MCP Toolbox v1.0:
The Open-Source Framework for Secure Agentic Data Access
Written by:
- Kurtis Van Gent, Senior Staff Software Engineer @ Google (Linkedin)
- Averi Kitsch, Staff Software Engineer @ Google (Linkedin)
Building reliable AI agents requires a strict separation between reasoning logic and system execution. Large language models (LLMs) can plan and process information effectively, but their utility in production environments depends entirely on a secure, standardized way to interact with enterprise data.
This is the core problem solved by the Model Context Protocol (MCP). Acting as a universal interface between AI models and external tools, MCP allows developers to connect agents to real-world systems without building bespoke integrations for every new model. The importance of this standard was underscored recently when MCP joined the Agentic AI Foundation (AAIF) under the Linux Foundation, marking a shift toward interoperable agentic infrastructure.
Today, we are announcing that the open-source MCP Toolbox for Databases has reached version 1.0.
Built in the open and hardened by real-world developer feedback, this framework connects your AI agents directly to over 40 enterprise data sources. With the 1.0 release, the Toolbox provides a stable, backwards-compatible foundation for building agentic applications, giving you the strict control and customization required for true production workloads.
What’s New in v1.0: Built for Production Workloads
When we announced the public Beta for MCP Toolbox for Databases just over a year ago, the goal was straightforward: provide a reliable bridge between language models and enterprise data. Since then, the project has evolved into a multi-database MCP framework for customizable tools. The v1.0 release means the Toolbox has reached a stable, backwards-compatible foundation suitable for production workloads.
Here is what is new and hardened in this release:
- Expanded Ecosystem (40+ Data Sources): Driven by community contributions, Toolbox 1.0 now supports over 40 data sources. This includes native connectivity for Google Cloud databases like AlloyDB, Spanner, BigQuery, and Cloud SQL, alongside third-party systems including Oracle, MongoDB, Snowflake, and open-source PostgreSQL.
- Client SDKs & Framework Integrations: Developers can integrate Toolbox natively using our Python, Go, and TypeScript/JavaScript SDKs, and most recently, our Java SDK to cover the most common enterprise backend environments. We’ve also built deeper integrations into popular frameworks, allowing you to connect Toolbox directly to LangChain, LlamaIndex, and the Agent Development Kit (ADK) with minimal boilerplate.
- End-to-End Telemetry: Production environments require observability. Toolbox 1.0 includes built-in OpenTelemetry support adhering to the official MCP semantic conventions. This ensures every agent-to-database interaction is traceable with standardized metrics and logs.
- Skills Autogeneration: This release introduces “Skills,” a modular way to package and reuse operational tasks (like database troubleshooting). The Toolbox can autogenerate Skills, instantly turning any toolset you build into a package of scripts and resources ready to be deployed.
- MCP Authorization Support: Toolbox 1.0 implements MCP’s latest spec for Authorization, functioning as a fully compliant OAuth 2.1 resource server. This provides a standardized way to protect sensitive tools and data through automated discovery and rigorous token validation.
Bridging the Trust Gap with Custom Tools
The open-source MCP Toolbox is designed for developers building custom agentic applications who require full control over system execution. When you deploy the Toolbox — whether locally, in a container, or via services like Cloud Run — you are prioritizing deep customization.
The Toolbox lets you explicitly define which tools are exposed to the agent. You can tightly modify almost everything — including resources the tool can access, descriptions to improve the language model’s prompt routing, or construct highly customized, bounded tools that execute exact, pre-approved business logic against your specific data schemas.
Consider a customer support chatbot. To allow a user to look up their order status, you wouldn’t just hand the language model your raw database connection strings and unfiltered access to your database. Doing so creates a massive “trust gap” between a probabilistic model and your strict, deterministic production database. It opens the door to unoptimized queries, hallucinated table names, and severe security risks.
MCP Toolbox provides a framework for developers to bridge this gap. Instead of granting an agent unrestricted schema access, you use a declarative configuration file to define specific, safe actions.
This framework allows you to wrap complex business logic into fixed SQL queries with precise parameter bindings. The Toolbox acts as a protective gateway — validating inputs and ensuring the agent can only execute the exact logic you’ve pre-approved. This approach keeps the agent flexible during user conversations while keeping your data layer completely locked down.
Practical Example: Secure Tool Definition
Let’s look at a practical example. Consider a multi-tenant SaaS application where users can ask an AI agent to analyze their recent API usage.
The agent needs to fetch usage logs, but you must ensure strict tenant isolation. You absolutely cannot grant the language model generic read access and trust it to filter by the correct tenant ID. With MCP Toolbox, you define the allowed action and its strict boundaries in a config.yaml file:
kind: tool
name: get_tenant_usage
type: postgres-sql
source: postgres-prod
description: "Retrieve API usage statistics for the current billing period."
parameters:
- name: limit
type: integer
default: 10
maxValue: 50
- name: tenant_id # Bound at runtime, not agent-controlled!
type: string
statement: |
SELECT endpoint, request_count, error_rate, last_accessed
FROM api_usage_logs
WHERE tenant_id = $2
ORDER BY request_count DESC
LIMIT $1;
In this configuration, the query structure is entirely fixed. The limit parameter is capped at a maximum value to prevent massive data pulls, and tenant_id is defined as a required parameter.
When you initialize the Toolbox in your backend application using one of our SDKs (like Python), you bind this sensitive parameter server-side so it remains completely outside of the language model’s control:
from toolbox_core import ToolboxClient
# Initialize the client and bind the strict tenant isolation parameter
async with ToolboxClient("http://127.0.0.1:5000") as client:
tools = await client.load_toolset(
"tenant_analytics",
bound_params={
# This is securely injected by your backend auth layer, not the LLM
"tenant_id": "org_7b89fA21",
}
)
# 'tools' are now securely bounded and ready to be passed to your agent framework
This setup ensures the agent remains flexible during user interactions, while your database layer is securely locked behind deterministic execution.
Conclusion & Next Steps
The v1.0 release of MCP Toolbox is a sign of our stability, and the confidence developers can feel in building their applications on top of it. Engineering teams can now build and deploy secure agentic applications without the risk of upstream breaking changes.
Ready to get started?
- Explore the Code: Star and fork the MCP Toolbox repository on GitHub to see how it works under the hood and explore the growing ecosystem of community-contributed tools.
- Read the Docs: Visit mcp-toolbox.dev for quickstarts, SDK references, and advanced configuration guides.
- Join the Community: Join our Community Discord, file an issue or feature request, or send us a PR.
See us at Google Cloud Next 2026: If you are heading to Las Vegas, don’t miss the session Power Intelligent Agents with AI-Native Databases. Join MCP co-creator David Soria Parra (Anthropic) alongside Amit Ganesh and Yannis Papakonstantinou (Google) to hear what’s next for MCP and how AI-native databases are shaping the future of agentic infrastructure.
MCP Toolbox v1.0:
The Open-Source Framework for Secure Agentic Data Access was originally published in Google Cloud – Community on Medium, where people are continuing the conversation by highlighting and responding to this story.
Source Credit: https://medium.com/google-cloud/mcp-toolbox-v1-0-the-open-source-framework-for-secure-agentic-data-access-3c2199546ba8?source=rss—-e52cf94d98af—4
About the Author
