How to add BigQuery MCP Server to Claude Desktop

Secure, read-only access to Google BigQuery datasets for LLMs, with field-level PII/PHI protection. Paste the config into ~/Library/Application Support/Claude/claude_desktop_config.json and restart Claude Desktop.

Last updated June 14, 2026 · 142★ · stdio · no auth

Claude Desktop config for BigQuery MCP Server

npx -y @ergut/mcp-bigquery-server --project-id your-project-id

{
  "mcpServers": {
    "bigquery-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@ergut/mcp-bigquery-server",
        "--project-id",
        "your-project-id"
      ]
    }
  }
}

Setup steps

1Open Claude Desktop → Settings → Developer → Edit Config (this opens ~/Library/Application Support/Claude/claude_desktop_config.json).
2Paste the BigQuery MCP Server config below under the top-level "mcpServers" key.
3Fill in any placeholder secrets (API keys, paths) in the snippet.
4Save the file, then fully quit and reopen Claude Desktop.
5Open a chat and confirm BigQuery MCP Server's tools appear under the 🔌 tools menu.

Before you start

Node.js 14 or higher
Google Cloud project with BigQuery enabled
Google Cloud CLI installed or a service account key file
Any MCP-compatible client (Claude Desktop, Claude Code, etc.)

What BigQuery MCP Server can do in Claude Desktop

query

Run a read-only BigQuery SQL query. Accepts a `sql` string argument; only SELECT statements pass BigQuery's dry-run validation, and INFORMATION_SCHEMA queries are auto-qualified to the project. Results respect the configured maximumBytesBilled limit and any active field/table protection rules.

Security

Read-only by design — only SELECT statements pass BigQuery's dry-run validation; mutating statements (INSERT, UPDATE, DELETE, DROP, TRUNCATE, EXPORT DATA, MERGE) are rejected. Protected Mode lets admins define preventedFields to block sensitive columns (PII/PHI/financial/secrets) from entering LLM responses, with an optional auto-scanner across all datasets. Per the README, field restrictions are cooperative guardrails for AI agents, not a hard SQL firewall against adversarial attackers (see PROTECTION.md). Query results are sent to the LLM provider for processing and thus leave your network; run locally for sensitive data. Configurable per-query billing cap (maximumBytesBilled, default 1GB) via config.json or --maximum-bytes-billed. Keep service account key files secure and never commit them.

BigQuery MCP Server + Claude Desktop FAQ

Where is the Claude Desktop config file?

Claude Desktop reads MCP servers from ~/Library/Application Support/Claude/claude_desktop_config.json. Paste the BigQuery MCP Server config there under the "mcpServers" key and restart the client.

Is BigQuery MCP Server safe to use with Claude Desktop?

Can the AI agent modify or delete my data?

No. The server is read-only by design. Only SELECT statements are allowed and each query is validated by BigQuery's dry-run planner before execution, so INSERT, UPDATE, DELETE, DROP, TRUNCATE, EXPORT DATA, and MERGE are all rejected.

How does it authenticate to Google Cloud?

Either via Application Default Credentials (`gcloud auth application-default login`, good for development) or a service account key file passed with the --key-file argument (recommended for production). Keep service account key files secure and never commit them to version control.

What is the difference between Simple Mode and Protected Mode?

Simple Mode runs with no config file, applies safe defaults (1GB query limit) and no field restrictions — suitable for personal projects and non-sensitive data. Protected Mode is enabled by passing --config-file and lets you define preventedFields, choose a protectionMode (off, allowedTables, autoProtect), and run an auto-scanner that discovers sensitive columns across all datasets.

View repo Full BigQuery MCP Server page