87% of users reported increased productivity after just one week
About Query MCP
What is Query MCP: Real-Time Replication & Lightning-Fast Queries?
Query MCP is a middleware solution designed to enhance Supabase's database and API management capabilities. It enables real-time data replication, optimizes query performance, and provides granular control over database operations through a safety framework. By abstracting low-level SQL execution and API interactions, it ensures secure, efficient, and auditable interactions with Supabase resources.
How to use Query MCP: Real-Time Replication & Lightning-Fast Queries?
To utilize Query MCP, developers first configure connection parameters such as SUPABASE_URL and API_KEY. Queries are executed via standardized tools with safety modes toggled for write/destructive operations. Real-time replication is managed through event listeners, while API requests leverage predefined safety rules to prevent unintended state changes. Explicit confirmations are required for high-risk actions like schema modifications.
Query MCP Features
Key Features of Query MCP: Real-Time Replication & Lightning-Fast Queries?
Safety Manager: Enforces risk-based execution modes for queries/API calls, categorizing operations into low/medium/high risk with enforced confirmation workflows.
Auto-Migration: Automatically generates versioned migration scripts for schema-altering SQL operations, ensuring traceability and rollbacks.
Real-Time Analytics: Provides instant access to Supabase logs across services like Auth, PostgREST, and Edge Functions with SQL-based filtering.
Auth Admin SDK Integration: Executes user management actions (create/delete users, send invites) without direct SQL exposure, adhering to SDK validation rules.
Use cases of Query MCP: Real-Time Replication & Lightning-Fast Queries?
Developers use Query MCP to:
Automate test data setup via Auth Admin methods for consistent QA environments
Perform live database audits with read-only query mode enabled
Deploy schema changes through versioned migrations while maintaining production safety
Debug API issues using granular log retrieval with temporal and field filters
Query MCP FAQ
FAQ from Query MCP: Real-Time Replication & Lightning-Fast Queries?
Q: How does safety mode prevent accidental data loss? A: By requiring explicit confirmation for DDL/DML operations and restricting destructive actions even in unsafe mode.
Q: Can I customize risk categorization for specific queries? A: Yes, through pattern-based safety rules matching SQL/API paths.
Q: What happens if migration scripts conflict? A: Versioned scripts are stored separately, allowing manual resolution during deployment.
Q: Does real-time replication support multi-region instances? A: Yes, region parameters are configurable in connection settings.
Content
Query MCP (Supabase MCP Server)
Enable your favorite IDE to safely execute SQL queries, manage your database end-to-end, access Management API, and handle user authentication with built-in safety controls.
🎉 The Future of Supabase MCP Server -> Query MCP
I'm thrilled to announce that Supabase MCP Server is evolving intothequery.dev!
While I have big plans for the future, I want to make these commitments super clear:
The core tool will stay free forever - free & open-source software is how I got into coding
Premium features will be added on top - enhancing capabilities without limiting existing functionality
First 2,000 early adopters will get special perks - join early for an exclusive treat!
Installing the server requires the following on your system:
Python 3.12+
If you plan to install via uv, ensure it's installed.
PostgreSQL Installation
PostgreSQL installation is no longer required for the MCP server itself, as it now uses asyncpg which doesn't depend on PostgreSQL development libraries.
However, you'll still need PostgreSQL if you're running a local Supabase instance:
Ensure "PostgreSQL Server" and "Command Line Tools" are selected during installation
Step 1. Installation
Since v0.2.0 I introduced support for package installation. You can use your favorite Python package manager to install the server via:
# if pipx is installed (recommended)
pipx install supabase-mcp-server
# if uv is installed
uv pip install supabase-mcp-server
pipx is recommended because it creates isolated environments for each package.
You can also install the server manually by cloning the repository and running pipx install -e . from the root directory.
Installing from source
If you would like to install from source, for example for local development:
uv venv
# On Mac
source .venv/bin/activate
# On Windows
.venv\Scripts\activate
# Install package in editable mode
uv pip install -e .
Installing via Smithery.ai
You can find the full instructions on how to use Smithery.ai to connect to this MCP server here.
Step 2. Configuration
The Supabase MCP server requires configuration to connect to your Supabase database, access the Management API, and use the Auth Admin SDK. This section explains all available configuration options and how to set them up.
Environment Variables
The server uses the following environment variables:
Variable
Required
Default
Description
SUPABASE_PROJECT_REF
Yes
127.0.0.1:54322
Your Supabase project reference ID (or local host:port)
SUPABASE_DB_PASSWORD
Yes
postgres
Your database password
SUPABASE_REGION
Yes*
us-east-1
AWS region where your Supabase project is hosted
SUPABASE_ACCESS_TOKEN
No
None
Personal access token for Supabase Management API
SUPABASE_SERVICE_ROLE_KEY
No
None
Service role key for Auth Admin SDK
Note : The default values are configured for local Supabase development. For remote Supabase projects, you must provide your own values for SUPABASE_PROJECT_REF and SUPABASE_DB_PASSWORD.
🚨 CRITICAL CONFIGURATION NOTE : For remote Supabase projects, you MUST specify the correct region where your project is hosted using SUPABASE_REGION. If you encounter a "Tenant or user not found" error, this is almost certainly because your region setting doesn't match your project's actual region. You can find your project's region in the Supabase dashboard under Project Settings.
Connection Types
Database Connection
The server connects to your Supabase PostgreSQL database using the transaction pooler endpoint
Local development uses a direct connection to 127.0.0.1:54322
Remote projects use the format: postgresql://postgres.[project_ref]:[password]@aws-0-[region].pooler.supabase.com:6543/postgres
⚠️ Important : Session pooling connections are not supported. The server exclusively uses transaction pooling for better compatibility with the MCP server architecture.
Management API Connection
Requires SUPABASE_ACCESS_TOKEN to be set
Connects to the Supabase Management API at https://api.supabase.com
Only works with remote Supabase projects (not local development)
Auth Admin SDK Connection
Requires SUPABASE_SERVICE_ROLE_KEY to be set
For local development, connects to http://127.0.0.1:54321
For remote projects, connects to https://[project_ref].supabase.co
Configuration Methods
The server looks for configuration in this order (highest to lowest priority):
Environment Variables : Values set directly in your environment
Local.env File: A .env file in your current working directory (only works when running from source)
Global Config File : * Windows: %APPDATA%\supabase-mcp\.env * macOS/Linux: ~/.config/supabase-mcp/.env
Default Settings : Local development defaults (if no other config is found)
⚠️ Important : When using the package installed via pipx or uv, local .env files in your project directory are not detected. You must use either environment variables or the global config file.
Set environment variables directly in your MCP client configuration (see client-specific setup instructions in Step 3). Most MCP clients support this approach, which keeps your configuration with your client settings.
Option 2: Global Configuration
Create a global .env configuration file that will be used for all MCP server instances:
# Create config directory
# On macOS/Linux
mkdir -p ~/.config/supabase-mcp
# On Windows (PowerShell)
mkdir -Force "$env:APPDATA\supabase-mcp"
# Create and edit .env file
# On macOS/Linux
nano ~/.config/supabase-mcp/.env
# On Windows (PowerShell)
notepad "$env:APPDATA\supabase-mcp\.env"
Service Role Key : Found in Project Settings → API → Project API keys
Supported Regions
The server supports all Supabase regions:
us-west-1 - West US (North California)
us-east-1 - East US (North Virginia) - default
us-east-2 - East US (Ohio)
ca-central-1 - Canada (Central)
eu-west-1 - West EU (Ireland)
eu-west-2 - West Europe (London)
eu-west-3 - West EU (Paris)
eu-central-1 - Central EU (Frankfurt)
eu-central-2 - Central Europe (Zurich)
eu-north-1 - North EU (Stockholm)
ap-south-1 - South Asia (Mumbai)
ap-southeast-1 - Southeast Asia (Singapore)
ap-northeast-1 - Northeast Asia (Tokyo)
ap-northeast-2 - Northeast Asia (Seoul)
ap-southeast-2 - Oceania (Sydney)
sa-east-1 - South America (São Paulo)
Limitations
No Self-Hosted Support : The server only supports official Supabase.com hosted projects and local development
No Connection String Support : Custom connection strings are not supported
No Session Pooling : Only transaction pooling is supported for database connections
API and SDK Features : Management API and Auth Admin SDK features only work with remote Supabase projects, not local development
Step 3. Usage
In general, any MCP client that supports stdio protocol should work with this MCP server. This server was explicitly tested to work with:
Cursor
Windsurf
Cline
Claude Desktop
Additionally, you can also use smithery.ai to install this server a number of clients, including the ones above.
Follow the guides below to install this MCP server in your client.
Cursor
Go to Settings -> Features -> MCP Servers and add a new server with this configuration:
# can be set to any name
name: supabase
type: command
# if you installed with pipx
command: supabase-mcp-server
# if you installed with uv
command: uv run supabase-mcp-server
# if the above doesn't work, use the full path (recommended)
command: /full/path/to/supabase-mcp-server # Find with 'which supabase-mcp-server' (macOS/Linux) or 'where supabase-mcp-server' (Windows)
If configuration is correct, you should see a green dot indicator and the number of tools exposed by the server.
Windsurf
Go to Cascade -> Click on the hammer icon -> Configure -> Fill in the configuration:
If configuration is correct, you should see green dot indicator and clickable supabase server in the list of available servers.
Claude Desktop
Claude Desktop also supports MCP servers through a JSON configuration. Follow these steps to set up the Supabase MCP server:
Find the full path to the executable (this step is critical):
On macOS/Linux
which supabase-mcp-server
# On Windows
where supabase-mcp-server
Copy the full path that is returned (e.g., /Users/username/.local/bin/supabase-mcp-server).
Configure the MCP server in Claude Desktop:
* Open Claude Desktop
* Go to Settings → Developer -> Edit Config MCP Servers
* Add a new configuration with the following JSON:
{
"mcpServers": {
"supabase": {
"command": "/full/path/to/supabase-mcp-server", // Replace with the actual path from step 1
"env": {
"SUPABASE_PROJECT_REF": "your-project-ref",
"SUPABASE_DB_PASSWORD": "your-db-password",
"SUPABASE_REGION": "us-east-1", // optional, defaults to us-east-1
"SUPABASE_ACCESS_TOKEN": "your-access-token", // optional, for management API
"SUPABASE_SERVICE_ROLE_KEY": "your-service-role-key" // optional, for Auth Admin SDK
}
}
}
}
⚠️ Important : Unlike Windsurf and Cursor, Claude Desktop requires the full absolute path to the executable. Using just the command name (supabase-mcp-server) will result in a "spawn ENOENT" error.
If configuration is correct, you should see the Supabase MCP server listed as available in Claude Desktop.
Cline
Cline also supports MCP servers through a similar JSON configuration. Follow these steps to set up the Supabase MCP server:
Find the full path to the executable (this step is critical):
On macOS/Linux
which supabase-mcp-server
# On Windows
where supabase-mcp-server
Copy the full path that is returned (e.g., /Users/username/.local/bin/supabase-mcp-server).
Configure the MCP server in Cline:
* Open Cline in VS Code
* Click on the "MCP Servers" tab in the Cline sidebar
* Click "Configure MCP Servers"
* This will open the `cline_mcp_settings.json` file
* Add the following configuration:
{
"mcpServers": {
"supabase": {
"command": "/full/path/to/supabase-mcp-server", // Replace with the actual path from step 1
"env": {
"SUPABASE_PROJECT_REF": "your-project-ref",
"SUPABASE_DB_PASSWORD": "your-db-password",
"SUPABASE_REGION": "us-east-1", // optional, defaults to us-east-1
"SUPABASE_ACCESS_TOKEN": "your-access-token", // optional, for management API
"SUPABASE_SERVICE_ROLE_KEY": "your-service-role-key" // optional, for Auth Admin SDK
}
}
}
}
If configuration is correct, you should see a green indicator next to the Supabase MCP server in the Cline MCP Servers list, and a message confirming "supabase MCP server connected" at the bottom of the panel.
Troubleshooting
Here are some tips & tricks that might help you:
Debug installation - run supabase-mcp-server directly from the terminal to see if it works. If it doesn't, there might be an issue with the installation.
MCP Server configuration - if the above step works, it means the server is installed and configured correctly. As long as you provided the right command, IDE should be able to connect. Make sure to provide the right path to the server executable.
"No tools found" error - If you see "Client closed - no tools available" in Cursor despite the package being installed:
Find the full path to the executable by running which supabase-mcp-server (macOS/Linux) or where supabase-mcp-server (Windows)
Use the full path in your MCP server configuration instead of just supabase-mcp-server
For example: /Users/username/.local/bin/supabase-mcp-server or C:\Users\username\.local\bin\supabase-mcp-server.exe
Environment variables - to connect to the right database, make sure you either set env variables in mcp_config.json or in .env file placed in a global config directory (~/.config/supabase-mcp/.env on macOS/Linux or %APPDATA%\supabase-mcp\.env on Windows).
Accessing logs - The MCP server writes detailed logs to a file:
If you are stuck or any of the instructions above are incorrect, please raise an issue.
MCP Inspector
A super useful tool to help debug MCP server issues is MCP Inspector. If you installed from source, you can run supabase-mcp-inspector from the project repo and it will run the inspector instance. Coupled with logs this will give you complete overview over what's happening in the server.
📝 Running supabase-mcp-inspector, if installed from package, doesn't work properly - I will validate and fix in the coming release.
Feature Overview
Database query tools
Since v0.3+ server provides comprehensive database management capabilities with built-in safety controls:
SQL Query Execution : Execute PostgreSQL queries with risk assessment
blocked: Destructive operations (delete project, etc.) - never allowed
Default safe mode prevents accidental state changes
Path-based pattern matching for precise safety rules
Note : Management API tools only work with remote Supabase instances and are not compatible with local Supabase development setups.
Auth Admin tools
I was planning to add support for Python SDK methods to the MCP server. Upon consideration I decided to only add support for Auth admin methods as I often found myself manually creating test users which was prone to errors and time consuming. Now I can just ask Cursor to create a test user and it will be done seamlessly. Check out the full Auth Admin SDK method docs to know what it can do.
Since v0.3.6 server supports direct access to Supabase Auth Admin methods via Python SDK:
Includes the following tools:
get_auth_admin_methods_spec to retrieve documentation for all available Auth Admin methods
call_auth_admin_method to directly invoke Auth Admin methods with proper parameter handling
Supported methods:
get_user_by_id: Retrieve a user by their ID
list_users: List all users with pagination
create_user: Create a new user
delete_user: Delete a user by their ID
invite_user_by_email: Send an invite link to a user's email
generate_link: Generate an email link for various authentication purposes
update_user_by_id: Update user attributes by ID
delete_factor: Delete a factor on a user (currently not implemented in SDK)
Why use Auth Admin SDK instead of raw SQL queries?
The Auth Admin SDK provides several key advantages over direct SQL manipulation:
Functionality : Enables operations not possible with SQL alone (invites, magic links, MFA)
Accuracy : More reliable then creating and executing raw SQL queries on auth schemas
Simplicity : Offers clear methods with proper validation and error handling
Response format:
All methods return structured Python objects instead of raw dictionaries
Object attributes can be accessed using dot notation (e.g., user.id instead of user["id"])
Edge cases and limitations:
UUID validation: Many methods require valid UUID format for user IDs and will return specific validation errors
Email configuration: Methods like invite_user_by_email and generate_link require email sending to be configured in your Supabase project
Link types: When generating links, different link types have different requirements:
signup links don't require the user to exist
magiclink and recovery links require the user to already exist in the system
Error handling: The server provides detailed error messages from the Supabase API, which may differ from the dashboard interface
Method availability: Some methods like delete_factor are exposed in the API but not fully implemented in the SDK
Logs & Analytics
The server provides access to Supabase logs and analytics data, making it easier to monitor and troubleshoot your applications:
Available Tool : retrieve_logs - Access logs from any Supabase service
Log Collections :
postgres: Database server logs
api_gateway: API gateway requests
auth: Authentication events
postgrest: RESTful API service logs
pooler: Connection pooling logs
storage: Object storage operations
realtime: WebSocket subscription logs
edge_functions: Serverless function executions
cron: Scheduled job logs
pgbouncer: Connection pooler logs
Features : Filter by time, search text, apply field filters, or use custom SQL queries
Simplifies debugging across your Supabase stack without switching between interfaces or writing complex queries.
Automatic Versioning of Database Changes
"With great power comes great responsibility." While execute_postgresql tool coupled with aptly named live_dangerously tool provide a powerful and simple way to manage your Supabase database, it also means that dropping a table or modifying one is one chat message away. In order to reduce the risk of irreversible changes, since v0.3.8 the server supports:
automatic creation of migration scripts for all write & destructive sql operations executed on the database
improved safety mode of query execution, in which all queries are categorized in:
safe type: always allowed. Includes all read-only ops.
writetype: requires write mode to be enabled by the user.
destructive type: requires write mode to be enabled by the user AND a 2-step confirmation of query execution for clients that do not execute tools automatically.
Universal Safety Mode
Since v0.3.8 Safety Mode has been standardized across all services (database, API, SDK) using a universal safety manager. This provides consistent risk management and a unified interface for controlling safety settings across the entire MCP server.
All operations (SQL queries, API requests, SDK methods) are categorized into risk levels:
Low risk: Read-only operations that don't modify data or structure (SELECT queries, GET API requests)
Medium risk: Write operations that modify data but not structure (INSERT/UPDATE/DELETE, most POST/PUT API requests)
High risk: Destructive operations that modify database structure or could cause data loss (DROP/TRUNCATE, DELETE API endpoints)
Extreme risk: Operations with severe consequences that are blocked entirely (deleting projects)
Safety controls are applied based on risk level:
Low risk operations are always allowed
Medium risk operations require unsafe mode to be enabled
High risk operations require unsafe mode AND explicit confirmation
Extreme risk operations are never allowed
How confirmation flow works
Any high-risk operations (be it a postgresql or api request) will be blocked even in unsafe mode. You will have to confirm and approve every high-risk operation explicitly in order for it to be executed.
Changelog
📦 Simplified installation via package manager - ✅ (v0.2.0)
🌎 Support for different Supabase regions - ✅ (v0.2.2)
🎮 Programmatic access to Supabase management API with safety controls - ✅ (v0.3.0)
👷♂️ Read and read-write database SQL queries with safety controls - ✅ (v0.3.0)
🔄 Robust transaction handling for both direct and pooled connections - ✅ (v0.3.2)
🐍 Support methods and objects available in native Python SDK - ✅ (v0.3.6)
🔍 Stronger SQL query validation ✅ (v0.3.8)
📝 Automatic versioning of database changes ✅ (v0.3.8)
📖 Radically improved knowledge and tools of api spec ✅ (v0.3.8)
✍️ Improved consistency of migration-related tools for a more organized database vcs ✅ (v0.3.10)
For a more detailed roadmap, please see this discussion on GitHub.
