How to Set Up a Postgres MCP Server With Windsurf

I was in the middle of a refactor when a colleague pinged me asking which users had started a trial but never converted. I didn't want to tab out, spin up a DB client, and write the query from scratch. I was already in Windsurf. I just wanted to ask the question and get the answer. That's the whole thing this post is about.

We'll connect Windsurf's Cascade agent to your Postgres database through QueryBear, a read-only MCP gateway. The setup takes about ten minutes.

Part of the Postgres MCP Server guide.

What you'll need

• A Postgres database (a read replica is recommended over your primary)
• A QueryBear account (free tier works)
• Windsurf installed

Why route through a gateway

Pasting your raw DATABASE_URL into an agent's environment gives the agent the same permissions as that role. A gateway like QueryBear sits in between: it enforces a SQL parser that rejects DML and DDL, an allowlist of tables the agent can see, a blocked-columns list for sensitive fields, a row limit, and a statement timeout. The agent never touches your credentials directly. See the full Postgres MCP Server guide for a deeper walkthrough.

Connect QueryBear to your Postgres database

1. Open the QueryBear dashboard and click "New connection."
2. Pick Postgres, then paste your database URL. A read replica URL is ideal. Use a role that has SELECT only.
3. Under "Allowed tables," check off the tables you want Cascade to see. Anything not on the list won't appear in the schema.
4. Under "Blocked columns," add any fields you'd never want in an agent's context window: password_hash, totp_secret, payment tokens, that kind of thing. Save.

That's your gateway configured.

Install the QueryBear MCP server in Windsurf

Open Windsurf, go to Settings, then "MCP Servers," then "Add custom server." Paste this:

{
  "mcpServers": {
    "querybear": {
      "serverUrl": "https://mcp.querybear.com/mcp"
    }
  }
}

Note that Windsurf uses serverUrl where some other tools use url. That difference will cause a silent failure if you copy a config from a Cursor guide, so double-check it.

Save and restart the MCP connection. You should see QueryBear appear in Cascade's tool list.

Ask your first question

Open Cascade in the side panel and ask in plain English:

"Find users who started a trial but never converted."

Cascade will call get_schema first to understand your tables, then generate and run a query. Here's what it produced for me:

SELECT u.id, u.email, u.trial_started_at
FROM users u
LEFT JOIN subscriptions s ON s.user_id = u.id
WHERE s.id IS NULL
  AND u.trial_started_at IS NOT NULL
ORDER BY u.trial_started_at DESC;

Got back 47 rows. The whole round trip took under a second. No switching apps, no copy-pasting connection strings.

A Windsurf-specific tip

Cascade can chain MCP calls in a single turn. If you ask a question that requires first understanding your schema and then running a query, it'll call get_schema and run_query back to back without you prompting it. That's useful when you're asking about tables you haven't looked at in a while.

One thing to watch: Windsurf caches MCP responses. If you've recently changed your QueryBear allowlist or added a new table, Cascade might still be working from the old schema. Hit cmd-shift-R to force a refresh, and the next call will pull fresh data.

Using a different tool?

• Claude Code
• Claude Cowork
• Cursor
• ChatGPT
• Codex
• Gemini

Querying a different database?

• MySQL MCP Server
• SQLite MCP Server