Official Neon MCP server that connects Claude and other MCP clients to Neon Postgres projects, branches, schemas, SQL queries, migrations, performance tuning, Neon Auth, Data API setup, and Neon documentation through a hosted Streamable HTTP endpoint.
Neon documents the MCP server as intended for development and testing only, and warns users to review and authorize LLM-requested actions before execution., Full-access mode can create and delete projects, create and delete branches, reset branches from parents, run SQL, run SQL transactions, prepare and complete migrations, tune queries, provision Neon Auth, and provision the Neon Data API., Prefer OAuth read-only mode or `readonly=true` for exploration. In read-only mode, write tools are unavailable and SQL execution is constrained to read-only queries., Use `projectId` scoping and tool category filters when an agent should work inside one project or only use schema, querying, docs, or branch tools., API keys created by `neonctl init` or stored in MCP headers grant Neon account or organization access. Revoke unused keys, avoid committing bearer tokens, and do not expose API keys in prompts, logs, screenshots, or shared config files., Database rows, docs pages, migration output, SQL errors, and query plans are model-visible context. Treat returned data as untrusted input that may contain prompt injection, stale assumptions, secrets, or customer records., Migration and query-tuning workflows use temporary branches before applying changes, but the final complete actions can affect the original branch and should require explicit human review., The deprecated SSE endpoint exists for clients without Streamable HTTP support; prefer the documented `https://mcp.neon.tech/mcp` endpoint when the client supports it.
Privacy notes
Tool results can expose Neon organization IDs, project IDs, branch IDs, compute endpoints, database names, table names, schemas, SQL text, query results, query plans, slow query details, connection strings, documentation content, and Neon Console links., OAuth authorization can disclose the Neon account identity and grants the connected MCP client access according to the approved scopes and URL parameters., API-key setup stores bearer credentials in MCP client configuration or process arguments when configured that way; protect local config files, shell history, CI variables, and agent transcripts., Generated migrations, SQL errors, query tuning suggestions, logs, client debug output, and AI chat transcripts can retain database schema and sample data outside Neon., ChatGPT connectors, hosted IDEs, remote agents, MCP proxies, and other clients may have separate logging, retention, connector trust, and data-use policies from Neon., Connection string tools may return credentials or connection details for a Neon database. Avoid exposing those values to untrusted clients or shared conversations.
Author
Neon
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
8 safety and 6 privacy notes across 5 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.
5 areas
SafetyPermissions & scopesNeon documents the MCP server as intended for development and testing only, and warns users to review and authorize LLM-requested actions before execution.
SafetyExecution & processesFull-access mode can create and delete projects, create and delete branches, reset branches from parents, run SQL, run SQL transactions, prepare and complete migrations, tune queries, provision Neon Auth, and provision the Neon Data API.
SafetyCredentials & tokensPrefer OAuth read-only mode or `readonly=true` for exploration. In read-only mode, write tools are unavailable and SQL execution is constrained to read-only queries.
SafetyGeneralUse `projectId` scoping and tool category filters when an agent should work inside one project or only use schema, querying, docs, or branch tools.
SafetyCredentials & tokensAPI keys created by `neonctl init` or stored in MCP headers grant Neon account or organization access. Revoke unused keys, avoid committing bearer tokens, and do not expose API keys in prompts, logs, screenshots, or shared config files.
SafetyCredentials & tokensDatabase rows, docs pages, migration output, SQL errors, and query plans are model-visible context. Treat returned data as untrusted input that may contain prompt injection, stale assumptions, secrets, or customer records.
SafetyGeneralMigration and query-tuning workflows use temporary branches before applying changes, but the final complete actions can affect the original branch and should require explicit human review.
SafetyNetwork accessThe deprecated SSE endpoint exists for clients without Streamable HTTP support; prefer the documented `https://mcp.neon.tech/mcp` endpoint when the client supports it.
PrivacyCredentials & tokensOAuth authorization can disclose the Neon account identity and grants the connected MCP client access according to the approved scopes and URL parameters.
PrivacyCredentials & tokensAPI-key setup stores bearer credentials in MCP client configuration or process arguments when configured that way; protect local config files, shell history, CI variables, and agent transcripts.
PrivacyExecution & processesGenerated migrations, SQL errors, query tuning suggestions, logs, client debug output, and AI chat transcripts can retain database schema and sample data outside Neon.
PrivacyNetwork accessChatGPT connectors, hosted IDEs, remote agents, MCP proxies, and other clients may have separate logging, retention, connector trust, and data-use policies from Neon.
PrivacyCredentials & tokensConnection string tools may return credentials or connection details for a Neon database. Avoid exposing those values to untrusted clients or shared conversations.
Safety notes
Neon documents the MCP server as intended for development and testing only, and warns users to review and authorize LLM-requested actions before execution.
Full-access mode can create and delete projects, create and delete branches, reset branches from parents, run SQL, run SQL transactions, prepare and complete migrations, tune queries, provision Neon Auth, and provision the Neon Data API.
Prefer OAuth read-only mode or `readonly=true` for exploration. In read-only mode, write tools are unavailable and SQL execution is constrained to read-only queries.
Use `projectId` scoping and tool category filters when an agent should work inside one project or only use schema, querying, docs, or branch tools.
API keys created by `neonctl init` or stored in MCP headers grant Neon account or organization access. Revoke unused keys, avoid committing bearer tokens, and do not expose API keys in prompts, logs, screenshots, or shared config files.
Database rows, docs pages, migration output, SQL errors, and query plans are model-visible context. Treat returned data as untrusted input that may contain prompt injection, stale assumptions, secrets, or customer records.
Migration and query-tuning workflows use temporary branches before applying changes, but the final complete actions can affect the original branch and should require explicit human review.
The deprecated SSE endpoint exists for clients without Streamable HTTP support; prefer the documented `https://mcp.neon.tech/mcp` endpoint when the client supports it.
OAuth authorization can disclose the Neon account identity and grants the connected MCP client access according to the approved scopes and URL parameters.
API-key setup stores bearer credentials in MCP client configuration or process arguments when configured that way; protect local config files, shell history, CI variables, and agent transcripts.
Generated migrations, SQL errors, query tuning suggestions, logs, client debug output, and AI chat transcripts can retain database schema and sample data outside Neon.
ChatGPT connectors, hosted IDEs, remote agents, MCP proxies, and other clients may have separate logging, retention, connector trust, and data-use policies from Neon.
Connection string tools may return credentials or connection details for a Neon database. Avoid exposing those values to untrusted clients or shared conversations.
Prerequisites
Neon account with access to the projects, branches, databases, organizations, or shared projects Claude should inspect or manage.
MCP-capable client that supports remote Streamable HTTP MCP servers, OAuth, `mcp-remote`, or Neon-supported configuration through `add-mcp`.
Authentication plan using Neon OAuth for local clients, an API key for remote or headless agents, or `neonctl init` when intentionally creating a local API key and editor configuration.
Access-control plan for OAuth scopes, `readonly=true`, project scoping with `projectId`, tool categories, organization access, and API key ownership.
Database safety plan for SQL execution, schema inspection, migrations, branch resets, query tuning, Neon Auth setup, Data API provisioning, and destructive project or branch actions.
Client configuration review for Claude Code, Claude Desktop, Cursor, VS Code, ChatGPT connectors, Codex, Zed, Cline, Windsurf, Kiro, Goose, or other supported MCP clients.
The Neon MCP server connects Claude and other MCP-capable clients to Neon
Postgres through Neon's hosted Streamable HTTP endpoint at
https://mcp.neon.tech/mcp. It lets an assistant list projects, inspect
branches and schemas, run SQL, compare database schemas, work with migrations,
find slow queries, provision Neon Auth or the Neon Data API, and fetch Neon
documentation without building a custom database integration.
The conservative default is to start with OAuth, read-only mode, and a single
project scope. Neon supports broader write-capable workflows, but those should
be reserved for development or testing environments with explicit human review.
Features
Hosted remote MCP endpoint at https://mcp.neon.tech/mcp.
Quick setup through npx neonctl@latest init or MCP-only setup through
npx add-mcp https://mcp.neon.tech/mcp.
OAuth setup for local IDEs and API-key setup for remote or headless agents.
Read-only mode through OAuth scope selection or the readonly=true query
parameter.
Project scoping through the projectId query parameter.
Tool category filtering for projects, branches, schema, querying, Neon Auth,
Data API, and docs capabilities.
Project and organization discovery, shared project lookup, and detailed
project and branch descriptions.
Branch-based migration and query-tuning flows that prepare changes on
temporary branches before a separate completion step.
Neon documentation search and fetch tools backed by the Neon docs index.
Client setup coverage for Claude Code, Claude Desktop, Cursor, VS Code,
ChatGPT connectors, Codex, Zed, Cline, Windsurf, Kiro, Goose, and other MCP
clients supported by add-mcp.
Use Cases
Ask Claude to inspect a Neon project and summarize branches, databases, and
tables before making schema changes.
Explore schemas in read-only mode before writing SQL or application code.
Run bounded read-only SQL to understand test data, development fixtures, or
staging data.
Prepare a migration on a temporary Neon branch, test it, and require human
approval before applying it to the original branch.
Compare schemas between branches before merging a migration.
Investigate slow queries and explain plans in a development database.
Fetch Neon docs into the conversation when building with Neon Auth, Data API,
Postgres branching, or framework integrations.
Installation
MCP-only hosted setup
Use Neon's documented add-mcp flow to add the hosted MCP endpoint to detected
clients in the current workspace:
npx add-mcp https://mcp.neon.tech/mcp
Restart or refresh the MCP client, then complete the Neon OAuth authorization
flow when prompted.
Full Neon editor setup
Use neonctl init when you intentionally want Neon to configure supported
editors, create an API key, and install Neon agent skills as part of the setup:
npx neonctl@latest init
Review generated API keys in the Neon Console afterward and revoke any key that
is no longer needed.
Using the Neon MCP server in read-only mode, list my projects and summarize the branches and databases without changing anything.
Inspect a schema
For project PROJECT_ID, describe the default branch schema and list the tables that look relevant to user accounts.
Run a bounded query
Run a read-only SQL query against project PROJECT_ID to count rows in the users table and return only aggregate results.
Prepare a migration safely
Prepare a migration on a temporary Neon branch that adds an indexed created_at column, then stop and show the diff before completing it.
Fetch Neon docs
Search Neon docs for branch-based migrations and summarize the official guidance before proposing database changes.
Source notes
The official Neon docs describe the Neon MCP Server as an open-source tool
for managing Neon Postgres projects through natural language.
Neon documents the hosted endpoint as https://mcp.neon.tech/mcp and the
fastest MCP-only setup as npx add-mcp https://mcp.neon.tech/mcp.
Neon documents npx neonctl@latest init as a broader setup flow that creates
a Neon API key, configures supported clients, and installs Neon agent skills.
The docs describe supported clients including Claude Code, Claude Desktop,
Cursor, VS Code with GitHub Copilot, ChatGPT connectors, Codex, Zed, Cline,
Windsurf, Kiro, Goose, and other clients supported by add-mcp.
The README says the MCP server bridges natural language requests to the Neon
API for project management, branch management, SQL queries, and database
migrations.
The README and docs warn that the Neon MCP server grants powerful database
management capabilities and is intended for local development, IDE
integrations, development, and testing rather than production environments.
The README documents OAuth authentication, API-key authentication, read-only
mode, readonly=true, project scoping with projectId, category filtering,
and the deprecated SSE transport fallback.
The README lists read-only tools such as project listing, branch description,
schema comparison, read-only SQL, table listing, table schema description,
slow query listing, explain plans, docs search, and docs fetch.
The README lists write-access tools including project creation and deletion,
branch creation and deletion, branch reset, Neon Auth provisioning, Data API
provisioning, migration preparation and completion, and query-tuning
preparation and completion.
The README describes the remote server as a Next.js App Router application
running on Vercel at mcp.neon.tech.
The repository is neondatabase/mcp-server-neon, is MIT licensed, active,
and maintained by Neon.
Duplicate check
Checked current content/mcp/, content/tools/, guides, skills, agents, hooks,
open pull requests, live issue state, and repository-wide content for Neon MCP,
neondatabase/mcp-server-neon, mcp-server-neon, mcp.neon.tech,
neon.com/docs/ai/neon-mcp-server, neonctl init, Neon Postgres,
branch-based migrations, and read-only Neon MCP. No dedicated Neon MCP entry,
target file, exact source URL duplicate, issue duplicate, semantic duplicate, or
open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. Neon MCP Server
is MIT-licensed open-source software maintained by Neon; Neon accounts, Neon
compute and storage usage, Postgres databases, API keys, OAuth providers, MCP
clients, hosted IDEs, ChatGPT connectors, remote agents, and downstream logs or
artifact stores may have separate licenses, billing, terms, privacy obligations,
and access controls.
Show that Neon MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/neon-mcp-server)
How it compares
Neon MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Official Neon MCP server that connects Claude and other MCP clients to Neon Postgres projects, branches, schemas, SQL queries, migrations, performance tuning, Neon Auth, Data API setup, and Neon documentation through a hosted Streamable HTTP endpoint.
Open source MCP server and tool framework from Google for connecting AI agents, IDEs, and applications to databases through prebuilt or custom database tools.
✓Neon documents the MCP server as intended for development and testing only, and warns users to review and authorize LLM-requested actions before execution.
Full-access mode can create and delete projects, create and delete branches, reset branches from parents, run SQL, run SQL transactions, prepare and complete migrations, tune queries, provision Neon Auth, and provision the Neon Data API.
Prefer OAuth read-only mode or `readonly=true` for exploration. In read-only mode, write tools are unavailable and SQL execution is constrained to read-only queries.
Use `projectId` scoping and tool category filters when an agent should work inside one project or only use schema, querying, docs, or branch tools.
API keys created by `neonctl init` or stored in MCP headers grant Neon account or organization access. Revoke unused keys, avoid committing bearer tokens, and do not expose API keys in prompts, logs, screenshots, or shared config files.
Database rows, docs pages, migration output, SQL errors, and query plans are model-visible context. Treat returned data as untrusted input that may contain prompt injection, stale assumptions, secrets, or customer records.
Migration and query-tuning workflows use temporary branches before applying changes, but the final complete actions can affect the original branch and should require explicit human review.
The deprecated SSE endpoint exists for clients without Streamable HTTP support; prefer the documented `https://mcp.neon.tech/mcp` endpoint when the client supports it.
✓DBHub can execute SQL queries against configured databases.
SQL execution can read, create, update, delete, or otherwise modify data depending on database permissions and requested queries.
Configure read-only mode, row limits, query timeouts, least-privilege credentials, and human review before using DBHub with production or sensitive databases.
Custom tools can wrap reusable parameterized SQL, so review their definitions before allowing agents to call them.
✓MCP Alchemy exposes database table discovery, schema inspection, relationship mapping, and SQL execution.
The execute_query tool can run arbitrary SQL text against the configured SQLAlchemy database.
The source creates SQLAlchemy connections with AUTOCOMMIT, so successful write, DDL, or administrative statements can commit immediately.
The server does not enforce read-only SQL; use database permissions, read-only users, and human review to constrain writes.
Query results are truncated by EXECUTE_QUERY_MAX_CHARS unless Claude Local Files output is configured.
When CLAUDE_LOCAL_FILES_PATH is set, full result sets can be written to local files for artifact access.
✓Database tools can expose sensitive schemas and data, and some custom tools can modify data if configured that way.
Prefer least-privilege accounts, read-only roles for exploration, query limits, and approved toolsets.
Review every `tools.yaml` statement, parameter, source, and toolset before giving it to an agent.
Avoid broad `execute_sql` access in production; expose structured, parameterized tools where possible.
Query loops can create high database load, unexpected cloud costs, lock contention, or noisy audit logs.
Privacy notes
✓Tool results can expose Neon organization IDs, project IDs, branch IDs, compute endpoints, database names, table names, schemas, SQL text, query results, query plans, slow query details, connection strings, documentation content, and Neon Console links.
OAuth authorization can disclose the Neon account identity and grants the connected MCP client access according to the approved scopes and URL parameters.
API-key setup stores bearer credentials in MCP client configuration or process arguments when configured that way; protect local config files, shell history, CI variables, and agent transcripts.
Generated migrations, SQL errors, query tuning suggestions, logs, client debug output, and AI chat transcripts can retain database schema and sample data outside Neon.
ChatGPT connectors, hosted IDEs, remote agents, MCP proxies, and other clients may have separate logging, retention, connector trust, and data-use policies from Neon.
Connection string tools may return credentials or connection details for a Neon database. Avoid exposing those values to untrusted clients or shared conversations.
✓Database connection strings, hostnames, schemas, table names, column names, row data, query text, query results, traces, and errors may be visible to the MCP client and model provider.
Databases can contain personal data, customer records, credentials, business metrics, audit logs, payment data, healthcare data, and proprietary operational state.
Avoid exposing production databases or regulated data unless the database, MCP client, and model session are approved for that access.
✓DB_URL can contain database hostnames, usernames, passwords, database names, driver names, and connection options.
Schemas, table names, column names, foreign keys, SQL text, query results, errors, row counts, and generated local result files may be visible to the MCP client and model provider.
SQLAlchemy-compatible databases can contain customer records, credentials, analytics, payment data, healthcare data, source-code metadata, or other regulated information.
DB_URL, DB_ENGINE_OPTIONS, CLAUDE_LOCAL_FILES_PATH, result files, and database credentials should stay out of prompts, issues, logs, screenshots, and committed files.
✓Schema names, table names, query text, query results, connection metadata, and business data may pass through the MCP server and AI client.
Database passwords, IAM credentials, service account keys, and connection strings are secrets and should never be committed or pasted into prompts.
Logs, traces, and metrics can include tool names, query metadata, error messages, and database identifiers.
Prerequisites
Neon account with access to the projects, branches, databases, organizations, or shared projects Claude should inspect or manage.
MCP-capable client that supports remote Streamable HTTP MCP servers, OAuth, `mcp-remote`, or Neon-supported configuration through `add-mcp`.
Authentication plan using Neon OAuth for local clients, an API key for remote or headless agents, or `neonctl init` when intentionally creating a local API key and editor configuration.
Access-control plan for OAuth scopes, `readonly=true`, project scoping with `projectId`, tool categories, organization access, and API key ownership.
Node.js and npx available to the MCP client runtime.
A PostgreSQL, MySQL, MariaDB, SQL Server, or SQLite database connection.
Database credentials with the minimum privileges needed for the workflow.
Read-only permissions or DBHub guardrails configured before connecting production data.
Python 3.10 and uvx available to the MCP client runtime.
SQLAlchemy-compatible database URL for an approved database.
Database driver selected with uvx `--with` when the target database requires one.
Least-privilege database user with only the schemas and operations Claude should access.
Node.js and npx for the npm server path, or another documented Toolbox runtime.
Database credentials scoped to the exact database, schema, and permissions needed.
Environment variables or secret storage for database connection settings.
A reviewed prebuilt database target or `tools.yaml` file before exposing tools to an agent.