SYSTEM Cited by 1 source

PlanetScale MCP server

What it is

The PlanetScale MCP server is a hosted Model Context Protocol server that exposes PlanetScale organisations, databases, branches, schema, and Insights data to any MCP-compatible client — Claude, Cursor, Open Code, Goose, etc. Launched 2026-01-29 (Source: sources/2026-04-21-planetscale-introducing-the-planetscale-mcp-server).

Shape: hosted HTTP MCP server, OAuth-authenticated, per-branch permission scoping. Runs on PlanetScale's infrastructure — this is the hosted-over-local shape for a vendor SaaS.

Tool surface

Always available (OAuth token scope sufficient):

• get_insights
• list_organizations / get_organization
• list_databases / get_database
• list_branches / get_branch / get_branch_schema
• list_regions_for_organization
• list_cluster_size_skus
• search_documentation

Permission-gated:

• execute_read_query — auto-routed to replica when available
• execute_write_query — subject to destructive-query + DDL checks
• list_invoices / get_invoice_line_items — billing scope

Note: the read/write split is encoded in the tool surface itself rather than as a parameter on a single execute_query — read-only agents never see execute_write_query. This is tool-surface minimization pressed into service as an authorisation mechanism.

Safeguards

Five production-oriented safeguards ship in-server, not as external gateway policy:

1. Automatic replica routing — read queries hit a read replica when one is configured. concepts/read-write-splitting implemented at the MCP boundary rather than at the application.
2. Ephemeral credentials — every query creates short-lived credentials on demand and deletes them immediately after. This is per-tool-call rotation, stricter than the usual per-session-token shape. See concepts/ephemeral-credentials.
3. Built-in query tagging — all queries include source=planetscale-mcp SQL comments (SQLCommenter format) so Insights can attribute MCP-originated traffic as its own workload class via actor-tagged query observability.
4. Destructive-query protection — UPDATE or DELETE without WHERE blocked; TRUNCATE not allowed. Server-side static check on the SQL string before execution. Canonicalised as concepts/destructive-query-protection.
5. Human confirmation for DDL — any CREATE / DROP / ALTER triggers an MCP elicitation asking the human to confirm before the server executes the change.

The composite design is canonicalised in patterns/mcp-safeguards-over-raw-db-access.

Permission model

Permissions are OAuth-scoped, settable per branch (production vs development) with read-only or full-access granularity. This follows PlanetScale's deploy-request-shaped branching model: the authorisation boundary is the branch, not the database or the organisation. A common configuration is "full access to dev branches, read-only to production."

Why hosted, not local

The MCP server runs on PlanetScale's infrastructure. This is the hosted-over-local shape and avoids the local MCP server risk of a cloud LLM orchestrating code on the operator's workstation. Authentication is OAuth, not workstation-credential inheritance — the MCP server itself holds the relationship with the PlanetScale API, and the human / agent drives it via OAuth-delegated permissions.

Relationship to existing PlanetScale platform primitives

• Insights is the observability backend. The source=planetscale-mcp tag makes MCP traffic attributable without new plumbing — Insights was already designed around actor-tagged query observability.
• concepts/deploy-request is the branch-promotion unit; per-branch permissions let MCP scope ride on it.
• Vitess / MySQL-protocol — the MCP server speaks MCP outward and PlanetScale's standard API / MySQL protocol inward. Destructive-query parsing is presumably done on the SQL string before handing it to the executor (parser mechanism not documented in the launch post).
• PlanetScale Postgres — the MCP server covers both MySQL and Postgres PlanetScale clusters; the tool surface is engine-agnostic (all introspection is by branch, and execute_read_query/execute_write_query are generic).

Seen in

• sources/2026-04-21-planetscale-introducing-the-planetscale-mcp-server — launch announcement, canonical reference for the tool surface and safeguard list.

Related

• systems/model-context-protocol — the protocol.
• systems/planetscale — the underlying platform.
• systems/planetscale-insights — the observability sink that consumes MCP query tags.
• patterns/mcp-safeguards-over-raw-db-access — the composite safeguard pattern extracted from this launch.
• concepts/ephemeral-credentials — the per-query credential rotation shape.
• concepts/destructive-query-protection — the destructive-query block as a named concept.
• concepts/hosted-vs-local-mcp-server — the deployment-shape framing.
• concepts/sqlcommenter-query-tagging — the tagging convention.
• patterns/hosted-mcp-ecosystem — the ecosystem shape.
• patterns/tool-surface-minimization — read/write split via tool inventory not tool arguments.
• companies/planetscale — company index.