Provides read-only SQL query access to Postgres and DuckDB databases via MCP tools, with extensive security hardening for public endpoints.
process.env. You'll be asked to provide them before it can run.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| SUPABASE_POSTGRES | Yes | — | Postgres connection string (use a read-only user) |
| DUCKDB_FILE | Yes | ./data/t20_cricket.duckdb | Path to .duckdb file |
| RATE_LIMIT | No | 30/minute | Per-IP rate limit (SlowAPI format, e.g. 60/hour, 100/minute) |
| PG_STATEMENT_TIMEOUT_MS | | | Set statement_timeout on application roles (matches your ) |
| DUCKDB_QUERY_TIMEOUT_MS | No | 15000 | DuckDB query timeout in milliseconds |
| MAX_JSON_ROWS | | | 11. Auto-append LIMIT — queries without an outer LIMIT automatically get one (configurable via MAX_JSON_ROWS / MAX_TSV_ROWS) |
| MAX_TSV_ROWS | | | 11. Auto-append LIMIT — queries without an outer LIMIT automatically get one (configurable via MAX_JSON_ROWS / MAX_TSV_ROWS) |
| MAX_RESPONSE_BYTES | | | 12. Response size limit — responses exceeding the byte limit are rejected with HTTP 413 (configurable via , default: 1MB) |
| PG_POOL_MIN | No | 3 | Postgres connection pool minimum size |
| PG_POOL_MAX | No | 6 | Postgres connection pool maximum size |
| PG_POOL_ACQUIRE_TIMEOUT | No | 15 | Seconds to wait for a pool connection before returning 503 |
| MAX_CONCURRENT_PER_IP | No | 4 | Max simultaneous queries per IP |
| MAX_CONCURRENT_GLOBAL | No | 10 | Max simultaneous queries server-wide |
| GLOBAL_RATE_LIMIT | No | 200/minute | Global rate limit across all IPs |
| DUCKDB_MEMORY_LIMIT | No | 512MB | DuckDB memory limit |
| DUCKDB_THREADS | No | 2 | DuckDB thread limit |
| DUCKDB_TEMP_DIR | No | /tmp/duckdb | DuckDB temporary directory |
| DUCKDB_MAX_TEMP_DIR_SIZE | No | 2GB | DuckDB temp directory size cap |
| CORS_ALLOW_ORIGINS | No | | Comma-separated allowed origins |
| LOG_LEVEL | No | INFO | Logging level |
| AUTH0_DOMAIN | No | — | Auth0 tenant domain (enables /mcp-secure when set) |
| AUTH0_AUDIENCE | No | — | Auth0 API identifier |
| AUTH0_CLIENT_ID | No | — | Auth0 application client ID |
| AUTH0_CLIENT_SECRET | No | — | Auth0 application client secret |
| API_MONITOR_APP_NAME | | | |
| AUTH_FAIL_MAX | | | 24. Failed-auth rate limiter — in-memory counter blocks IPs after repeated failed JWT attempts on /mcp-secure (configurable via AUTH_FAIL_MAX and AUTH_FAIL_WINDOW) |
| AUTH_FAIL_WINDOW | | | 24. Failed-auth rate limiter — in-memory counter blocks IPs after repeated failed JWT attempts on /mcp-secure (configurable via AUTH_FAIL_MAX and AUTH_FAIL_WINDOW) |