Connect a Database

Add a database connection to your agent. Connection strings are encrypted client-side before being stored — conexor.io never sees your credentials in plaintext.

How credentials are protected

When you submit a connection string in the dashboard, it is encrypted with AES-256 in your browser before being transmitted. The encrypted blob is stored server-side. The decryption key is held only by your agent — the cloud control plane has no way to read your credentials.

TIPThis means even a full breach of conexor.io's servers exposes only encrypted blobs. Without your agent's local encryption key, they are useless.

Adding a connection from the dashboard

Navigate to Agents → [your agent] → Data Sources → Add Data Source. Select your database type and paste the connection string.

SQL Server

text

# Windows Authentication
Server=myserver.local;Database=mydb;Integrated Security=True;TrustServerCertificate=True

# SQL Authentication
Server=myserver.local;Database=mydb;User Id=sa;Password=mypassword;TrustServerCertificate=True

# Named instance
Server=myserver.local\SQLEXPRESS;Database=mydb;User Id=sa;Password=mypassword

NOTESQL Server requires TrustServerCertificate=True if your server uses a self-signed certificate. For production, configure a valid TLS certificate instead.

PostgreSQL

text

# Basic
Host=localhost;Port=5432;Database=mydb;Username=myuser;Password=mypassword

# SSL required
Host=myhost.rds.amazonaws.com;Database=mydb;Username=admin;Password=pass;SSL Mode=Require

# Connection pooling (Npgsql)
Host=localhost;Port=5432;Database=mydb;Username=myuser;Password=mypassword;Maximum Pool Size=20

MySQL / MariaDB

text

# MySQL
Server=localhost;Port=3306;Database=mydb;Uid=root;Pwd=mypassword;

# With SSL
Server=myhost;Database=mydb;Uid=user;Pwd=pass;SslMode=Required;

# MariaDB (same format)
Server=localhost;Port=3306;Database=mydb;Uid=root;Pwd=mypassword;

Least-privilege database user

conexor.io only ever executes SELECT queries (write operations are blocked at the protocol layer). We strongly recommend creating a read-only database user specifically for conexor.io.

PostgreSQL

sql

-- Create read-only user
CREATE USER conexor_reader WITH PASSWORD 'strong-password-here';

-- Grant connect
GRANT CONNECT ON DATABASE mydb TO conexor_reader;

-- Grant usage on schema
GRANT USAGE ON SCHEMA public TO conexor_reader;

-- Grant SELECT on all existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA public TO conexor_reader;

-- Grant SELECT on future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO conexor_reader;

SQL Server

sql

-- Create login and user
CREATE LOGIN conexor_reader WITH PASSWORD = 'StrongPassword123!';
USE mydb;
CREATE USER conexor_reader FOR LOGIN conexor_reader;

-- Grant read-only access
EXEC sp_addrolemember 'db_datareader', 'conexor_reader';

MySQL

sql

-- Create read-only user
CREATE USER 'conexor_reader'@'%' IDENTIFIED BY 'strong-password-here';

-- Grant SELECT only
GRANT SELECT ON mydb.* TO 'conexor_reader'@'%';
FLUSH PRIVILEGES;

Testing the connection

After saving, click Test Connection. The control plane sends a test message to your agent, which attempts to open a connection to the database and returns the result. A successful test shows the database name and server version.

INFOThe test connection runs from your agent — so it validates network reachability from the machine where your agent is deployed, not from conexor.io's servers.

Allow all queries (advanced)

By default, conexor.io enforces SELECT-only at the protocol layer. If you have an advanced use case that requires INSERT or UPDATE access, you can enable Allow All Queries per data source.

NOTEEnabling this setting removes the write-protection guarantee. Only enable it if you fully understand the implications and trust all models and users with access to this MCP server.

Install the Agent Use with Claude

All systems operational