Set up the BigQuery MCP server

Google's BigQuery MCP server lets AI agents list datasets and tables, read schema metadata, and run SQL queries against BigQuery. This guide walks through enabling the BigQuery API, granting IAM roles to users, creating an OAuth client in Google Cloud, and connecting the server to MintMCP.

Prerequisites

Enable the BigQuery API

  1. Go to console.cloud.google.com/apis/enableflow?apiid=bigquery.googleapis.com and select your project.
  2. On Confirm project, check that the correct project is selected and click Next.
  3. On Enable API, click Enable.

Grant IAM roles

Each user who connects to BigQuery through MintMCP needs three IAM roles on the Google Cloud project.

  1. Go to console.cloud.google.com/iam-admin/iam and select your project.
  2. To add roles to a user already listed, click the edit (pencil) icon on their row. To add a new user, click Grant access and enter their email address or a Google Group.
  3. Add all three roles, clicking + Add another role for each:
    • BigQuery Data Viewer (roles/bigquery.dataViewer) to read BigQuery data
    • MCP Tool User (roles/mcp.toolUser) to make MCP tool calls
    • BigQuery Job User (roles/bigquery.jobUser) to run BigQuery jobs
  4. Click Save.

For more granular access control, grant roles/bigquery.dataViewer at the dataset or table level rather than the project level.

Create an OAuth client

The OAuth client gives MintMCP a Client ID and secret to broker each user's Google sign-in. Create one Web application client and point its redirect URI at MintMCP's callback.

  1. Go to console.cloud.google.com/auth/clients and select your project.

  2. If prompted to configure the OAuth consent screen, set the user type to Internal (Google Workspace organizations only). This restricts access to users in your org and skips Google app verification, which is otherwise required for the bigquery scope.

  3. Click Create client.

  4. Set Application type to Web application and give it a name (for example, MintMCP OAuth).

  5. Under Authorized redirect URIs, click Add URI and enter:

    https://app.mintmcp.com/oauth/callback

    Leave Authorized JavaScript origins empty. This URI must match the Redirect URL in the connector's OAuth settings exactly, or sign-in fails with redirect_uri_mismatch.

  6. Click Create. Google shows the Client ID and Client secret once — copy both now, because you can't view the secret again after closing the dialog.


Reopen the client anytime from the Clients list to edit its redirect URIs or rotate the secret.

Add BigQuery to MintMCP

  1. In MintMCP, go to MCP store > Manage store.

  2. Find the BigQuery connector and click to install it.

  3. Open the connector's OAuth settings and enter the Client ID and Client secret from the OAuth client you created. The recommended connector pre-fills the authorization URL, token URL, and scope.

  4. Confirm the Redirect URL shown in the connector's OAuth settings matches the URI you added to the OAuth client (https://app.mintmcp.com/oauth/callback). They must be identical, or sign-in fails with redirect_uri_mismatch.

  5. Click Save.

The first time a user calls a tool, MintMCP directs them to sign in with Google and consent to the bigquery scope. MintMCP stores and refreshes their token automatically on every subsequent call.

Security considerations

  • Access is controlled by Google Cloud IAM — users without the required roles receive an authorization error when connecting.
  • Each user authenticates individually with their own Google account, so all queries run under their identity and appear in BigQuery audit logs.
  • Grant roles/bigquery.dataViewer at the dataset or table level rather than project level to restrict which data users can query.
  • BigQuery logs all MCP operations through Cloud Audit Logs. Enable Data Access audit logs on the BigQuery API to capture read operations.
  • To block write operations (DML/DDL), use IAM deny policies on the execute_sql tool — see Control MCP use with IAM.
  • Query results are capped at 3,000 rows and queries time out after 3 minutes. Results exceeding the row cap are truncated without an error.
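
A check for the role and scope guidance above, added here as an example and not part of MintMCP's or Google's own tooling: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports, per user, missing project roles, whether BigQuery Data Viewer is granted project-wide, and any write-capable roles. The sample policy and user addresses are constructed, the `WRITE_ROLES` list is an assumption about which predefined roles to flag, and only direct bindings are examined (group membership and grants inherited from a folder or organization are not resolved).

```python
import json

# Project-level roles the guide requires for every MintMCP user.
PROJECT_ROLES = {"roles/mcp.toolUser", "roles/bigquery.jobUser"}
DATA_VIEWER = "roles/bigquery.dataViewer"
# Assumption: predefined roles that also permit writes and are worth flagging.
WRITE_ROLES = {"roles/owner", "roles/editor", "roles/bigquery.admin",
               "roles/bigquery.dataOwner", "roles/bigquery.dataEditor"}

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/bigquery.dataViewer", "members": ["user:ana@example.com"]},
  {"role": "roles/bigquery.jobUser",
   "members": ["user:ana@example.com", "user:ben@example.com"]},
  {"role": "roles/mcp.toolUser", "members": ["user:ana@example.com"]},
  {"role": "roles/bigquery.dataEditor", "members": ["user:ben@example.com"]}
]}
""")

def roles_by_member(policy):
    """Map each principal to the set of roles bound directly to it."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            granted.setdefault(member, set()).add(binding["role"])
    return granted

def audit(policy, members):
    """Per member: missing project roles, project-wide read, write-capable roles."""
    granted = roles_by_member(policy)
    report = {}
    for member in members:
        have = granted.get(member, set())
        report[member] = {
            "missing": sorted(PROJECT_ROLES - have),
            # True: dataViewer covers every dataset in the project.
            # False: it must be granted per dataset or table instead.
            "project_wide_read": DATA_VIEWER in have,
            "write_roles": sorted(WRITE_ROLES & have),
        }
    return report

if __name__ == "__main__":
    users = ["user:ana@example.com", "user:ben@example.com"]
    print(json.dumps(audit(SAMPLE_POLICY, users), indent=2))
```

A user with `project_wide_read` set to false and nothing in `missing` still needs a dataset-level or table-level Data Viewer grant, which does not appear in the project policy.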

Next steps