PostgREST

32 tools. 11 can modify or destroy data without limits.

3 destructive tools with no built-in limits. Policy required.

11 can modify or destroy data
21 read-only
32 tools total

Community server · catalogue entry verified 10/06/2026

Read (21) · Write / Execute (8) · Destructive / Financial (3)
Critical Risk

11 of PostgREST's 32 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

PolicyLayer is an MCP gateway — it sits between your AI agents and PostgREST, and nothing reaches the server without passing your rules. These are the rules we recommend:

Block financial tools by default
{
  "confirm_cost": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Requires human approval."
      }
    ]
  }
}

Financial tools should be explicitly enabled per use case, not open by default.

Deny destructive operations
{
  "delete_branch": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "create_branch": {
    "limits": [
      {
        "counter": "create_branch_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "get_advisors": {
    "limits": [
      {
        "counter": "get_advisors_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.
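To make the four rules above concrete, here is a toy Python gateway (added here; it is not PolicyLayer's code) that evaluates them against a stream of tool calls: it shows why an empty conditions list amounts to an unconditional block, and how a per-grant counter stops an agent caught in a loop. The condition shape, the sliding-window counting and the pass-through of unlisted tools are assumptions, not documented PolicyLayer behaviour.

```python
import json
from collections import defaultdict, deque

# The four starter rules from this page, in the deny_if / limits shape shown above.
POLICY = json.loads("""{
  "confirm_cost":  {"deny_if": [{"conditions": [], "on_deny": "Requires human approval."}]},
  "delete_branch": {"deny_if": [{"conditions": [], "on_deny": "Blocked by default. Requires approval."}]},
  "create_branch": {"limits": [{"counter": "create_branch_per_hour", "window": "hour", "max": 30, "scope": "grant"}]},
  "get_advisors":  {"limits": [{"counter": "get_advisors_per_minute", "window": "minute", "max": 60, "scope": "grant"}]}
}""")

WINDOW_SECONDS = {"minute": 60, "hour": 3600}


class Gateway:
    """Toy evaluator: returns 'allow' or a 'deny: <reason>' string for each call."""

    def __init__(self, policy):
        self.policy = policy
        # (counter name, scope key) -> timestamps of allowed calls still inside the window
        self.counters = defaultdict(deque)

    def evaluate(self, tool, grant, now, args=None):
        rules = self.policy.get(tool)
        if rules is None:
            return "allow"  # assumption: tools without a rule pass through untouched
        args = args or {}
        for rule in rules.get("deny_if", []):
            # Assumed condition shape: {"arg": name, "equals": value}. all([]) is True,
            # so an empty conditions list matches every call: an unconditional block.
            if all(args.get(c["arg"]) == c["equals"] for c in rule["conditions"]):
                return "deny: " + rule["on_deny"]
        for lim in rules.get("limits", []):
            key = (lim["counter"], grant if lim["scope"] == "grant" else "*")
            seen = self.counters[key]
            span = WINDOW_SECONDS[lim["window"]]
            while seen and now - seen[0] >= span:  # assumed sliding window: drop expired calls
                seen.popleft()
            if len(seen) >= lim["max"]:
                return "deny: rate limit %s (%d per %s)" % (lim["counter"], lim["max"], lim["window"])
            seen.append(now)
        return "allow"


def run_agent_loop(gw, tool, grant, calls, spacing=1.0):
    """Simulate an agent stuck in a loop; returns (allowed, denied) counts."""
    verdicts = [gw.evaluate(tool, grant, i * spacing) for i in range(calls)]
    return sum(v == "allow" for v in verdicts), sum(v != "allow" for v in verdicts)
```

With the page's limit of 30 create_branch calls per hour, a loop of 45 calls one second apart yields (30, 15): the first thirty pass and the rest are stopped at the gateway.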

  1. Create a free account and register PostgREST — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.

Free to start. No card required.

READ (21 tools)
  get_advisors: Gets a list of advisory notices for a Supabase project. LLMs can use this to check for security vulnerabilitie
  get_cost: Gets the cost of a new project or branch for an organization.
  get_edge_function: Retrieves file contents for an Edge Function in a Supabase project.
  get_logs: Gets logs for a Supabase project by service type (api, postgres, edge functions, auth, storage, realtime). LLM
  get_organization: Gets details for an organization.
  get_project: Gets details for a project.
  get_project_url: Gets the API URL for a project.
  get_publishable_keys: Gets the anonymous API keys for a project. Returns an array of client-safe API keys including legacy anon keys
  get_storage_config: Gets the storage config for a Supabase project.
  list_branches: Lists all development branches.
  list_edge_functions: Lists all Edge Functions in a Supabase project.
  list_extensions: Lists all extensions in the database.
  list_migrations: Lists all migrations in the database.
  list_organizations: Lists all organizations that the user is a member of.
  list_projects: Lists all Supabase projects for the user.
  list_storage_buckets: Lists all storage buckets in a Supabase project.
  list_tables: Lists all tables within the specified schemas.
  pause_project: Pauses a project.
  rebase_branch: Rebases development branch on production to handle migration drift.
  search_docs: Searches the Supabase documentation for up-to-date information. LLMs can use this to find answers to questions
  generate_typescript_types: Generates TypeScript types based on the database schema. LLMs can save this to a file and use it in their code

Can an AI agent move money through the PostgREST MCP server?

Yes. The PostgREST server exposes 1 financial tool (confirm_cost). Without a policy, an autonomous agent can call it with no spend caps, no rate limits, and no approval flow. PolicyLayer lets you block financial tools by default, require human approval, or set per-tool rate limits — enforced on every call.

Can an AI agent delete data through the PostgREST MCP server?

Yes. The PostgREST server exposes 2 destructive tools, delete_branch and reset_branch. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through PostgREST?

The PostgREST server has 4 write tools, including create_branch, create_project and restore_project. Set a rate limit in your policy; for example, a limit of 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach PostgREST.

How many tools does the PostgREST MCP server expose?

32 tools across 4 categories: Destructive, Execute, Read, Write. 21 are read-only. 11 can modify, create, or delete data.

How do I enforce a policy on PostgREST?

Register the PostgREST MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every PostgREST tool call.

Deterministic rules across all 32 PostgREST tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

32 PostgREST tools catalogued and risk-classified — across an index of 42,500+ MCP servers.
