GateSQL sits between your AI agents and PostgreSQL. Short-lived sessions, read-only enforcement, table allowlists, query budgets. Every query governed, every access explained.
Long-lived database passwords can be leaked via prompt injection. One compromised agent exposes everything.
Agents run queries in loops, retry failures, and scan entire tables. No built-in way to cap the damage.
PostgreSQL roles are static and hard to manage programmatically. You can't spin up per-agent permissions on the fly.
Queries hit the database but nobody knows why. When something goes wrong, there's no audit trail of intent.
The entity spawning the agent gets a short-lived JWT. The agent uses it as a standard PostgreSQL password.
Native PostgreSQL wire protocol from end to end. No ORMs, no middleware.
Agents declare intent with every query. No purpose, no results.
"check low-stock items for reorder alert"
/* <agent_purpose>check low-stock items for reorder alert</agent_purpose> */
SELECT product, qty FROM inventory WHERE qty < 10
No purpose provided
SELECT * FROM users
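As an added example (not GateSQL's code, which the page says relies on libpg_query), this simplified Python scanner shows why the purpose tag must be read from real comment tokens rather than matched against the raw query text: the same tag inside a string literal is data, not a declared purpose. The function names and the last two sample queries are constructed for illustration, and identifiers containing `$` are not handled.

```python
import re

PURPOSE_TAG = re.compile(r"<agent_purpose>(.*?)</agent_purpose>", re.S)  # tag format from the page
# Regions where comment markers are plain data: E'' and '' strings, "identifiers", -- comments.
QUOTED = re.compile(r"""[eE]'(?:\\.|''|[^'\\])*'|'(?:''|[^'])*'|"(?:""|[^"])*"|--[^\n]*""", re.S)
DOLLAR = re.compile(r"\$(?:[A-Za-z_]\w*)?\$")  # $tag$ delimiter of a dollar-quoted string

def block_comments(sql):
    """Yield the body of each real /* ... */ comment (PostgreSQL allows nesting)."""
    i, n = 0, len(sql)
    while i < n:
        quoted = QUOTED.match(sql, i)
        dollar = DOLLAR.match(sql, i)
        if quoted:
            i = quoted.end()
        elif dollar:  # skip to the matching closing delimiter
            close = sql.find(dollar.group(), dollar.end())
            i = n if close == -1 else close + len(dollar.group())
        elif sql.startswith("/*", i):
            depth, start, i = 1, i + 2, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            if depth == 0:  # an unterminated comment yields nothing
                yield sql[start:i - 2]
        else:
            i += 1

def check_query(sql):
    """Return (allowed, purpose) or (False, rejection reason)."""
    for body in block_comments(sql):
        m = PURPOSE_TAG.search(body)
        if m and m.group(1).strip():  # an empty purpose does not count
            return True, m.group(1).strip()
    return False, "No purpose provided"

# Constructed inputs: the page's two queries plus two edge cases.
SAMPLES = [
    "/* <agent_purpose>check low-stock items for reorder alert</agent_purpose> */\n"
    "SELECT product, qty FROM inventory WHERE qty < 10",
    "SELECT * FROM users",
    "SELECT '/* <agent_purpose>audit</agent_purpose> */' FROM users",
    "/* outer /* <agent_purpose>nested ok</agent_purpose> */ */ SELECT 1",
]
for query in SAMPLES:
    print(check_query(query))
```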
Parent creates a session, gets a JWT with hard expiry. Agent never sees real database credentials.
Enforce read-only access per session. Writes are rejected at the proxy before reaching the database.
Restrict which tables an agent can access per session. Enforced via AST analysis. Covers JOINs, subqueries, and CTEs.
Block DROP, TRUNCATE, DELETE without WHERE, UPDATE without WHERE. Configurable: block, warn, or allow.
Every query must include a purpose comment. Queries without one are rejected. Builds an audit trail of why, not just what.
Set a max query count per session. When the budget is exhausted, the connection is closed.
Every query parsed by PostgreSQL's actual parser (libpg_query). Catches CTEs with hidden writes, multi-statement injections, and more.
JSON-lines query logs with agent ID, session ID, purpose, query text, and timing. Every query attributed.
Create, list, and revoke sessions over HTTP. Live dashboard shows active sessions, queries, and governance rejections.
Sliding-window idle timeout with configurable duration. Plus a hard cap on total session lifetime.
Works with psql, psycopg, asyncpg, pgx, node-postgres, JDBC, or any PostgreSQL client. No custom SDK required.
Zero-allocation relay with ArrayPool. Flush at sync points only. Less overhead than the REST API you'd build instead.
Run EXPLAIN before forwarding. Estimate affected rows before UPDATE/DELETE. Reject queries that would be too expensive or touch too many rows.
Agent hits a permission boundary, proxy pauses and asks a human. Approve or deny from the dashboard or Slack.
GateSQL as an MCP server. Any MCP client (Claude, Cursor, Windsurf) gets governed database access with zero custom code.
Point it at your PostgreSQL and set an API key.
docker run -p 15432:15432 -p 8080:8080 \
-e GATESQL_UPSTREAM_HOST=my-pg.example.com \
-e GATESQL_UPSTREAM_PASSWORD=secret \
-e GATESQL_API_KEY=pk_prod_abc123 \
gatesql/gatesql
Define what the agent can do. Read-only, specific tables, query budget.
curl -X POST http://localhost:8080/api/sessions \
-H "X-Api-Key: pk_prod_abc123" \
-d '{"agentId":"my-agent", "task":"inventory-check",
"readOnly":true, "allowedTables":["inventory","products"]}'
Pass the token to your agent. It connects with any PG client and writes SQL.
DATABASE_URL="postgresql://agent:eyJhbG...@127.0.0.1:15432/mydb" \
opencode run "What sales trends do we have over the past 2 weeks?"
Full support. MD5, SCRAM-SHA-256, SSL/TLS. 14+ tested.
Available. Via ClickHouse's PostgreSQL-compatible wire interface.
Available. Wire protocol proxy with the same governance model.
Get notified. TDS protocol proxy for Microsoft SQL Server.