What this is
A production-ready Model Context Protocol (MCP) server for Google BigQuery
that you deploy to your own GCP project. AI agents — Claude, ChatGPT, Cursor,
Gemini, or anything else that speaks MCP — connect over HTTPS and can do exactly
two things: read the schemas of tables you explicitly allowlist, and run SELECT
queries against them, subject to a configurable scan budget, a result-row cap,
and a token-bucket rate limit. Nothing else.
Why pick this over Google’s official BigQuery MCP server
Google’s official server is excellent if you trust the agent absolutely. This one is for everywhere else — customer-facing chatbots, multi-tenant deployments, agents handling untrusted input. Three differences matter most:
| This server | Google official | |
|---|---|---|
| Table access control | Hard allowlist of (dataset, table) pairs, enforced in the SQL parser before a job runs |
IAM only — any reachable table |
| Per-query scan cap | Yes — MAX_SCAN_MB, enforced via dry-run |
No (relies on IAM / BQ quotas) |
| Rate limiting | Built-in token bucket + burst | None (per Google’s docs) |
A full feature-by-feature comparison is in the repository README.
Architecture
┌─────────────┐ HTTPS + x-api-key ┌────────────────────┐ IAM ┌──────────┐
│ MCP client │ ──────────────────────▶ │ Cloud Run service │ ───────▶ │ BigQuery │
│ (Claude, │ │ • SQL allowlist │ │ tables │
│ Cursor, │ │ • Dry-run cap │ │ + views │
│ ChatGPT) │ │ • Rate limiter │ └──────────┘
└─────────────┘ └────────────────────┘
Scales to zero on Cloud Run, so it costs roughly nothing at idle.
Get it
The full source, deployment guide, and security model are on GitHub. License is MIT.