Agent access (MCP)

Give an AI agent — Claude Desktop, Cursor, Claude Code or any MCP client — scoped, time-boxed, fully recorded access to your databases, through the same guardrails and recording a human goes through.

Agent credentials are managed from Agent access in the console at app.subnomic.com.

Agent access uses no AI of its own — you are exposing governed access to an agent; the agent brings its own intelligence. (Session summaries and audit search are a separate, optional add-on — see AI insights.)

Mint an agent credential

  1. Go to Agent access → Create agent (owner / admin only).
  2. Name it, then choose its capabilities: database.read (discover targets) and database.query_read (run read-only queries).
  3. Pick the allowed databases — the agent can only ever reach the targets you select, nothing else.
  4. Set an expiry (7 / 30 / 90 days). Agents are always time-boxed.
  5. On save you get a one-time token, the MCP endpoint URL and a ready-to-paste client config. The token is shown once — store it safely.

Connect a client

Clients that support remote (Streamable HTTP) MCP — Cursor, Claude Code — take the URL + bearer token directly:

{
  "mcpServers": {
    "subnomic": {
      "url": "https://app.subnomic.com/mcp",
      "headers": { "Authorization": "Bearer subnomic_live_agt_…" }
    }
  }
}

For a stdio-only client, bridge it with mcp-remote:

{ "mcpServers": { "subnomic": {
  "command": "npx",
  "args": ["mcp-remote", "https://app.subnomic.com/mcp",
           "--header", "Authorization: Bearer subnomic_live_agt_…"]
}}}

Verify the endpoint before wiring a client in:

curl -s https://app.subnomic.com/mcp \
  -H "Authorization: Bearer subnomic_live_agt_…" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

What the agent can do

  • list_targets — list the databases the credential is scoped to.
  • query_database — run a read-only SQL query (SELECT / SHOW / EXPLAIN) against an allowed target. Writes and DDL are refused.
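
A check to run on the tools/list reply from the curl command above, added here as an example and not Subnomic's own code: it confirms that a credential exposes only the two documented tools, whether the server answers with plain JSON or an SSE-framed body. The reply shape follows the MCP specification; the sample replies, the run_statement tool name and the error text are constructed for illustration.

```python
import json
import sys

# The two tools this page documents for an agent credential.
EXPECTED_TOOLS = {"list_targets", "query_database"}

def parse_mcp_body(body):
    """Return the JSON-RPC reply from a plain-JSON or SSE-framed HTTP body."""
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body)
    # Assumption: an SSE reply carries one JSON-RPC message per "data:" line.
    for line in body.splitlines():
        if line.startswith("data:"):
            msg = json.loads(line[5:])
            if "result" in msg or "error" in msg:
                return msg
    raise ValueError("no JSON-RPC reply found in body")

def check_tools(body, expected=EXPECTED_TOOLS):
    """Compare the tools a credential exposes with the documented set."""
    msg = parse_mcp_body(body)
    if "error" in msg:  # the server rejected the request
        return {"ok": False, "error": msg["error"].get("message"),
                "unexpected": [], "missing": sorted(expected)}
    names = {tool["name"] for tool in msg["result"]["tools"]}
    unexpected = sorted(names - expected)
    # Only extra tools fail the check; missing ones are reported for review.
    return {"ok": not unexpected, "error": None,
            "unexpected": unexpected, "missing": sorted(expected - names)}

# Constructed sample replies (not captured from a real server).
SAMPLE_JSON = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": [
    {"name": "list_targets"}, {"name": "query_database"}]}})
SAMPLE_SSE = "event: message\ndata: " + json.dumps({"jsonrpc": "2.0", "id": 1,
    "result": {"tools": [{"name": "list_targets"}, {"name": "run_statement"}]}})
SAMPLE_ERROR = json.dumps({"jsonrpc": "2.0", "id": 1,
    "error": {"code": -32000, "message": "credential rejected"}})

if __name__ == "__main__":
    # Pass files holding saved curl output, or run with no arguments for the samples.
    bodies = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_JSON, SAMPLE_SSE, SAMPLE_ERROR]
    for body in bodies:
        print(check_tools(body))
```

Save the curl output to a file and pass its path as an argument to check a real credential.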

Every query is guardrail-evaluated and recorded as a database session you can replay, attributed to the agent. A query a guardrail would deny — or one needing human approval — is refused: an agent has no interactive-approval path.

The target's agent must be online and its database credential configured, exactly as for the human console. Revoke a credential any time from the Agent access list — the token stops working immediately.

Permissions

mcp.read mcp.manage

mcp.read views credentials; mcp.manage mints and revokes them — both owner/admin-level. A credential's scopes can never exceed the permissions of the admin who minted it.