Skip to main content

Set up the MySQL Toolbox MCP server

MySQL Toolbox is a hosted MintMCP connector, built on Google's MCP Toolbox, that exposes SQL and database-introspection tools against a single MySQL database. You decide exactly which tools the connector exposes — ready-made tools like listing tables or analyzing query plans, plus your own parameterized SQL — by declaring them in a configuration value.

This guide covers creating a least-privilege database user, allowing MintMCP to reach your database, defining your tools, and connecting the connector.

Prerequisites

  • A MintMCP admin account
  • A MySQL database reachable from MintMCP's runtime — a managed cloud MySQL (Amazon RDS, Cloud SQL, PlanetScale, etc.) or any host MintMCP can reach over the network.
  • Credentials for a database user

Create a connector user

All users of this connector share a single database connection using the user you configure, so create a dedicated, least-privilege user rather than reusing an admin account.

  1. Connect to your MySQL server as a user with sufficient privileges and create the connector user. Replace mydb with your database name and choose a strong password:
CREATE USER 'mintmcp_ro'@'%' IDENTIFIED BY 'choose-a-strong-password';
GRANT SELECT ON mydb.* TO 'mintmcp_ro'@'%';

The '%' host wildcard allows connections from any IP; narrow it to MintMCP's egress IP (see Allow MintMCP to reach the database) once you know it.

  1. To enable the mysql-list-active-queries tool, which reads information_schema.processlist and innodb_trx, also grant PROCESS:
GRANT PROCESS ON *.* TO 'mintmcp_ro'@'%';

PROCESS is the MySQL analog of PostgreSQL's pg_monitor — it lets the user see all running queries and transactions, not just their own.

  1. To enable the mysql-list-table-stats tool, which reads performance_schema, also grant SELECT on it:
GRANT SELECT ON performance_schema.* TO 'mintmcp_ro'@'%';

performance_schema must also be enabled on the server — it is on by default on managed providers like Amazon RDS and Cloud SQL, but some self-hosted builds turn it off.

A few things to keep in mind:

  • GRANT SELECT ON mydb.* covers only the named database. If your data lives in multiple databases, add a grant for each one.
  • PROCESS is a global privilege required only if you enable the mysql-list-active-queries tool. Skip it if you don't need active-query monitoring.
  • SELECT ON performance_schema.* is required only if you enable the mysql-list-table-stats tool. Skip it otherwise.
  • The user is the real boundary on what the connector can do. If you expose write or arbitrary-SQL tools (see below), they can only run what this user is granted — so keep it read-only unless write access is explicitly intended.

Allow MintMCP to reach the database

MySQL Toolbox uses a dedicated egress IP shown on its MintMCP connector settings page.

  1. In MintMCP, go to MCP store > Manage store and open the MySQL Toolbox connector page.
  2. Note the Egress IP shown there.
  3. If your database or its firewall / security group restricts inbound traffic, add that IP to the allowlist and confirm port 3306 is open. For managed providers like Amazon RDS or Cloud SQL, add it to the instance's authorized networks.

Define the tools

The connector exposes only the tools you declare in the TOOLBOX_TOOLS environment variable. You define tools, not data sources — every tool runs against the database you configure in the next section, and the connector wires that connection in for you, so you never set a source. Each tool has a kind and an optional description; group tools into named toolsets.

There are two categories of tools:

  • Ready-made tools — built-in introspection and monitoring tools. Declare the kind and a description; the tool's query is built in, and it exposes its own input parameters automatically (for example, mysql-list-tables accepts an optional list of table names to filter by). These never take a statement.
  • Custom SQL toolsmysql-sql runs a fixed, parameterized statement you write; mysql-execute-sql runs an arbitrary statement supplied by the caller.
{
  "tools": {
    "list_tables": { "kind": "mysql-list-tables", "description": "List tables in the database." },
    "get_customer": {
      "kind": "mysql-sql",
      "description": "Look up a customer by id.",
      "statement": "SELECT id, name, created_at FROM customers WHERE id = ?",
      "parameters": [
        { "name": "id", "type": "integer", "description": "Customer id." }
      ]
    },
    "execute_sql": { "kind": "mysql-execute-sql", "description": "Execute an arbitrary SQL statement." }
  },
  "toolsets": {
    "read": ["list_tables", "get_customer"],
    "write": ["execute_sql"]
  }
}

Available tools

Pick a category to see what each tool returns, then expand Copy as JSON to grab a ready-to-paste config for that category. Ready-made tools need only a kind and a description; mysql-sql and mysql-execute-sql are the custom SQL tools.

KindRequired fieldsPurpose
mysql-sqlstatement, plus parameters (bound ?) and/or templateParameters ({{.name}})A fixed query you define and expose as a single tool
mysql-execute-sqlnoneRun an arbitrary SQL statement passed by the caller (read or write)
Copy as JSON
{
  "tools": {
    "top_customers": {
      "kind": "mysql-sql",
      "description": "Highest-spending customers.",
      "statement": "SELECT name, total FROM customers ORDER BY total DESC LIMIT ?",
      "parameters": [
        { "name": "limit", "type": "integer", "description": "Number of rows to return.", "default": 10 }
      ]
    },
    "execute_sql": { "kind": "mysql-execute-sql", "description": "Execute an arbitrary SQL statement." }
  },
  "toolsets": { "sql": ["top_customers", "execute_sql"] }
}

MySQL-only lock

This connector is MySQL-only by design. You cannot declare your own sources or use a non-mysql-* tool kind — the connector rejects them and refuses to start, with the reason in its logs, rather than silently connecting somewhere unexpected. The database your tools run against is always the one you configure below.

Add MySQL Toolbox to MintMCP

  1. Go to app.mintmcp.com/vmcps?tab=manage-store.
  2. Find MySQL Toolbox and click to install it.
  3. Set the following environment variables:
VariableDescriptionRequired
MYSQL_HOSTDatabase hostname or IPYes
MYSQL_PORTPort (default: 3306)No
MYSQL_DATABASEDatabase nameYes
MYSQL_USERDatabase user (e.g., mintmcp_ro)Yes
MYSQL_PASSWORDUser password — stored as a secretYes
MYSQL_TLSTLS mode: false, preferred (default), skip-verify, or trueNo
TOOLBOX_TOOLSThe tool definitions (see Define the tools)Yes

For managed databases that require TLS — which most do — set MYSQL_TLS to true to verify the server certificate, or skip-verify to encrypt the connection without certificate verification. The default, preferred, attempts TLS and falls back to an unencrypted connection if the server does not offer it.

  1. Click Save. The connector connects to your database and loads your tools on startup, and becomes available once it can reach the database. If the database is unreachable or TOOLBOX_TOOLS is invalid, the connector fails to start — check its logs for the reason.

Security considerations

  • Every user queries your database as the single configured user — use a read-only, least-privilege user unless write access is explicitly intended.
  • The MySQL-only lock prevents the connector from reaching other databases or services, but it does not restrict SQL operations. The mysql-execute-sql tool and any write mysql-sql tools can run whatever the user is granted, so the database user is the real guardrail. Omit those tools, or keep the user read-only, to prevent writes.
  • Connection details are stored as MintMCP global environment variables; the password is held as a secret.
  • Prefer MYSQL_TLS=true (or skip-verify) for managed or remote databases.
  • Combine the dedicated egress IP with a database firewall allowlist so only MintMCP can reach the database.

Next steps