docs(mcp): recommend read-only, project-scoped mode by default (supabase#36496)

Author: charislam

apps/docs/content/_partials/mcp_supabase_config.mdx

@@ -16,15 +16,18 @@
           "args": [
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
   </TabPanel>
 
@@ -40,15 +43,18 @@
             "npx",
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
     <Admonition type="note">
 
@@ -83,15 +89,18 @@
             "npx",
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
     This assumes you have Windows Subsystem for Linux (WSL) enabled and `node`/`npx` are installed within the WSL environment.
 
@@ -107,15 +116,18 @@
           "args": [
             "-y",
             "@supabase/mcp-server-supabase@latest",
-            "--access-token",
-            "<personal-access-token>"
-          ]
+            "--read-only",
+            "--project-ref=<project-ref>"
+          ],
+          "env": {
+            "SUPABASE_ACCESS_TOKEN": "<personal-access-token>"
+          }
         }
       }
     }
     ```
 
-    Replace `<personal-access-token>` with your personal access token.
+    Replace `<project-ref>` with your project ref, and `<personal-access-token>` with your personal access token.
 
   </TabPanel>
 

apps/docs/content/_partials/mcp_supabase_vscode_config.mdx

@@ -21,7 +21,7 @@
       "servers": {
         "supabase": {
           "command": "npx",
-          "args": ["-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -30,6 +30,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
   </TabPanel>
 
   <TabPanel id="windows" label="Windows">
@@ -47,7 +49,7 @@
       "servers": {
         "supabase": {
           "command": "cmd",
-          "args": ["/c", "npx", "-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["/c", "npx", "-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -56,6 +58,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
     <Admonition type="note">
 
     Make sure that `node` and `npx` are available in your system `PATH`. Assuming `node` is installed, you can get the path by running:
@@ -93,7 +97,7 @@
       "servers": {
         "supabase": {
           "command": "wsl",
-          "args": ["npx", "-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["npx", "-y", "@supabase/mcp-server-supabase@latest",  "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -102,6 +106,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
     This assumes you have Windows Subsystem for Linux (WSL) enabled and `node`/`npx` are installed within the WSL environment.
 
   </TabPanel>
@@ -121,7 +127,7 @@
       "servers": {
         "supabase": {
           "command": "npx",
-          "args": ["-y", "@supabase/mcp-server-supabase@latest"],
+          "args": ["-y", "@supabase/mcp-server-supabase@latest", "--read-only", "--project-ref=<project-ref>"],
           "env": {
             "SUPABASE_ACCESS_TOKEN": "${input:supabase-access-token}"
           }
@@ -130,6 +136,8 @@
     }
     ```
 
+    Replace `<project-ref>` with your project ref.
+
   </TabPanel>
 
 </Tabs>

apps/docs/content/guides/getting-started/mcp.mdx

@@ -23,7 +23,9 @@ First, go to your [Supabase settings](https://supabase.com/dashboard/account/tok
 
 ## Step 2: Configure in your AI tool
 
-MCP compatible tools can connect to Supabase using the [Supabase MCP server](https://github.com/supabase-community/supabase-mcp). Below are instructions for connecting to this server using popular AI tools:
+MCP compatible tools can connect to Supabase using the [Supabase MCP server](https://github.com/supabase-community/supabase-mcp).
+
+Follow the instructions for your AI tool to connect the Supabase MCP server. The configuration below uses read-only, project-scoped mode by default. We recommend these settings to prevent the agent from making unintended changes to your database. Note that read-only mode applies only to database operations. Write operations on project-management tools, such as `create_project`, are still available.
 
 ### Cursor
 
@@ -53,9 +55,9 @@ MCP compatible tools can connect to Supabase using the [Supabase MCP server](htt
 
 <div className="mb-8 not-prose [&>p]:flex [&>p]:flex-col [&>p]:gap-2">
   [![Install with NPX in VS
-  Code](https://img.shields.io/badge/VS_Code-NPM-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%7D%7D)
+  Code](https://img.shields.io/badge/VS_Code-NPM-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D%26config%3D%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%2C%22--readonly%22%2C%22--project-ref%3D%24SUPABASE_MCP_PROJECT_REF%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%2C%22SUPABASE_MCP_PROJECT_REF%22%3A%22%24%7Binput%3Asupabase-project-ref%7D%22%7D%7D)
   [![Install with NPX in VS Code
-  Insiders](https://img.shields.io/badge/VS_Code_Insiders-NPM-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D&config=%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%7D%7D&quality=insiders)
+  Insiders](https://img.shields.io/badge/VS_Code_Insiders-NPM-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=supabase&inputs=%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22supabase-access-token%22%2C%22description%22%3A%22Supabase%20personal%20access%20token%22%2C%22password%22%3Atrue%7D%5D%26config%3D%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40supabase%2Fmcp-server-supabase%40latest%22%2C%22--readonly%22%2C%22--project-ref%3D%24SUPABASE_MCP_PROJECT_REF%22%5D%2C%22env%22%3A%7B%22SUPABASE_ACCESS_TOKEN%22%3A%22%24%7Binput%3Asupabase-access-token%7D%22%2C%22SUPABASE_MCP_PROJECT_REF%22%3A%22%24%7Binput%3Asupabase-project-ref%7D%22%7D%7D)
 </div>
 
 1.  Open [VS Code](https://code.visualstudio.com/) and create a `.vscode` directory in your project root if it doesn't exist.