Give AI agents safe access
to your database.
Your MongoDB or Postgres, sandboxed. Your fields, controlled.
One /mcp endpoint for Claude, ChatGPT, Cursor, and anything else that speaks MCP.
Built for teams who want AI on real data
Four non-negotiables. If any of these sound like you, keep reading.
- You refuse to share raw database credentials with AI tools.
- You need field-level control over what AI can see — GDPR, PII, compliance.
- You want one MCP endpoint that works across Claude, ChatGPT, and Cursor.
- You want to self-host everything — your server, your data, your rules.
Six things you get out of the box
The parts that matter most. Everything else — audit trail, API keys, agent memory, schema cache — is below under Security and How It Works.
Sandbox Isolation
Production data cloned into a Docker container. AI reads the copy, never the original. Writes are rejected end-to-end.
Field-Level Control
Toggle any field or collection visible or hidden. Changes take effect on the next query — no resync, no redeploy.
PII Auto-Detection
Fields like email, password, ssn, phone are detected and pre-hidden on first sync.
One Surface, Two Engines
MongoDB and PostgreSQL speak the same MCP vocabulary. Postgres tables show up alongside Mongo collections. Mix them in one workspace.
Multi-Database Discovery
Many databases, across engines. Plain-language descriptions plus a databases://overview resource and a per-tool connectionId let the agent route itself.
MCP Apps Result Viewer
Interactive table inside Claude Desktop, Claude Web, and VS Code Copilot. Non-Apps hosts fall back to plain JSON.
Code Mode — one round trip, not N+1.
The execute-typescript MCP tool lets the AI write a small TypeScript program that composes multiple queries inside a QuickJS WebAssembly isolate. One round trip in, one structured result out — instead of N+1 separate tool calls.
- Math is correct. Sums, averages, percentages run as real JavaScript.
- Token cost drops. A query touching 500 docs lives and dies inside the isolate.
- Security unchanged. Same validation pipeline, hidden fields stripped before data crosses in.
// click Run to execute in the sandbox // (mock — real runs happen on your server)
Per execution: 30s wall-clock timeout · 128MB memory · 50 bridge calls · 256KB serialized result.
Toggle a field. Watch it disappear from the AI.
Click a chip to flip it. Off = stripped before the response ever leaves your server.
users · collection
✓ on = visible to AI · ✗ off = stripped at query time
How it works
Three steps, one architecture. No CDC, no replication lag, no mystery.
MongoDB or PostgreSQL connection string. Read-only credentials are enough.
Browse the schema with real sample data, flip chips for anything the AI shouldn't see.
Give your AI agent https://<your-domain>/mcp. Hidden fields are stripped from every response.
Without AskDB vs. With AskDB
Everything on the left is what people do today because the tooling hasn't caught up.
Without AskDB
- Share raw MongoDB or Postgres credentials with AI tools and hope nothing gets written.
- Export CSVs to ChatGPT. Stale within hours. GDPR violated.
- Spin up Metabase/Looker for weeks. AI agent still can't use it.
- Business asks "pro users this week?" and waits for an engineer.
- No idea what the AI queried or when.
- AI can see
ordersbut notemailinside them? Not possible.
With AskDB
- Sandbox isolation. AI queries a read-only copy. Production never touched.
- Real-time queries against live sandbox data. PII auto-hidden.
- One MCP endpoint. Claude, ChatGPT, Cursor — minutes, not weeks.
- They ask the AI agent directly. Answer in seconds.
- Full audit trail. Every query, timestamp, result count.
- Field-level toggles. Hide specific fields, not entire collections.
Install where you want it
Three flavors, one codebase. Pick the one that matches your stack.
Installs Docker, generates secrets, brings the stack up behind Caddy with auto-provisioned Let's Encrypt HTTPS. 2–3 minutes end to end. Re-run the same command later to upgrade.
git clone https://github.com/mgorabbani/askdb.git cd askdb # proxyless profile — no Caddy, no TLS, binds 127.0.0.1:3100 cat > .env <<EOF COMPOSE_PROFILES=proxyless DOMAIN=localhost BETTER_AUTH_URL=http://localhost:3100 TRUSTED_ORIGINS=http://localhost:3100 EOF docker compose up --build -d open http://localhost:3100
Best for evaluating the product on your laptop. Skip this for production — OAuth flows require HTTPS, so use the VPS or Cloudflare Tunnel options for real clients.
Paste your Cloudflare tunnel token when prompted. No inbound firewall rules, no DNS A record, no Let's Encrypt. Great for home-lab or locked-down VPS.
Binds 127.0.0.1:3100. Point Coolify, Traefik, nginx, or any existing proxy at it. You own the TLS cert.
Plug into your AI tool
Two auth modes — use whichever your client supports.
Sign in from the browser
MCP's remote-transport standard. No static secret to leak, no config file to edit — the client discovers the auth server, pops a browser consent screen, and Claude/ChatGPT/Cursor store a rotating token for you.
- In Claude, ChatGPT, or Cursor, add a custom MCP connector.
- Paste
https://<your-domain>/mcp. - Approve in the browser with your admin account.
Static API key
For local clients that don't implement OAuth flows yet (Claude Code, Cursor's config.json, scripts). Generate a key in the dashboard, paste it as a bearer header, revoke anytime.
{
"askdb": {
"type": "streamable-http",
"url": "https://YOUR_SERVER/mcp",
"headers": {
"Authorization": "Bearer ask_sk_YOUR_KEY"
}
}
}
{
"mcpServers": {
"askdb": {
"url": "https://YOUR_SERVER/mcp",
"headers": {
"Authorization": "Bearer ask_sk_YOUR_KEY"
}
}
}
}
Security invariants
Nine rules that always hold. Every release CI run proves them end-to-end against a real Mongo and a real Postgres.
find, aggregate, count, distinct on Mongo; SELECT only on Postgres.
$merge, $out, $collStats, $currentOp, $listSessions rejected.
$lookup and joins across hidden collections are rejected.
tecnativa/docker-socket-proxy sidecar sits between AskDB and /var/run/docker.sock, exposing only the container, image, network, and volume endpoints AskDB needs.
Frequently asked
How long does setup take?
Under 10 minutes. Paste your MongoDB or Postgres URL, configure visibility, copy the MCP URL into your AI tool.
Does AskDB write to my production database?
Never. It connects read-only to run mongodump (Mongo) or pg_dump (Postgres), then all queries go against the sandbox copy.
How is field filtering different from data masking?
Data masking replaces values with fakes. AskDB simply omits hidden fields entirely — the AI doesn't know they exist.
Which databases are supported today?
MongoDB and PostgreSQL, both first-class. Pick the engine when you add a connection, or mix them in one workspace. MySQL is next on the roadmap.
Can I connect more than one database at once?
Yes. Every connection gets a plain-language description. Agents see a databases://overview resource plus a list-databases tool and pass a connectionId into every query call.
OAuth vs API key — which do I use?
OAuth is the remote-MCP standard and is the recommended path for Claude, ChatGPT, and Cursor. It handles discovery, consent, and token rotation for you. API keys exist for local clients (Claude Code, Cursor mcp.json, scripts) that still expect a static bearer header.
How does the sandbox stay fresh?
Manual sync — click "Sync Now" in the dashboard. Scheduled sync is on the roadmap.
Is it really open source?
Yes — AGPLv3. Fork it, run it, modify it. If you run a modified version as a network service, share your modifications back.
Ready in 2 minutes on a fresh VPS.