Scoped tokens, per connection
Each agent gets its own Bearer token with an explicit connection allowlist — an empty allowlist reaches nothing. Tokens are read-only by default, revocable instantly, and stored only as hashes.
QueryGlow is a self-hosted database GUI with a built-in MCP endpoint. Point Claude Code, Cursor, or any MCP client at it, and your agents inherit the safety layer your team already uses — scoped tokens, read-only by default, every query audited.
A raw database MCP server hands agents a connection string. QueryGlow hands them a scoped token. $79 once. Lifetime license.
When engineers discuss giving LLMs database access on Hacker News, the verdicts are blunt — and they're right.
“an insane thing to do”
“In application security, 99% is a failing grade”
“asking an LLM nicely”
The story of an AI agent wiping a production database made the rounds for a reason: when the only thing between an agent and your data is an instruction it was asked to follow, the failure mode is total.
The same threads converge on the accepted answer: schema-only access, read-only enforcement, scoped credentials. QueryGlow ships exactly that pattern — as a checkbox, with the enforcement living in the database and the driver, not in a prompt.
Every guarantee below is enforced by the database or the driver protocol. No layer depends on the agent behaving.
Each agent gets its own Bearer token with an explicit connection allowlist — an empty allowlist reaches nothing. Tokens are read-only by default, revocable instantly, and stored only as hashes.
A read-only token executes inside a database-enforced read-only transaction. The database rejects any write no matter how the SQL is phrased — the token cannot write; the database enforces it.
Every agent statement runs through the driver’s single-statement (prepared) protocol, which rejects multi-command strings. A benign-looking read cannot smuggle a second statement behind it.
A write token may run a single INSERT, UPDATE, or DELETE — never DDL. Exceed the row cap and the database rolls the write back. Dry-run previews the affected-row count before anything commits.
Per-statement timeouts are enforced in the database, so a runaway query cannot freeze the server. The MCP endpoint itself is rate-limited.
The enforcement layer ships with an adversarial test suite — statement smuggling, writes hidden inside reads, over-limit writes — built by attacking it, not just describing it.
Agent Access — New Token
Token name
Connections this token may use
Two token modes. The "never" column doesn't change no matter what the agent asks for.
| Action | Read-Only Token (Default) | Write Token (Opt-In) |
|---|---|---|
| Browse schema (tables, columns) | Yes | Yes |
| Run SELECT queries | Yes — row-capped | Yes — row-capped |
| EXPLAIN a query without running it | Yes | Yes |
| See query history for its connections | Yes | Yes |
| INSERT / UPDATE / DELETE | No — the database rejects it | One statement per call, row-capped |
| DROP, TRUNCATE, or any DDL | Never | Never |
| Chain multiple statements in one call | Never — driver rejects it | Never — driver rejects it |
| See hosts, ports, or credentials | Never — names only | Never — names only |
| Reach a connection off its allowlist | Never | Never |
Read-Only (Default)
Yes
Write (Opt-In)
Yes
Read-Only (Default)
Yes — row-capped
Write (Opt-In)
Yes — row-capped
Read-Only (Default)
Yes
Write (Opt-In)
Yes
Read-Only (Default)
Yes
Write (Opt-In)
Yes
Read-Only (Default)
No — the database rejects it
Write (Opt-In)
One statement per call, row-capped
Read-Only (Default)
Never
Write (Opt-In)
Never
Read-Only (Default)
Never — driver rejects it
Write (Opt-In)
Never — driver rejects it
Read-Only (Default)
Never — names only
Write (Opt-In)
Never — names only
Read-Only (Default)
Never
Write (Opt-In)
Never
Every agent query lands in the same Query History your team uses, tagged with the token's name. That includes blocked attempts — when the guard rejects a statement, the rejection is logged too, so you can review exactly what an agent tried, not just what succeeded.
Nothing runs unrecorded. Agent queries and plan requests are written to Query History, every time.
Blocked attempts included. A rejected statement is evidence, not noise — it stays in the trail.
Errors are redacted before the agent sees them, so a failed query doesn't leak infrastructure details.
Query History
SELECT id, email FROM users ORDER BY created_at DESC LIMIT 50EXPLAIN SELECT * FROM orders WHERE status = ?UPDATE orders SET status = ? WHERE id = ?DROP TABLE usersQueryGlow exposes a standard MCP endpoint. Paste the config, and the agent gets exactly five tools — no more surface than the token allows.
{
"mcpServers": {
"queryglow": {
"url": "https://your-domain.com/api/mcp",
"headers": {
"Authorization": "Bearer qg_your_token"
}
}
}
}list_connections
The connections this token may use — names and environments, never hosts or credentials.
get_schema
Tables and columns of a connection, so the agent writes correct SQL.
run_query
Runs SQL and returns rows. Read-only tokens: reads only. Write tokens: also a single INSERT/UPDATE/DELETE, with dry-run preview.
explain_query
Returns the query plan without executing anything.
get_query_history
Recent queries — human and agent — for the allowed connections.
Honest note: Agent Access is disabled in the public live demo, so you can't poke at it there. The setup guide walks through the full setup; the fastest way to evaluate it is a local deployment against a test database.
You genuinely can. A competent developer can wire up a read-only MCP server against Postgres in an afternoon — people have, and it works. If that's all you need, build it.
The catch is the tail. A hand-rolled server is a weekend project with an unbounded security surface: your own SQL classifier, your own statement-splitting rules, your own row caps, your own audit log — each one a thing you now maintain and each one a place to be 99% right. Even the deprecated reference Postgres MCP server carried a documented SQL-injection case study.
QueryGlow's answer is to make the accepted safety pattern a checkbox instead of a codebase: read-only transactions enforced by the database, single statements enforced by the driver protocol, row-cap rollback, one audit trail — already built, already adversarially tested, attached to a GUI your team uses anyway.
The same token model and enforcement layers work across every engine QueryGlow supports.
One lifetime license covers the GUI and the agent layer — $79 once, pay never again. The live demo shows the GUI (Agent Access is disabled there); the docs cover the rest.