Cloudflare Remote PostgreSQL Database MCP Server + GitHub OAuth

This is a Model Context Protocol (MCP) server that enables you to chat with your PostgreSQL database, deployable as a remote MCP server with GitHub OAuth through Cloudflare. This is production ready MCP.

Key Features

🗄️ Database Integration with Lifespan: Direct PostgreSQL database connection for all MCP tool calls
🛠️ Modular, Single Purpose Tools: Following best practices around MCP tools and their descriptions
🔐 Role-Based Access: GitHub username-based permissions for database write operations
📊 Schema Discovery: Automatic table and column information retrieval
🛡️ SQL Injection Protection: Built-in validation and sanitization
📈 Monitoring: Optional Sentry integration for production monitoring
☁️ Cloud Native: Powered by Cloudflare Workers for global scale

Transport Protocols

This MCP server supports both modern and legacy transport protocols:

/mcp - Streamable HTTP (recommended): Uses a single endpoint with bidirectional communication, automatic connection upgrades, and better resilience for network interruptions
/sse - Server-Sent Events (legacy): Uses separate endpoints for requests/responses, maintained for backward compatibility

For new implementations, use the /mcp endpoint as it provides better performance and reliability.

How It Works

The MCP server provides three main tools for database interaction:

listTables - Get database schema and table information (all authenticated users)
queryDatabase - Execute read-only SQL queries (all authenticated users)
executeDatabase - Execute write operations like INSERT/UPDATE/DELETE (privileged users only)

Authentication Flow: Users authenticate via GitHub OAuth → Server validates permissions → Tools become available based on user's GitHub username.

Security Model:

All authenticated GitHub users can read data
Only specific GitHub usernames can write/modify data
SQL injection protection and query validation built-in

Simple Example First

Want to see a basic MCP server before diving into the full database implementation? Check out src/simple-math.ts - a minimal MCP server with a single calculate tool that performs basic math operations (add, subtract, multiply, divide). This example demonstrates the core MCP components: server setup, tool definition with Zod schemas, and dual transport support (/mcp and /sse endpoints). You can run it locally with wrangler dev --config wrangler-simple.jsonc and test at http://localhost:8789/mcp.

Prerequisites

Node.js installed on your machine
A Cloudflare account (free tier works)
A GitHub account for OAuth setup
A PostgreSQL database (local or hosted)

Getting Started

Step 1: Install Wrangler CLI

Install Wrangler globally to manage your Cloudflare Workers:

npm install -g wrangler

Step 2: Authenticate with Cloudflare

wrangler login

This will open a browser window where you can authenticate with your Cloudflare account.

Step 3: Clone and Setup

Clone the repo directly & install dependencies: npm install.

Environment Variables Setup

Before running the MCP server, you need to configure several environment variables for authentication and database access.

Create Environment Variables File

Create your .dev.vars file from the example:
```
cp .dev.vars.example .dev.vars
```

Configure all required environment variables in .dev.vars:

# GitHub OAuth (for authentication)
GITHUB_CLIENT_ID=your_github_client_id
GITHUB_CLIENT_SECRET=your_github_client_secret
COOKIE_ENCRYPTION_KEY=your_random_encryption_key

# Database Connection
DATABASE_URL=postgresql://username:password@localhost:5432/database_name

# Optional: Sentry monitoring
SENTRY_DSN=https://[email protected]/project-id
NODE_ENV=development

Getting GitHub OAuth Credentials

Create a GitHub OAuth App for local development:
- Go to GitHub Developer Settings
- Click "New OAuth App"
- Application name: MCP Server (Local Development)
- Homepage URL: http://localhost:8788
- Authorization callback URL: http://localhost:8788/callback
- Click "Register application"
Copy your credentials:
- Copy the Client ID and paste it as GITHUB_CLIENT_ID in .dev.vars
- Click "Generate a new client secret", copy it, and paste as GITHUB_CLIENT_SECRET in .dev.vars

Generate Encryption Key

Generate a secure random encryption key for cookie encryption:

openssl rand -hex 32

Copy the output and paste it as COOKIE_ENCRYPTION_KEY in .dev.vars.

Database Setup

Set up PostgreSQL using a hosted service like:
- Supabase (recommended for beginners)
- Neon
- Or use local PostgreSQL/Supabase

Update the DATABASE_URL in .dev.vars with your connection string:

DATABASE_URL=postgresql://username:password@host:5432/database_name

Connection String Examples:

Local: postgresql://myuser:mypass@localhost:5432/mydb
Supabase: postgresql://postgres:[email protected]:5432/postgres

Database Schema Setup

The MCP server works with any PostgreSQL database schema. It will automatically discover:

All tables in the public schema
Column names, types, and constraints
Primary keys and indexes

Testing the Connection: Once you have your database set up, you can test it by asking the MCP server "What tables are available in the database?" and then querying those tables to explore your data.

Local Development & Testing

Run the server locally:

wrangler dev

This makes the server available at http://localhost:8788

Testing with MCP Inspector

Use the MCP Inspector to test your server:

Install and run Inspector:

npx @modelcontextprotocol/inspector@latest

Connect to your local server:
- Preferred: Enter URL: http://localhost:8788/mcp (streamable HTTP transport - newer, more robust)
- Alternative: Enter URL: http://localhost:8788/sse (SSE transport - legacy support)
- Click "Connect"
- Follow the OAuth prompts to authenticate with GitHub
- Once connected, you'll see the available tools
Test the tools:
- Use listTables to see your database structure
- Use queryDatabase to run SELECT queries
- Use executeDatabase (if you have write access) for INSERT/UPDATE/DELETE operations

Production Deployment

For Production

Create a new GitHub OAuth App:

For the Homepage URL, specify https://mcp-github-oauth.<your-subdomain>.workers.dev
For the Authorization callback URL, specify https://mcp-github-oauth.<your-subdomain>.workers.dev/callback
Note your Client ID and generate a Client secret.
Set all required secrets via Wrangler:

wrangler secret put GITHUB_CLIENT_ID
wrangler secret put GITHUB_CLIENT_SECRET
wrangler secret put COOKIE_ENCRYPTION_KEY  # use: openssl rand -hex 32
wrangler secret put DATABASE_URL
wrangler secret put SENTRY_DSN  # optional (more on Sentry setup below)

Set up a KV namespace

Create the KV namespace:wrangler kv namespace create "OAUTH_KV"
Update the wrangler.jsonc file with the KV ID (replace )

Deploy & Test

Deploy the MCP server to make it available on your workers.dev domain

wrangler deploy

Test the remote server using Inspector:

npx @modelcontextprotocol/inspector@latest

Enter https://mcp-github-oauth.<your-subdomain>.workers.dev/mcp (preferred) or https://mcp-github-oauth.<your-subdomain>.workers.dev/sse (legacy) and hit connect. Once you go through the authentication flow, you'll see the Tools working:

You now have a remote MCP server deployed!

Database Tools & Access Control

Available Tools

1. `listTables` (All Users)

Purpose: Discover database schema and structure Access: All authenticated GitHub users Usage: Always run this first to understand your database structure

Example output:
- Tables: users, products, orders
- Columns: id (integer), name (varchar), created_at (timestamp)
- Constraints and relationships

2. `queryDatabase` (All Users)

Purpose: Execute read-only SQL queries Access: All authenticated GitHub users Restrictions: Only SELECT statements and read operations allowed

-- Examples of allowed queries:
SELECT * FROM users WHERE created_at > '2024-01-01';
SELECT COUNT(*) FROM products;
SELECT u.name, o.total FROM users u JOIN orders o ON u.id = o.user_id;

3. `executeDatabase` (Privileged Users Only)

Purpose: Execute write operations (INSERT, UPDATE, DELETE, DDL) Access: Restricted to specific GitHub usernames Capabilities: Full database write access including schema modifications

-- Examples of allowed operations:
INSERT INTO users (name, email) VALUES ('New User', '[email protected]');
UPDATE products SET price = 29.99 WHERE id = 1;
DELETE FROM orders WHERE status = 'cancelled';
CREATE TABLE new_table (id SERIAL PRIMARY KEY, data TEXT);

Access Control Configuration

Database write access is controlled by GitHub username in the ALLOWED_USERNAMES configuration:

// Add GitHub usernames for database write access
const ALLOWED_USERNAMES = new Set([
  'yourusername',    // Replace with your GitHub username
  'teammate1',       // Add team members who need write access
  'database-admin'   // Add other trusted users
]);

To update access permissions:

Edit src/index.ts and src/index_non_sentry.ts
Update the ALLOWED_USERNAMES set with GitHub usernames
Redeploy the worker: wrangler deploy

Typical Workflow

🔍 Discover: Use listTables to understand database structure
📊 Query: Use queryDatabase to read and analyze data
✏️ Modify: Use executeDatabase (if you have write access) to make changes

Security Features

SQL Injection Protection: All queries are validated before execution
Operation Type Detection: Automatic detection of read vs write operations
User Context Tracking: All operations are logged with GitHub user information
Connection Pooling: Efficient database connection management
Error Sanitization: Database errors are cleaned before being returned to users

Access the remote MCP server from Claude Desktop

Open Claude Desktop and navigate to Settings -> Developer -> Edit Config. This opens the configuration file that controls which MCP servers Claude can access.

Replace the content with the following configuration. Once you restart Claude Desktop, a browser window will open showing your OAuth login page. Complete the authentication flow to grant Claude access to your MCP server. After you grant access, the tools will become available for you to use.

{
  "mcpServers": {
    "math": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-github-oauth.<your-subdomain>.workers.dev/mcp"
      ]
    }
  }
}

Once the Tools (under 🔨) show up in the interface, you can ask Claude to interact with your database. Example commands:

"What tables are available in the database?" → Uses listTables tool
"Show me all users created in the last 30 days" → Uses queryDatabase tool
"Add a new user named John with email [email protected]" → Uses executeDatabase tool (if you have write access)

Using Claude and other MCP Clients

When using Claude to connect to your remote MCP server, you may see some error messages. This is because Claude Desktop doesn't yet support remote MCP servers, so it sometimes gets confused. To verify whether the MCP server is connected, hover over the 🔨 icon in the bottom right corner of Claude's interface. You should see your tools available there.

Using Cursor and other MCP Clients

To connect Cursor with your MCP server, choose Type: "Command" and in the Command field, combine the command and args fields into one (e.g. npx mcp-remote https://<your-worker-name>.<your-subdomain>.workers.dev/sse).

Note that while Cursor supports HTTP+SSE servers, it doesn't support authentication, so you still need to use mcp-remote (and to use a STDIO server, not an HTTP one).

You can connect your MCP server to other MCP clients like Windsurf by opening the client's configuration file, adding the same JSON that was used for the Claude setup, and restarting the MCP client.

Sentry Integration (Optional)

This project includes optional Sentry integration for comprehensive error tracking, performance monitoring, and distributed tracing. There are two versions available:

src/index.ts - Standard version without Sentry
src/index_sentry.ts - Version with full Sentry integration

Setting Up Sentry

Create a Sentry Account: Sign up at sentry.io if you don't have an account.
Create a New Project: Create a new project in Sentry and select "Cloudflare Workers" as the platform (search in the top right).
Get Your DSN: Copy the DSN from your Sentry project settings.

Using Sentry in Production

To deploy with Sentry monitoring:

Set the Sentry DSN secret:
```
wrangler secret put SENTRY_DSN
```
Enter your Sentry DSN when prompted.
Update your wrangler.toml to use the Sentry-enabled version:
```
main = "src/index_sentry.ts"
```
Deploy with Sentry:
```
wrangler deploy
```

Using Sentry in Development

Add Sentry DSN to your .dev.vars file:

SENTRY_DSN=https://[email protected]/project-id
NODE_ENV=development

Run with Sentry enabled:
```
wrangler dev
```

Sentry Features Included

Error Tracking: Automatic capture of all errors with context
Performance Monitoring: Full request tracing with 100% sample rate
User Context: Automatically binds GitHub user information to events
Tool Tracing: Each MCP tool call is traced with parameters
Custom Error Handling: User-friendly error messages with Event IDs
Context Enrichment: Automatic tagging and context for better debugging

How does it work?

OAuth Provider

The OAuth Provider library serves as a complete OAuth 2.1 server implementation for Cloudflare Workers. It handles the complexities of the OAuth flow, including token issuance, validation, and management. In this project, it plays the dual role of:

Authenticating MCP clients that connect to your server
Managing the connection to GitHub's OAuth services
Securely storing tokens and authentication state in KV storage

Durable MCP

Durable MCP extends the base MCP functionality with Cloudflare's Durable Objects, providing:

Persistent state management for your MCP server
Secure storage of authentication context between requests
Access to authenticated user information via this.props
Support for conditional tool availability based on user identity

MCP Remote

The MCP Remote library enables your server to expose tools that can be invoked by MCP clients like the Inspector. It:

Defines the protocol for communication between clients and your server
Provides a structured way to define tools
Handles serialization and deserialization of requests and responses
Maintains the Server-Sent Events (SSE) connection between clients and your server