# Altinity MCP Server [![Coverage Status](https://coveralls.io/repos/github/Altinity/altinity-mcp/badge.svg)](https://coveralls.io/github/Altinity/altinity-mcp) A Model Context Protocol (MCP) server that provides tools for interacting with ClickHouse® databases. This server enables AI assistants and other MCP clients to query, analyze, and interact with ClickHouse® databases through a standardized protocol. ## Features - **Multiple Transport Options**: Support for STDIO, HTTP, and Server-Sent Events (SSE) transports - **OAuth 2.0 Authorization**: Forward Bearer tokens to ClickHouse for token-based authentication via OIDC providers (see [OAuth 2.0 Documentation](docs/oauth_authorization.md)) - **JWE Authentication**: Optional JWE-based authentication with encryption for secure database access - **TLS Support**: Full TLS encryption support for both ClickHouse® connections and MCP server endpoints - **Comprehensive Tools**: Built-in tools for listing tables, describing schemas, and executing queries - **Dynamic Tools**: Automatically generate MCP tools from ClickHouse® views and tables (see [Tools Documentation](docs/tools.md)) - **Resource Templates**: Dynamic resource discovery for database schemas and table information - **Query Prompts**: AI-assisted query building and optimization prompts - **Configuration Management**: Flexible configuration via files, environment variables, or CLI flags - **Hot Reload**: Dynamic configuration reloading without server restart ## Table of Contents - [Quick Start](#quick-start) - [Integration Guide](#integration-guide) - [Installation & Deployment](#installation--deployment) - [Configuration](#configuration) - [Available Tools](#available-tools) - [Available Resources](#available-resources) - [Available Prompts](#available-prompts) - [OpenAI GPTs Integration](#openai-gpts-integration) - [OAuth 2.0 Authorization](#oauth-20-authorization) - [JWE Authentication](#jwe-authentication) - [TLS Configuration](#tls-configuration) - [Development & Testing](#development--testing) - [CLI Reference](#cli-reference) - [Contributing](#contributing) - [License](#license) - [Support](#support) ## Quick Start ### Using STDIO Transport (Default) ```bash # Basic usage with default settings ./altinity-mcp --clickhouse-host localhost --clickhouse-port 8123 # With custom database and credentials ./altinity-mcp \ --clickhouse-host clickhouse.example.com \ --clickhouse-port 9000 \ --clickhouse-protocol tcp \ --clickhouse-database analytics \ --clickhouse-username reader \ --clickhouse-password secret123 \ --clickhouse-limit 5000 ``` ### Using HTTP Transport with OpenAPI ```bash ./altinity-mcp \ --transport http \ --address 0.0.0.0 \ --port 8080 \ --clickhouse-host localhost \ --openapi http ``` ### Using SSE Transport with JWE Authentication and OpenAPI ```bash ./altinity-mcp \ --transport sse \ --port 8080 \ --allow-jwe-auth \ --jwe-secret-key "your-jwe-encryption-secret" \ --jwt-secret-key "your-jwt-signing-secret" \ --clickhouse-host localhost \ --openapi http ``` ## Integration Guide For detailed instructions on integrating Altinity MCP with various AI tools and platforms, see our [Integration Guide](docs/howto_integrate.md). ## Installation & Deployment ### Using Docker ```bash docker run -it --rm ghcr.io/altinity/altinity-mcp:latest --clickhouse-host clickhouse ``` ### Kubernetes with Helm From OCI helm registry (recommended) ```bash # Install from OCI registry helm install altinity-mcp oci://ghcr.io/altinity/altinity-mcp/helm/altinity-mcp \ --set config.clickhouse.host=clickhouse.example.com \ --set config.clickhouse.database=default \ --set config.clickhouse.limit=5000 ``` From local helm chart ```bash git clone https://github.com/Altinity/altinity-mcp cd altinity-mcp helm install altinity-mcp ./helm/altinity-mcp \ --set config.clickhouse.host=clickhouse-service \ --set config.clickhouse.database=analytics \ --set config.server.transport=http \ --set config.server.port=8080 ``` From a tag-published GHCR image ```bash helm install altinity-mcp oci://ghcr.io/altinity/altinity-mcp/helm/altinity-mcp \ --set image.tag= \ --set config.clickhouse.host=clickhouse.example.com \ --set config.clickhouse.database=default ``` For detailed Helm chart configuration options, see [Helm Chart README](helm/altinity-mcp/README.md). ### Docker Compose ```yaml version: '3.8' services: altinity-mcp: build: . ports: - "8080:8080" environment: - CLICKHOUSE_HOST=clickhouse - MCP_TRANSPORT=http - MCP_PORT=8080 depends_on: - clickhouse entrypoint: ["/bin/sh", "-c", "/bin/altinity-mcp"] clickhouse: image: clickhouse/clickhouse-server:latest ports: - "8123:8123" ``` ### With installed golang ```bash go install github.com/altinity/altinity-mcp/cmd/altinity-mcp@latest $(go env GOPATH)/bin/altinity-mcp --help ``` ### From Source ```bash git clone https://github.com/altinity/altinity-mcp.git cd altinity-mcp go build -o altinity-mcp ./cmd/altinity-mcp ``` ## Configuration ### Configuration File Create a YAML or JSON configuration file: ```yaml # config.yaml clickhouse: host: "localhost" port: 8123 database: "default" username: "default" password: "" protocol: "http" read_only: false max_execution_time: 600 tls: enabled: false ca_cert: "" client_cert: "" client_key: "" insecure_skip_verify: false server: transport: "stdio" address: "0.0.0.0" port: 8080 tls: enabled: false cert_file: "" key_file: "" ca_cert: "" jwt: enabled: false secret_key: "" openapi: enabled: false tls: false dynamic_tools: - regexp: "mydb\\..*" prefix: "db_" - name: "get_user_data" regexp: "users\\.user_info_view" logging: level: "info" ``` > **Note**: For detailed information about dynamic tools configuration, see the [Tools Documentation](docs/tools.md). Use the configuration file: ```bash ./altinity-mcp --config config.yaml ``` ### Environment Variables Every configuration field with a `flag:` tag in [pkg/config/config.go](pkg/config/config.go) is settable via CLI flag or env var. The CLI flag and env-var name are listed in the field's `flag:` and `env:` tags. `altinity-mcp --help` prints the full surface. Common examples: ```bash export CLICKHOUSE_HOST=localhost export CLICKHOUSE_PORT=8123 export CLICKHOUSE_DATABASE=analytics export CLICKHOUSE_LIMIT=5000 export MCP_TRANSPORT=http export MCP_PORT=8080 export LOG_LEVEL=debug # OAuth — env-var injection lets operators pull secrets from a Kubernetes # Secret via `valueFrom.secretKeyRef` instead of committing them to YAML. export MCP_OAUTH_ENABLED=true export MCP_OAUTH_MODE=gating export MCP_OAUTH_ISSUER=https://accounts.example.com export MCP_OAUTH_SIGNING_SECRET=... ./altinity-mcp ``` Special flags that don't follow this pattern: `--config` (config file path), `--config-reload-time`, `--openapi` (one flag → two struct fields). See `altinity-mcp --help`. ## Available Tools ### `execute_query` Executes SQL queries against ClickHouse® with optional result limiting. MCP tool safety annotations: - When the server runs with `--read-only`, `execute_query` is exposed as read-only. - Otherwise `execute_query` is marked as potentially destructive. **Parameters:** - `query` (required): The SQL query to execute - `limit` (optional): Maximum number of rows to return (default: server configured limit, max: 10,000) ### Dynamic Tools Dynamic tools generated from ClickHouse views are always exposed as read-only MCP tools with explicit safety hints. View `COMMENT` supports either: - A plain string description. - A strict JSON object with top-level `title`, `description`, and `annotations`. See [Tools Documentation](docs/tools.md) for examples and supported metadata. ## Available Resources ### `clickhouse://schema` Provides complete schema information for the ClickHouse® database in JSON format. ### `clickhouse://table/{database}/{table}` Provides detailed information about a specific table including schema, sample data, and statistics. ## Available Prompts No prompts currently available ## OpenAI GPTs Integration The Altinity MCP Server supports seamless integration with OpenAI GPTs through its OpenAPI-compatible endpoints. These endpoints enable GPT assistants to perform ClickHouse® database operations directly. OpenAI MCP/tooling references: - [Apps SDK Reference](https://developers.openai.com/apps-sdk/reference) - [Define tools](https://developers.openai.com/apps-sdk/plan/tools) - [Build your MCP server](https://developers.openai.com/apps-sdk/build/mcp-server) - [MCP concepts / server docs](https://developers.openai.com/apps-sdk/concepts/mcp-server) ### Authentication - **With JWE**: Add the JWE token to either: 1. Path parameter: `/{jwe_token}/openapi/...` (now required) 2. Authorization header: `Bearer {token}` (alternative) 3. `x-altinity-mcp-key` header (alternative) - **Without JWE**: Use server-configured credentials (no auth needed in requests) ### Available Actions #### 1. Execute SQL Query **Path**: `/openapi/execute_query` **Parameters**: - `jwe_token` (path param): JWE authentication token - `query` (query param): SQL query to execute (required) - `limit` (query param): Maximum rows to return (optional, default 1000, max 10000) **Example OpenAPI Path**: ``` GET /{jwe_token}/openapi/execute_query?query=SELECT%20*%20FROM%20table&limit=500 ``` ### Configuration Example for GPTs ```json { "openapi": "3.1.0", "info": { "title": "ClickHouse® SQL Interface", "version": "1.0.0" }, "servers": [ {"url": "https://your-server:8080/{token}"} ], "paths": { "/{jwe_token}/openapi/execute_query": { "get": { "operationId": "execute_query", "parameters": [ { "name": "jwe_token", "in": "path", "required": true, "schema": {"type": "string"} }, { "name": "query", "in": "query", "required": true, "schema": {"type": "string"} }, { "name": "limit", "in": "query", "schema": {"type": "integer"} } ] } } } } ``` > **Note**: For Altinity Cloud deployments, use the provided endpoint URL with your organization-specific token. ## Authentication and Authorization JWE takes priority — if present and valid and has valid credentials, use it and skip OAuth. If JWE is absent or has no credentials, fall through to OAuth. ### OAuth 2.0 Authorization The MCP server supports OAuth 2.0/OpenID Connect authentication, with token forwarding to ClickHouse or token verification locally. This enables MCP clients to authenticate via an Identity Provider (Keycloak, Azure AD, Google, AWS Cognito) and have their Bearer tokens forwarded to ClickHouse for token-based authentication via `token_processors`. For full setup instructions, provider-specific guides, and ClickHouse configuration, see the [OAuth 2.0 Authorization Documentation](docs/oauth_authorization.md). ### JWE Authentication When JWE authentication is enabled, the server expects tokens encrypted using AES Key Wrap (A256KW) and AES-GCM (A256GCM). These tokens contain ClickHouse® connection parameters: ```json { "host": "clickhouse.example.com", "port": 8123, "database": "analytics", "username": "user123", "password": "secret", "protocol": "http", "secure": "false" } ``` Generate tokens using the provided utility. ```bash go run ./cmd/jwe_auth/jwe_token_generator.go \ --jwe-secret-key "your-jwe-encryption-secret" \ --jwt-secret-key "your-jwt-signing-secret" \ --host "clickhouse.example.com" \ --port 8123 \ --database "analytics" \ --username "user123" \ --password "password123" \ --expiry 86400 ``` More details in [jwe_authentication.md](docs/jwe_authentication.md) ## TLS Configuration ### ClickHouse® TLS ```bash ./altinity-mcp \ --clickhouse-tls \ --clickhouse-tls-ca-cert /path/to/ca.crt \ --clickhouse-tls-client-cert /path/to/client.crt \ --clickhouse-tls-client-key /path/to/client.key ``` ### Server TLS ```bash ./altinity-mcp \ --transport https \ --server-tls \ --server-tls-cert-file /path/to/server.crt \ --server-tls-key-file /path/to/server.key ``` ## Development & Testing Development workflow, build commands, test tiers, and the optional OAuth Docker e2e flow are documented in [docs/development_and_testing.md](docs/development_and_testing.md). For the full OAuth setup and ClickHouse-specific details, see the [OAuth 2.0 Authorization Documentation](docs/oauth_authorization.md). ## CLI Reference ### Global Flags - `--config`: Path to configuration file (YAML or JSON) - `--log-level`: Logging level (debug/info/warn/error) - `--clickhouse-limit`: Default limit for query results (default: 1000) - `--openapi`: Enable OpenAPI endpoints (disable/http/https) (default: disable) ### ClickHouse® Flags - `--clickhouse-host`: ClickHouse® server host - `--clickhouse-port`: ClickHouse® server port - `--clickhouse-database`: Database name - `--clickhouse-username`: Username - `--clickhouse-password`: Password - `--clickhouse-protocol`: Protocol (http/tcp) - `--read-only`: Read-only mode (prevents non-read SQL and avoids setting session variables) - `--clickhouse-max-execution-time`: Query timeout in seconds - `--clickhouse-http-headers`: HTTP headers for ClickHouse requests (key=value pairs) ### Server Flags - `--transport`: Transport type (stdio/http/sse) - `--address`: Server address - `--port`: Server port - `--allow-jwe-auth`: Enable JWE authentication - `--jwe-secret-key`: Secret key for JWE token decryption (must be 32 bytes for A256KW). - `--jwt-secret-key`: Secret key for JWT signature verification ### Commands - `version`: Show version information - `test-connection`: Test ClickHouse® connection ## Contributing 1. Fork the repository 2. Create a feature branch 3. Make your changes 4. Add tests 5. Run the test suite 6. Submit a pull request ## License This project is licensed under the Apache License 2.0. See the LICENSE file for details. ## Support For support and questions: - GitHub Issues: [https://github.com/altinity/altinity-mcp/issues](https://github.com/altinity/altinity-mcp/issues) - Email: support@altinity.com