How to add MySQL MCP Server Pro to Windsurf
MySQL CRUD plus anomaly analysis: SQL optimization, health checks, lock and index diagnostics, with role-based permissions. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 246★ · stdio · oauth
Windsurf config for MySQL MCP Server Pro
pip install mysql_mcp_server_pro{
"mcpServers": {
"mysql-mcp-server-pro": {
"command": "uvx",
"args": [
"--from",
"mysql_mcp_server_pro",
"mysql_mcp_server_pro",
"--mode",
"stdio"
],
"env": {
"MYSQL_HOST": "192.168.x.xxx",
"MYSQL_PORT": "3306",
"MYSQL_USER": "root",
"MYSQL_PASSWORD": "root",
"MYSQL_DATABASE": "a_llm",
"MYSQL_ROLE": "admin"
}
}
}
}Requires `uv` (the Python package runner). Install it from https://docs.astral.sh/uv/ if `uvx` is not found.
Setup steps
- 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
- 2Paste the MySQL MCP Server Pro config below.
- 3Fill in placeholder secrets, then save.
- 4Click Refresh in the MCP panel.
- 5MySQL MCP Server Pro's tools become available to Cascade.
Before you start
- A reachable MySQL database with valid credentials
- Python with uv/uvx, or pip to install the mysql_mcp_server_pro package
- Environment variables for the DB connection (MYSQL_HOST, MYSQL_PORT, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE) and optionally MYSQL_ROLE
What MySQL MCP Server Pro can do in Windsurf
execute_sqlSQL execution tool that can run SELECT, SHOW, DESCRIBE, EXPLAIN, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, and TRUNCATE commands based on the configured permission role.
get_chinese_initialsConvert Chinese field names to pinyin initials.
get_db_health_runningAnalyze MySQL health status, including connection status, transaction status, running status, and lock status detection.
get_table_descSearch for table structures in the database based on table names, supporting multi-table queries.
get_table_indexSearch for table indexes in the database based on table names, supporting multi-table queries.
get_table_lockCheck whether there are row-level or table-level locks on the current MySQL server.
get_table_nameSearch for table names in the database based on table comments and descriptions.
get_db_health_index_usageGet index usage for the connected MySQL database, including redundant indexes, poorly performing indexes, and the top 5 unused indexes with query times greater than 30 seconds.
Security
Connects to a MySQL database using credentials supplied via environment variables (MYSQL_HOST, MYSQL_PORT, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE). Use MYSQL_ROLE to scope permissions: 'readonly' (SELECT/SHOW/DESCRIBE/EXPLAIN), 'writer' (adds INSERT/UPDATE/DELETE), or 'admin' (adds CREATE/ALTER/DROP/TRUNCATE). Prefer the least-privileged role; the README examples use 'admin', which grants destructive DDL. For HTTP/SSE deployments, enable OAuth 2.0 (--oauth true) to protect the endpoint.
MySQL MCP Server Pro + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the MySQL MCP Server Pro config there under the "mcpServers" key and restart the client.
Is MySQL MCP Server Pro safe to use with Windsurf?
Connects to a MySQL database using credentials supplied via environment variables (MYSQL_HOST, MYSQL_PORT, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE). Use MYSQL_ROLE to scope permissions: 'readonly' (SELECT/SHOW/DESCRIBE/EXPLAIN), 'writer' (adds INSERT/UPDATE/DELETE), or 'admin' (adds CREATE/ALTER/DROP/TRUNCATE). Prefer the least-privileged role; the README examples use 'admin', which grants destructive DDL. For HTTP/SSE deployments, enable OAuth 2.0 (--oauth true) to protect the endpoint.
Which MCP transports are supported?
All of them: STDIO, SSE, and Streamable HTTP. Streamable HTTP is the default mode; use --mode sse for SSE or --mode stdio for STDIO.
How do I restrict what SQL the server can run?
Set the MYSQL_ROLE environment variable. 'readonly' allows SELECT/SHOW/DESCRIBE/EXPLAIN; 'writer' adds INSERT/UPDATE/DELETE; 'admin' adds CREATE/ALTER/DROP/TRUNCATE. Choose the least-privileged role for your use case.
Does it support authentication for HTTP deployments?
Yes. It supports OAuth 2.0 (built-in password mode by default). Start with --oauth true, log in at the auth service, then pass the token in the request headers as 'authorization: bearer TOKEN_VALUE'.