Your MCP database server should not use an admin key

Against using admin-level database credentials for AI agents, as this poses significant security risks. Instead, it recommends granting each AI agent a narrowly scoped credential tailored to its specific task, with read-only access as the default and separate credentials for write operations. The key principle is to define the job first, then issue the minimal credential necessary to perform that job.

The fastest way to make an AI database agent dangerous is to connect it with the same credential a senior engineer uses in production. The model does not need your admin key. It needs a narrow, explicit operating lane. A safer MCP database setup starts with the job: Each job deserves its own credential scope. Read-only should be the default. Usually against approved views, not raw application tables. Writes need a different lane entirely: Longer version: Scoped credentials for MCP database servers The practical rule: Do not expose a database connection first and decide policy later. Define the job, then issue the smallest credential that can do that job.