FutrixData logo FutrixData
MCP database security

MCP Database Security — Wrap Model Context Protocol DB Servers

MCP database servers give AI agents direct database access — and most ship without masking, RBAC, or audit. FutrixData wraps your MCP database access with masking on the agent result path, query guardrails, per-agent identity, and a local hash-chained audit log (with a built-in audit verify CLI) — without changing how Claude Code, Cursor, or Codex connect. Local verification only; trust and limitations pages document the full scope.

What is MCP, and what's the risk?

The Model Context Protocol (MCP) is an open standard that lets AI agents discover and call external tools — including databases. Reference MCP servers exist for Postgres, MySQL, MongoDB, and others. They make agent integration easy. They also tend to give every connected agent the same database privileges, with no per-agent identity, no field-level masking, and no centralized audit trail.

If your only database boundary is "the MCP server is on a private port," you have a perimeter — not a policy.

Five gaps in raw MCP database servers

  1. Shared credentials. Every agent connected to the MCP server uses the same DB user.
  2. Unrestricted SQL. No static rules, no pre-flight EXPLAIN — the agent's query goes through.
  3. No PII masking. Raw rows enter agent context, then flow on to the LLM provider.
  4. No identity per agent. When something goes wrong, you can't answer "which agent did this."
  5. No audit log. Or only stdout output — not retained, not queryable, not exportable.

How FutrixData wraps MCP

FutrixData speaks MCP as one of several entry points (alongside Skill, HTTP, and CLI). From Claude Code or Cursor it looks like an MCP server with the standard tools (list_data_sources, execute_query, etc.). Internally, every call passes through:

  1. Per-agent key validation.
  2. Statement parsing by data source type.
  3. Static rule + pre-execution EXPLAIN evaluation.
  4. Trust-mode reconciliation.
  5. Database execution.
  6. Field-level masking at egress.
  7. Audit entry creation.

The agent's tool surface is the same. The behavior — and the assurance you can give a security team — is not.

Connecting Claude Code, Cursor, Codex via MCP

Configuration is the same as any MCP server: a JSON entry in the agent's MCP config pointing at the FutrixData binary or the Enterprise Edition HTTP endpoint, plus a per-agent access key. Each installation gets its own key, so revocation is precise.

Examples

Claude Code MCP config
{
  "mcpServers": {
    "futrixdata": {
      "command": "futrixdata",
      "args": ["mcp"],
      "env": {
        "FUTRIXDATA_AGENT_KEY": "fxd_live_..."
      }
    }
  }
}
Enterprise Edition over HTTP
{
  "mcpServers": {
    "futrixdata": {
      "url": "https://futrixdata.internal.example.com/mcp",
      "headers": { "Authorization": "Bearer fxd_live_..." }
    }
  }
}

Frequently asked questions

What is MCP?

The Model Context Protocol — an open standard for connecting AI agents to external tools. Anthropic shipped reference servers for several databases. MCP defines the wire protocol, not the security model.

Is FutrixData an MCP server?

FutrixData speaks MCP as one entry point. It's also reachable via Skill, HTTP, and CLI — all sharing the same risk engine and audit pipeline. From the agent's side, it looks and behaves like an MCP server.

What about Anthropic's reference MCP servers?

They're great for getting started and risky as a long-term production posture. They have no per-agent identity, no field-level masking, no risk engine, and minimal audit. FutrixData is what you put in front of (or in place of) them once an actual production database is in scope.

Does it work with non-Anthropic agents?

Yes. Any MCP-compliant client connects (Cursor, Codex, Windsurf, OpenCode, custom). For agents that don't speak MCP, the Skill and HTTP entry points cover everything else.

Can I use both MCP and HTTP/CLI?

Yes — they're entry points to the same gateway. An organization commonly uses MCP for IDE-side agents (Claude Code, Cursor) and HTTP for backend automation, with one audit log covering both.

Try FutrixData on your own database

Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.