human approval.
Installation
Read-only stdio setup
Pass the MongoDB connection string through an environment variable and keep
read-only mode enabled:
Using MongoDB MCP in read-only mode, list databases and collections, then summarize likely application data boundaries without modifying anything.
Review schema and indexes
Describe the schema and indexes for the orders collection, then identify queries that may need a supporting index.
Run a bounded aggregation
Run a read-only aggregation that counts orders by status and returns only aggregate totals, not raw customer documents.
Check Atlas performance recommendations
Use Atlas Performance Advisor for the selected project and summarize suggested indexes and slow query samples without creating resources.
Search MongoDB guidance
Search MongoDB Assistant knowledge for schema design guidance related to time-series data and summarize the official recommendations.
Source notes
The official repository describes MongoDB MCP Server as a Model Context
Protocol server for interacting with MongoDB databases and MongoDB Atlas.
The README says the server will not start unless configured with either a
MongoDB connection string or Atlas API credentials.
The README lists Node.js requirements and documents setup for MCP clients,
npx, Docker, HTTP transport, Copilot CLI, and OpenCode.
The README states that examples include --readOnly by default and says to
remove it only when write operations are needed.
The README recommends environment variables for sensitive configuration such
as connection strings and Atlas API credentials instead of command-line
arguments because command-line arguments can appear in process lists and
logs.
The README lists MongoDB database tools such as find, aggregate,
collection-schema, collection-indexes, explain, export, insert-many,
update-many, delete-many, drop-collection, and drop-database.
The README lists Atlas tools for organizations, projects, clusters, alerts,
access lists, database users, performance advisor, stream processing, and
Atlas Local deployments.
The README documents MDB_MCP_READ_ONLY and --readOnly, saying read-only
mode allows only read, connect, and metadata operation types.
The README documents disabledTools, operation-type categories, default
confirmation-required tools, indexCheck, max document and byte limits,
export cleanup, loggers, and telemetry opt-out.
The README warns that HTTP transport is not recommended for production use
without authentication, HTTPS or TLS, private networking or firewalls, rate
limiting, and not exposing it directly to the internet.
The README's Atlas API permissions section recommends least-privilege service
account roles and warns that Organization Owner is rarely necessary.
The repository is mongodb-js/mongodb-mcp-server, is Apache-2.0 licensed,
active, and maintained by MongoDB.
Duplicate check
Checked current content/mcp/, content/tools/, guides, skills, agents, hooks,
open pull requests, live issue state, and repository-wide content for MongoDB MCP, mongodb-js/mongodb-mcp-server, mongodb-mcp-server,
www.mongodb.com/docs/mcp-server, MDB_MCP_CONNECTION_STRING,
MDB_MCP_READ_ONLY, Atlas service account, MongoDB Atlas MCP, and
MongoDB Assistant. No dedicated MongoDB MCP entry, target file, exact source
URL duplicate, issue duplicate, semantic duplicate, or open duplicate PR was
found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. MongoDB MCP
Server is Apache-2.0 open-source software maintained by MongoDB; MongoDB Atlas,
MongoDB databases, cloud providers, Docker, MCP clients, API credentials,
telemetry, logs, exports, and downstream storage or analysis systems may have
separate licenses, billing, terms, privacy obligations, and access controls.
Show that MongoDB MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/mongodb-mcp-server)
How it compares
MongoDB MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
Official MongoDB MCP server that connects Claude and other MCP clients to MongoDB databases and MongoDB Atlas for read-only analysis, schema metadata, aggregation, Atlas project operations, performance advisor data, exports, and MongoDB Assistant knowledge search.
Connect Claude to your Elasticsearch cluster — search indices, inspect mappings, run ES|QL, and check shard health — with Elastic's official Model Context Protocol server.
Open source MCP server and tool framework from Google for connecting AI agents, IDEs, and applications to databases through prebuilt or custom database tools.
Official Neon MCP server that connects Claude and other MCP clients to Neon Postgres projects, branches, schemas, SQL queries, migrations, performance tuning, Neon Auth, Data API setup, and Neon documentation through a hosted Streamable HTTP endpoint.
✓MongoDB's README uses `--readOnly` in examples by default. Keep read-only mode enabled for analysis so create, update, and delete operation types are not registered with the server.
Without read-only mode, the server can create collections and indexes, insert documents, update many documents, delete many documents, drop indexes, drop collections, drop databases, create Atlas projects and clusters, manage access lists, create database users, and manage stream processing resources.
Use `disabledTools` to remove tool names, operation types, or categories such as `create`, `update`, `delete`, `atlas`, or `mongodb` when a client should only perform a narrow workflow.
Confirmation-required tools depend on MCP client elicitation support. If a client does not support elicitation, review whether the server still executes those tools without a confirmation prompt.
Use `indexCheck` and bounded query limits when letting an agent run find or aggregation operations against shared, large, or production-like datasets.
HTTP transport is not recommended for production without authentication, HTTPS, firewalls or private networking, rate limiting, and a review of request headers, externally managed sessions, host binding, and port exposure.
Atlas service account credentials should use the minimum required project-level roles. Avoid Organization Owner unless full organization administration is explicitly required.
Connection strings and Atlas API credentials should be passed through environment variables or protected config files rather than command-line arguments, which can appear in process lists and logs.
✓Search, ES|QL, and shard tools run live read queries against the configured cluster; a broad or expensive query can add load.
Scope the Elasticsearch API key to least privilege (read-only on the indices Claude should see) before connecting.
✓Database tools can expose sensitive schemas and data, and some custom tools can modify data if configured that way.
Prefer least-privilege accounts, read-only roles for exploration, query limits, and approved toolsets.
Review every `tools.yaml` statement, parameter, source, and toolset before giving it to an agent.
Avoid broad `execute_sql` access in production; expose structured, parameterized tools where possible.
Query loops can create high database load, unexpected cloud costs, lock contention, or noisy audit logs.
✓Neon documents the MCP server as intended for development and testing only, and warns users to review and authorize LLM-requested actions before execution.
Full-access mode can create and delete projects, create and delete branches, reset branches from parents, run SQL, run SQL transactions, prepare and complete migrations, tune queries, provision Neon Auth, and provision the Neon Data API.
Prefer OAuth read-only mode or `readonly=true` for exploration. In read-only mode, write tools are unavailable and SQL execution is constrained to read-only queries.
Use `projectId` scoping and tool category filters when an agent should work inside one project or only use schema, querying, docs, or branch tools.
API keys created by `neonctl init` or stored in MCP headers grant Neon account or organization access. Revoke unused keys, avoid committing bearer tokens, and do not expose API keys in prompts, logs, screenshots, or shared config files.
Database rows, docs pages, migration output, SQL errors, and query plans are model-visible context. Treat returned data as untrusted input that may contain prompt injection, stale assumptions, secrets, or customer records.
Migration and query-tuning workflows use temporary branches before applying changes, but the final complete actions can affect the original branch and should require explicit human review.
The deprecated SSE endpoint exists for clients without Streamable HTTP support; prefer the documented `https://mcp.neon.tech/mcp` endpoint when the client supports it.
Privacy notes
✓Tool results can expose database names, collection names, index metadata, schemas, document samples, aggregation results, exports, logs, Atlas organization and project metadata, cluster names, alerts, users, access lists, slow query samples, and performance advisor recommendations.
Connection strings can include usernames, passwords, hosts, database names, auth sources, TLS options, and replica set details; keep them out of prompts, screenshots, shell history, command-line arguments, and shared MCP config files.
Atlas API client IDs and client secrets grant Atlas access according to service account roles and should be short-lived, scoped, rotated, and kept out of logs and transcripts.
Exported data is stored temporarily on the machine running the MCP server until cleanup, and export directories require restrictive filesystem permissions because exported documents may contain sensitive data.
The default logger configuration can write logs to disk and send logs to the MCP client, so log paths, terminal output, AI transcripts, and client logs should be treated as sensitive.
Telemetry is enabled by default according to the README and can be disabled with `MDB_MCP_TELEMETRY=disabled`, `--telemetry disabled`, or `DO_NOT_TRACK=1`.
✓Index data, field mappings, and query results enter the MCP client context and the model's prompt.
ES_URL and ES_API_KEY are secrets — store them in the client config or environment, never in shared repositories.
✓Schema names, table names, query text, query results, connection metadata, and business data may pass through the MCP server and AI client.
Database passwords, IAM credentials, service account keys, and connection strings are secrets and should never be committed or pasted into prompts.
Logs, traces, and metrics can include tool names, query metadata, error messages, and database identifiers.
✓Tool results can expose Neon organization IDs, project IDs, branch IDs, compute endpoints, database names, table names, schemas, SQL text, query results, query plans, slow query details, connection strings, documentation content, and Neon Console links.
OAuth authorization can disclose the Neon account identity and grants the connected MCP client access according to the approved scopes and URL parameters.
API-key setup stores bearer credentials in MCP client configuration or process arguments when configured that way; protect local config files, shell history, CI variables, and agent transcripts.
Generated migrations, SQL errors, query tuning suggestions, logs, client debug output, and AI chat transcripts can retain database schema and sample data outside Neon.
ChatGPT connectors, hosted IDEs, remote agents, MCP proxies, and other clients may have separate logging, retention, connector trust, and data-use policies from Neon.
Connection string tools may return credentials or connection details for a Neon database. Avoid exposing those values to untrusted clients or shared conversations.
Prerequisites
Node.js 20.19 or later, Node.js 22.12 or later, or a supported newer Node.js version for running the npm package.
MongoDB connection string for a local, self-hosted, or Atlas cluster, or MongoDB Atlas service account credentials for Atlas tools.
MCP client configuration for Claude Desktop, Claude Code, Cursor, VS Code, GitHub Copilot CLI, OpenCode, Windsurf, or another compatible client.
Least-privilege Atlas service account roles and API access-list configuration when enabling Atlas operations.
Docker installed (the server is distributed as the docker.elastic.co/mcp/elasticsearch image).
An Elasticsearch cluster URL (ES_URL) you can reach.
An Elasticsearch API key (ES_API_KEY) or username/password (ES_USERNAME + ES_PASSWORD).
An MCP client such as Claude Code or Claude Desktop.
Node.js and npx for the npm server path, or another documented Toolbox runtime.
Database credentials scoped to the exact database, schema, and permissions needed.
Environment variables or secret storage for database connection settings.
A reviewed prebuilt database target or `tools.yaml` file before exposing tools to an agent.
Neon account with access to the projects, branches, databases, organizations, or shared projects Claude should inspect or manage.
MCP-capable client that supports remote Streamable HTTP MCP servers, OAuth, `mcp-remote`, or Neon-supported configuration through `add-mcp`.
Authentication plan using Neon OAuth for local clients, an API key for remote or headless agents, or `neonctl init` when intentionally creating a local API key and editor configuration.
Access-control plan for OAuth scopes, `readonly=true`, project scoping with `projectId`, tool categories, organization access, and API key ownership.
Install
npx -y mongodb-mcp-server@latest --readOnly
claude mcp add elasticsearch -- docker run -i --rm -e ES_URL=<your-cluster-url> -e ES_API_KEY=<your-api-key> docker.elastic.co/mcp/elasticsearch stdio
claude mcp add toolbox-postgres -- npx -y @toolbox-sdk/server --prebuilt=postgres --stdio