SYSTEM Cited by 1 source
PlanetScale MCP server¶
What it is¶
The PlanetScale MCP server is a hosted Model Context Protocol server that exposes PlanetScale organisations, databases, branches, schema, and Insights data to any MCP-compatible client — Claude, Cursor, Open Code, Goose, etc. Launched 2026-01-29 (Source: sources/2026-04-21-planetscale-introducing-the-planetscale-mcp-server).
Shape: hosted HTTP MCP server, OAuth-authenticated, per-branch permission scoping. Runs on PlanetScale's infrastructure — this is the hosted-over-local shape for a vendor SaaS.
Tool surface¶
Always available (OAuth token scope sufficient):
get_insightslist_organizations/get_organizationlist_databases/get_databaselist_branches/get_branch/get_branch_schemalist_regions_for_organizationlist_cluster_size_skussearch_documentation
Permission-gated:
execute_read_query— auto-routed to replica when availableexecute_write_query— subject to destructive-query + DDL checkslist_invoices/get_invoice_line_items— billing scope
Note: the read/write split is encoded in the tool surface itself
rather than as a parameter on a single execute_query — read-only
agents never see execute_write_query. This is
tool-surface minimization
pressed into service as an authorisation mechanism.
Safeguards¶
Five production-oriented safeguards ship in-server, not as external gateway policy:
- Automatic replica routing — read queries hit a read replica when one is configured. concepts/read-write-splitting implemented at the MCP boundary rather than at the application.
- Ephemeral credentials — every query creates short-lived credentials on demand and deletes them immediately after. This is per-tool-call rotation, stricter than the usual per-session-token shape. See concepts/ephemeral-credentials.
- Built-in query tagging — all queries include
source=planetscale-mcpSQL comments (SQLCommenter format) so Insights can attribute MCP-originated traffic as its own workload class via actor-tagged query observability. - Destructive-query protection —
UPDATEorDELETEwithoutWHEREblocked;TRUNCATEnot allowed. Server-side static check on the SQL string before execution. Canonicalised as concepts/destructive-query-protection. - Human confirmation for DDL — any
CREATE/DROP/ALTERtriggers an MCP elicitation asking the human to confirm before the server executes the change.
The composite design is canonicalised in patterns/mcp-safeguards-over-raw-db-access.
Permission model¶
Permissions are OAuth-scoped, settable per branch (production vs development) with read-only or full-access granularity. This follows PlanetScale's deploy-request-shaped branching model: the authorisation boundary is the branch, not the database or the organisation. A common configuration is "full access to dev branches, read-only to production."
Why hosted, not local¶
The MCP server runs on PlanetScale's infrastructure. This is the hosted-over-local shape and avoids the local MCP server risk of a cloud LLM orchestrating code on the operator's workstation. Authentication is OAuth, not workstation-credential inheritance — the MCP server itself holds the relationship with the PlanetScale API, and the human / agent drives it via OAuth-delegated permissions.
Relationship to existing PlanetScale platform primitives¶
- Insights is the observability
backend. The
source=planetscale-mcptag makes MCP traffic attributable without new plumbing — Insights was already designed around actor-tagged query observability. - concepts/deploy-request is the branch-promotion unit; per-branch permissions let MCP scope ride on it.
- Vitess / MySQL-protocol — the MCP server speaks MCP outward and PlanetScale's standard API / MySQL protocol inward. Destructive-query parsing is presumably done on the SQL string before handing it to the executor (parser mechanism not documented in the launch post).
- PlanetScale Postgres — the
MCP server covers both MySQL and Postgres PlanetScale clusters;
the tool surface is engine-agnostic (all introspection is by
branch, and
execute_read_query/execute_write_queryare generic).
Seen in¶
- sources/2026-04-21-planetscale-introducing-the-planetscale-mcp-server — launch announcement, canonical reference for the tool surface and safeguard list.
Related¶
- systems/model-context-protocol — the protocol.
- systems/planetscale — the underlying platform.
- systems/planetscale-insights — the observability sink that consumes MCP query tags.
- patterns/mcp-safeguards-over-raw-db-access — the composite safeguard pattern extracted from this launch.
- concepts/ephemeral-credentials — the per-query credential rotation shape.
- concepts/destructive-query-protection — the destructive-query block as a named concept.
- concepts/hosted-vs-local-mcp-server — the deployment-shape framing.
- concepts/sqlcommenter-query-tagging — the tagging convention.
- patterns/hosted-mcp-ecosystem — the ecosystem shape.
- patterns/tool-surface-minimization — read/write split via tool inventory not tool arguments.
- companies/planetscale — company index.