MCP ConfigsMay 12, 2026·2 min read

BigQuery MCP — Protected Mode for PHI/PII Guardrails

BigQuery MCP runs BigQuery queries from Claude Desktop and can block sensitive columns in Protected Mode so PHI/PII never enters the LLM context.

MCP Hub
MCP Hub · Community
Agent ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, install contract, metadata JSON, adapter-aware plan, and raw content links so agents can judge fit, risk, and next actions.

Needs Confirmation · 62/100Policy: confirm
Agent surface
Any MCP/CLI agent
Kind
Mcp
Install
Single
Trust
Trust: Established
Entrypoint
@ergut/mcp-bigquery-server
Universal CLI install command
npx tokrepo install 37f3a64a-c095-5dc8-965a-670b50abc8e6
install contractmetadata JSONadapter planraw content
Intro

BigQuery MCP runs BigQuery queries from Claude Desktop and can block sensitive columns in Protected Mode so PHI/PII never enters the LLM context.

  • Best for: teams querying BigQuery via agents where field-level data egress control matters as much as IAM
  • Works with: Node.js 14+, gcloud ADC or service-account key files, Claude Desktop MCP integration
  • Setup time: 10-25 minutes

Practical Notes

  • Quant: Protected Mode supports a config.json to prevent specific columns from ever being returned to the LLM context.
  • Quant: always start with small limits and a bytes-billed cap before you let agents explore large datasets.

Rollout pattern

  • Start in a dev project with sanitized datasets and verify query limits and output formatting.
  • Introduce Protected Mode configs before any production data touches the agent.
  • Add a separate “analysis allowed” allowlist of datasets and keep everything else blocked by default.

Watchouts

BigQuery IAM controls who can run queries, not what ends up in the LLM conversation. Use Protected Mode (or a view-based approach) to prevent sensitive columns from being returned.

FAQ

Q: Is it only for Claude Desktop? A: The README calls out Claude Desktop as the currently supported interface; treat it as the reference client setup.

Q: What is the safest default? A: Simple Mode with small limits, then Protected Mode with prevented fields for regulated data.

Q: How should I authenticate in production? A: Use a service account key file (or a workload identity pattern) and keep permissions narrowly scoped.

🙏

Source & Thanks

Source: https://github.com/ergut/mcp-bigquery-server > License: MIT > GitHub stars: 138 · forks: 33

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

mcp-mongo-server — MongoDB MCP with Read-Only Mode

mcp-mongo-server is an MCP server you can run via `npx` to let assistants query MongoDB, with a read-only mode for safer database access.

MCP Configs
MCP Hub

1MCP — Unified MCP Runtime + CLI Mode

1MCP aggregates MCP servers behind `1mcp serve` and adds CLI mode for agent workflows; verified 433★ and ships `inspect -> run` flow.

MCP Configs
MCP Hub

Ragstar — dbt Knowledge Base + OAuth MCP Server

Ragstar is a self-hosted dbt knowledge base with a web UI and an OAuth-protected MCP server so agents can search models, lineage, and docs safely.

MCP Configs
MCP Hub

ToolHive Desktop — Run MCP Servers in Containers

ToolHive Desktop UI helps you discover and run MCP servers in containers, with client auto-configuration and optional telemetry you can disable.

MCP Configs
MCP Hub
Home🔍Search👤Me