# How to integrate Supabase MCP with OpenAI Agents SDK ```json { "title": "How to integrate Supabase MCP with OpenAI Agents SDK", "toolkit": "Supabase", "toolkit_slug": "supabase", "framework": "OpenAI Agents SDK", "framework_slug": "open-ai-agents-sdk", "url": "https://composio.dev/toolkits/supabase/framework/open-ai-agents-sdk", "markdown_url": "https://composio.dev/toolkits/supabase/framework/open-ai-agents-sdk.md", "updated_at": "2026-05-12T10:27:27.190Z" } ``` ## Introduction This guide walks you through connecting Supabase to the OpenAI Agents SDK using the Composio tool router. By the end, you'll have a working Supabase agent that can create a new secret api key for your project, list all third-party auth providers configured, delete google oauth from your supabase project through natural language commands. This guide will help you understand how to give your OpenAI Agents SDK agent real control over a Supabase account through Composio's Supabase MCP server. Before we dive in, let's take a quick look at the key ideas and tools involved. ## Also integrate Supabase with - [ChatGPT](https://composio.dev/toolkits/supabase/framework/chatgpt) - [Claude Agent SDK](https://composio.dev/toolkits/supabase/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/supabase/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/supabase/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/supabase/framework/codex) - [Cursor](https://composio.dev/toolkits/supabase/framework/cursor) - [VS Code](https://composio.dev/toolkits/supabase/framework/vscode) - [OpenCode](https://composio.dev/toolkits/supabase/framework/opencode) - [OpenClaw](https://composio.dev/toolkits/supabase/framework/openclaw) - [Hermes](https://composio.dev/toolkits/supabase/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/supabase/framework/cli) - [Google ADK](https://composio.dev/toolkits/supabase/framework/google-adk) - [LangChain](https://composio.dev/toolkits/supabase/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/supabase/framework/ai-sdk) - [Mastra AI](https://composio.dev/toolkits/supabase/framework/mastra-ai) - [LlamaIndex](https://composio.dev/toolkits/supabase/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/supabase/framework/crew-ai) ## TL;DR Here's what you'll learn: - Get and set up your OpenAI and Composio API keys - Install the necessary dependencies - Initialize Composio and create a Tool Router session for Supabase - Configure an AI agent that can use Supabase as a tool - Run a live chat session where you can ask the agent to perform Supabase operations ## What is OpenAI Agents SDK? The OpenAI Agents SDK is a lightweight framework for building AI agents that can use tools and maintain conversation state. It provides a simple interface for creating agents with hosted MCP tool support. Key features include: - Hosted MCP Tools: Connect to external services through hosted MCP endpoints - SQLite Sessions: Persist conversation history across interactions - Simple API: Clean interface with Agent, Runner, and tool configuration - Streaming Support: Real-time response streaming for interactive applications ## What is the Supabase MCP server, and what's possible with it? The Supabase MCP server is an implementation of the Model Context Protocol that connects your AI agent and assistants like Claude, Cursor, etc directly to your Supabase account. It provides structured and secure access to your Supabase projects, so your agent can perform actions like managing API keys, configuring authentication, and handling custom domains on your behalf. - API key management: Create, update, or permanently delete project API keys, including setting descriptions and customizing JWT templates for secure access control. - Third-party auth integration control: List, retrieve, or remove third-party authentication providers (like Google or GitHub) from your Supabase project to tailor user sign-in options. - Custom domain and subdomain setup: Activate custom hostnames or vanity subdomains for your Supabase project, ensuring your app is accessible at a branded URL after DNS verification. - OAuth authorization handling: Generate OAuth 2.0 authorization URLs for secure user authentication flows, supporting seamless integration with registered apps. - Subdomain availability checks: Instantly verify if a desired vanity subdomain is available for your project before making DNS changes or launching branded experiences. ## Supported Tools | Tool slug | Name | Description | |---|---|---| | `SUPABASE_ALPHA_CREATES_A_NEW_API_KEY_FOR_THE_PROJECT` | Create project api key | Creates a 'publishable' or 'secret' API key for an existing Supabase project, optionally with a description; 'secret' keys can have customized JWT templates. | | `SUPABASE_ALPHA_DELETES_AN_API_KEY_FOR_THE_PROJECT` | Delete an API key from the project | Permanently deletes a specific API key (identified by `id`) from a Supabase project (identified by `ref`), revoking its access. | | `SUPABASE_ALPHA_DELETE_THIRD_PARTY_AUTH_INTEGRATION` | Delete third party auth config | Removes a third-party authentication provider (e.g., Google, GitHub) from a Supabase project's configuration; this immediately prevents users from logging in via that method. | | `SUPABASE_ALPHA_GET_A_THIRD_PARTY_INTEGRATION` | Get a third-party integration | Retrieves the detailed configuration for a specific third-party authentication (TPA) provider, identified by `tpa_id`, within an existing Supabase project specified by `ref`. | | `SUPABASE_ALPHA_LISTS_ALL_THIRD_PARTY_AUTH_INTEGRATIONS` | List third-party auth integrations for project | Lists all configured third-party authentication provider integrations for an existing Supabase project (using its `ref`), suitable for read-only auditing or verifying current authentication settings. | | `SUPABASE_ALPHA_UPDATE_API_KEY` | Update an API key for the project | Updates an existing Supabase project API key's `description` and/or `secret_jwt_template` (which defines its `role`); does not regenerate the key string. | | `SUPABASE_APPLY_A_MIGRATION` | Apply a database migration | Tool to apply database migrations to a Supabase project. Use when you need to execute SQL schema changes, create tables, alter columns, or run other DDL/DML operations as part of a tracked migration. This is a Beta feature in the Supabase Management API. | | `SUPABASE_BETA_ACTIVATE_CUSTOM_HOSTNAME` | Beta activate custom hostname for project | Activates a previously configured custom hostname for a Supabase project, assuming DNS settings are verified externally. | | `SUPABASE_BETA_ACTIVATE_VANITY_SUBDOMAIN` | Activate vanity subdomain for project | Activates a vanity subdomain for the specified Supabase project (e.g., 'my-brand.supabase.co'). Important notes: - Vanity subdomains require a paid plan (Pro/Team/Enterprise) - Usage of vanity subdomains and custom domains is mutually exclusive - After activation, your project's auth services will no longer work on the original {project-ref}.supabase.co hostname - Schedule a downtime window to update client code and OAuth providers before activating | | `SUPABASE_BETA_AUTHORIZE_USER_THROUGH_OAUTH` | Authorize user through OAuth | Generates a Supabase OAuth 2.0 authorization URL for user redirection. IMPORTANT: This action requires a pre-registered OAuth client_id and a redirect_uri that matches one of the pre-registered URIs for that OAuth application. Without a valid registered OAuth application, this endpoint will return a 400 error. To use this action: 1. Register an OAuth application in the Supabase dashboard 2. Use the client_id from the registered application 3. Ensure redirect_uri matches one of the registered callback URLs | | `SUPABASE_BETA_CHECK_VANITY_SUBDOMAIN_AVAILABILITY` | Check vanity subdomain availability | Checks if a specific vanity subdomain is available for a Supabase project; this action does not reserve or assign the subdomain. | | `SUPABASE_BETA_CREATE_READ_REPLICA` | Setup read replica for project | Provisions a read-only replica for a Supabase project in a specified, Supabase-supported AWS region to enhance read performance and reduce latency. | | `SUPABASE_BETA_ENABLE_DATABASE_WEBHOOKS` | Enable project database webhooks | Enables database webhooks for the Supabase project `ref`, triggering real-time notifications for INSERT, UPDATE, or DELETE events. | | `SUPABASE_BETA_GET_PROJECT_CUSTOM_HOSTNAME_CONFIG` | Beta get project's custom hostname config | Retrieves a Supabase project's custom hostname configuration, including its status, SSL certificate, and ownership verification, noting that availability may depend on the project's plan. | | `SUPABASE_BETA_GET_PROJECT_NETWORK_BANS` | Retrieve network bans for project | Retrieves the list of banned IPv4 addresses for a Supabase project using its unique project reference string; this is a read-only operation. | | `SUPABASE_BETA_GET_PROJECT_NETWORK_RESTRICTIONS` | Get project network restrictions | Retrieves the network restriction settings (IP allowlists) for a Supabase project. Use this action to: - Check which IPv4/IPv6 CIDR blocks are allowed to connect to the project's database - Verify if network restrictions are enabled (entitlement: "allowed") or disabled ("disallowed") - Audit current network security configuration - Check if network restrictions have been modified (old_config present) Note: Default values 0.0.0.0/0 (IPv4) and ::/0 (IPv6) mean all IPs are allowed. Network restrictions require a Pro, Team, or Enterprise plan. | | `SUPABASE_BETA_GET_PROJECT_PGSODIUM_CONFIG` | Get project pgsodium config | Retrieves the PGSodium configuration, including the root encryption key, for an existing Supabase project identified by its `ref`. | | `SUPABASE_BETA_GET_PROJECT_SSL_ENFORCEMENT_CONFIG` | Get project SSL enforcement configuration | Retrieves the SSL enforcement configuration for a specified Supabase project, indicating if SSL connections are mandated for its database. | | `SUPABASE_BETA_GET_VANITY_SUBDOMAIN_CONFIG` | Get current vanity subdomain config | Fetches the current vanity subdomain configuration, including its status and custom domain name, for a Supabase project identified by its reference ID. | | `SUPABASE_BETA_REMOVE_NETWORK_BANS` | Remove project network bans | Removes specified IPv4 addresses from a Supabase project's network ban list, granting immediate access; IPs not currently banned are ignored. | | `SUPABASE_BETA_REMOVE_READ_REPLICA` | Remove read replica | Remove a read replica from a Supabase project (Pro plan or higher required). This beta endpoint initiates the removal of a specified read replica database. The operation is irreversible. Before removal, ensure all application traffic is redirected from the replica to the primary database. Requirements: - Project must be on Pro plan or higher - Bearer token with infra_read_replicas_write permission (FGA) - Valid read replica database identifier Note: Returns 201 on success with an empty response body. | | `SUPABASE_BETA_RUN_SQL_QUERY` | Execute project database query | Executes a given SQL query against the project's database; use for advanced data operations or when standard API endpoints are insufficient, ensuring queries are valid PostgreSQL and sanitized. Use the get_table_schemas or generate_type_script_types tool to retrieve the table schema, then base your query on it. | | `SUPABASE_BETA_UPDATE_PROJECT_NETWORK_RESTRICTIONS` | Beta update project network restrictions | Updates and applies network access restrictions (IPv4/IPv6 CIDR lists) for a Supabase project, which may terminate existing connections not matching the new rules. | | `SUPABASE_BETA_UPGRADE_PROJECT_POSTGRES_VERSION` | Upgrade the project's PostgreSQL version | Initiates an asynchronous upgrade of a Supabase project's PostgreSQL database to a specified `target_version` from a selected `release_channel`, returning a `tracking_id` to monitor status; the `target_version` must be available in the chosen channel. | | `SUPABASE_COUNT_ACTION_RUNS` | Count action runs | Counts the number of action runs for a Supabase project using a HEAD request. Use this when you need to retrieve the total count of action runs without fetching the full list of runs. | | `SUPABASE_CREATE_A_PROJECT` | Create new project | Creates a new Supabase project, requiring a unique name (no dots) within the organization; project creation is asynchronous. | | `SUPABASE_CREATE_BULK_SECRETS` | Bulk create secrets | Tool to bulk create secrets for a Supabase project. Use when you need to create multiple project secrets at once. Each secret name must not start with SUPABASE_. | | `SUPABASE_CREATE_DATABASE_BRANCH` | Create a database branch | Creates a new, isolated database branch from an existing Supabase project (identified by `ref`), useful for setting up separate environments like development or testing, which can optionally be linked to a Git branch. | | `SUPABASE_CREATE_FUNCTION` | Create a function | Creates a new serverless Edge Function for a Supabase project (identified by `ref`), requiring valid JavaScript/TypeScript in `body` and a project-unique `slug` identifier. | | `SUPABASE_CREATE_LOGIN_ROLE` | Create CLI login role | Creates a temporary CLI login role for database access with specified permissions; use when setting up CLI authentication for development or administrative tasks. | | `SUPABASE_CREATE_ORGANIZATION` | Create an organization | Creates a new Supabase organization, which serves as a top-level container for projects, billing, and team access. | | `SUPABASE_CREATE_PROJECT_SIGNING_KEY` | Create project signing key | Create a new signing key for JWT authentication in a Supabase project. The key is created in standby status by default and must be activated separately. | | `SUPABASE_CREATE_SSO_PROVIDER` | Create SSO provider configuration | Creates a new SAML 2.0 Single Sign-On (SSO) provider for a Supabase project, requiring either `metadata_xml` or `metadata_url` for SAML IdP configuration. | | `SUPABASE_CREATE_THIRD_PARTY_AUTH_INTEGRATION` | Create a new third-party auth integration | Call this to add a new third-party authentication method (OIDC or JWKS) to a Supabase project for integrating external identity providers (e.g., for SSO); the API may also support `custom_jwks` if sent directly. | | `SUPABASE_DELETE_CUSTOM_HOSTNAME_CONFIG` | Delete custom hostname config | Deletes an active custom hostname configuration for the project identified by `ref`, reverting to the default Supabase-provided hostname; this action immediately makes the project inaccessible via the custom domain and requires subsequent updates to client, OAuth, and DNS settings. | | `SUPABASE_DELETE_DATABASE_BRANCH` | Delete branch by id | Permanently and irreversibly deletes a specific, non-default database branch by its `branch_id`, without affecting other branches. | | `SUPABASE_DELETE_FUNCTION` | Delete an edge function by slug | Permanently deletes a specific Edge Function (by `function_slug`) from a Supabase project (by `ref`); this action is irreversible and requires prior existence of both project and function. | | `SUPABASE_DELETE_LOGIN_ROLES` | Delete CLI login roles | [Beta] Deletes existing login roles used by the Supabase CLI for the specified project. Use when you need to remove CLI authentication roles that were previously created for project access. | | `SUPABASE_DELETE_PROJECT` | Delete project by ref | Permanently and irreversibly deletes a Supabase project, identified by its unique `ref` ID, resulting in complete data loss. | | `SUPABASE_DELETE_PROJECT_VANITY_SUBDOMAIN` | Delete vanity subdomain for project | Permanently and irreversibly deletes an active vanity subdomain configuration for the specified Supabase project, reverting it to its default Supabase URL. | | `SUPABASE_DELETE_SECRETS` | Bulk delete secrets | Tool to bulk delete secrets from a Supabase project. Use when you need to remove multiple secrets at once. Requires the edge_functions_secrets_write scope. | | `SUPABASE_DELETE_SSO_PROVIDER` | Remove an SSO provider | Deletes a specific SSO provider by its ID (`provider_id`) from a Supabase project (`ref`), which disables it and returns its details; ensure this action will not inadvertently lock out users. | | `SUPABASE_DEPLOY_FUNCTION` | Deploy function | Deploys Edge Functions to a Supabase project using multipart upload. | | `SUPABASE_DISABLE_PREVIEW_BRANCHING` | Disable preview branching | Disables the preview branching feature for an existing Supabase project, identified by its unique reference ID (`ref`). Note: Preview branching must be enabled on the project for this operation to succeed. If the project does not have preview branching enabled, a 422 error will be returned. | | `SUPABASE_DISABLE_PROJECT_READONLY` | Disable project readonly mode | Temporarily disables a Supabase project's read-only mode for 15 minutes to allow write operations (e.g., for maintenance or critical updates), after which it automatically reverts to read-only. | | `SUPABASE_EXCHANGE_OAUTH_TOKEN` | Exchange auth code for access and refresh token | (Beta) Implements the OAuth 2.0 token endpoint to exchange an authorization code or refresh token for access/refresh tokens, based on `grant_type`. This is a standard OAuth 2.0 token endpoint that uses application/x-www-form-urlencoded content type as per OAuth 2.0 specification. Requires a valid registered OAuth application client_id and client_secret. For authorization_code grant type: - Requires valid authorization code obtained from the OAuth authorization flow - Optionally requires code_verifier if PKCE was used during authorization For refresh_token grant type: - Requires valid refresh_token from a previous token exchange | | `SUPABASE_GENERATE_TYPESCRIPT_TYPES` | Generate TypeScript types | Generates and retrieves TypeScript types from a Supabase project's database; any schemas specified in `included_schemas` must exist in the project. | | `SUPABASE_GET_ACTION_RUN` | Get action run status | Retrieves the status and details of a specific action run, including its steps, timestamps, and configuration. Use this to monitor or check the progress of an action execution. | | `SUPABASE_GET_ACTION_RUN_LOGS` | Get action run logs | Retrieves the execution logs for a specific action run by its ID. Use this to debug action executions, view output messages, and investigate errors that occurred during action runs. | | `SUPABASE_GET_AVAILABLE_REGIONS` | Get Available Regions | Tool to get the list of available regions for creating a new Supabase project. Use when you need to determine which regions are available for project deployment, or to get region recommendations based on geographic location and instance size requirements. Note: This is a Beta endpoint. | | `SUPABASE_GET_BRANCH` | Get a database branch | Retrieves detailed information about a specific database branch by its name and project reference. Use this to check branch status, configuration, and metadata before performing operations on the branch. | | `SUPABASE_GET_DATABASE_BRANCH_CONFIG` | Get database branch config | Retrieves the read-only configuration and status for a Supabase database branch, typically for monitoring or verifying its settings. | | `SUPABASE_GET_FUNCTION` | Retrieve a function | Retrieves detailed information, metadata, configuration, and status for a specific Edge Function using its project reference ID and function slug. | | `SUPABASE_GET_FUNCTION_BODY` | Retrieve a function body | Retrieves the source code (body) for a specified serverless Edge Function using its project reference and function slug; this is a read-only operation that does not execute the function or return runtime logs. | | `SUPABASE_GET_HEALTH` | Get API Health Status | Tool to check the health status of the Supabase API. Use when you need to verify API availability or troubleshoot connectivity issues. | | `SUPABASE_GET_JIT_ACCESS_CONFIG` | Get JIT access config | [Beta] Retrieves the project's just-in-time (JIT) access configuration, including user roles and their expiration settings. Use this to check temporary access grants and their validity periods. | | `SUPABASE_GET_MIGRATION` | Get a migration | Retrieves a specific database migration entry from the migration history using its version identifier. Use when you need to inspect migration details, SQL statements, or rollback commands for a specific migration version. | | `SUPABASE_GET_ORGANIZATION` | Get information about an organization | Fetches comprehensive details for a specific Supabase organization using its unique slug. | | `SUPABASE_GET_PROJECT` | Get project | Retrieves detailed information about a specific Supabase project by its unique reference ID. Use when you need to get comprehensive project details including status, database configuration, and metadata. Authentication: - Requires a valid Bearer token in the Authorization header. - Token format: 'Bearer ' where access_token is either: - A Personal Access Token (PAT) generated from https://supabase.com/dashboard/account/tokens - An OAuth2 access token with the 'project_admin_read' scope Required Scope: - project_admin_read: Allows retrieval of project information. Returns: Project object containing id, ref, name, organization details, region, status, database configuration, and created_at timestamp. | | `SUPABASE_GET_PROJECT_API_KEY` | Get project API key | Retrieves details of a specific API key for a Supabase project by its UUID. Use when you need to inspect a single key's configuration, type, or metadata. | | `SUPABASE_GET_PROJECT_API_KEYS` | Get project API keys | Retrieves all API keys for an existing Supabase project, specified by its unique reference ID (`ref`); this is a read-only operation. | | `SUPABASE_GET_PROJECT_LOGS` | Get project logs | Retrieves analytics logs for a Supabase project. Use this to fetch and analyze project logs including edge function logs, database logs, and API logs for monitoring and debugging. | | `SUPABASE_GET_PROJECT_PGBOUNCER_CONFIG` | Get project PgBouncer config | Retrieves the active PgBouncer configuration (PostgreSQL connection pooler) for a Supabase project, used for performance tuning, auditing, or getting the connection string. | | `SUPABASE_GET_PROJECT_POSTGRES_CONFIG` | Get project postgres config | Retrieves the current read-only PostgreSQL database configuration for a specified Supabase project's `ref`, noting that some advanced or security-sensitive details might be omitted from the response. | | `SUPABASE_GET_PROJECT_POSTGREST_CONFIG` | Get project's PostgREST config | Retrieves the PostgREST configuration for a specific Supabase project. | | `SUPABASE_GET_PROJECT_READONLY_MODE_STATUS` | Get project's read-only mode status | Retrieves the read-only mode status for a specified Supabase project to check its operational state; this action does not change the read-only state. | | `SUPABASE_GET_PROJECT_SIGNING_KEYS` | Get project signing keys | Tool to list all signing keys for a Supabase project. Use when you need to retrieve JWT signing keys for authentication verification or rotation management. | | `SUPABASE_GET_PROJECT_SUPAVISOR_CONFIG` | Get project Supavisor configuration | Retrieves the Supavisor (connection pooler) configuration for a specified Supabase project, identified by its reference ID. | | `SUPABASE_GET_PROJECT_UPGRADE_ELIGIBILITY` | Get Project Upgrade Eligibility | Checks a Supabase project's eligibility for an upgrade, verifying compatibility and identifying potential issues; this action does not perform the actual upgrade. | | `SUPABASE_GET_PROJECT_UPGRADE_STATUS` | Get project upgrade status | Retrieves the latest status of a Supabase project's database upgrade for monitoring purposes; does not initiate or modify upgrades. | | `SUPABASE_GET_RESUMABLE_UPLOAD_BASE_OPTIONS` | Get TUS resumable upload base options | Handles OPTIONS request for TUS Resumable uploads to discover server capabilities. Use when preparing resumable upload requests to verify supported TUS protocol versions and extensions. | | `SUPABASE_GET_RESUMABLE_UPLOAD_OPTIONS` | Get TUS resumable upload options | Handles OPTIONS request for TUS Resumable uploads to discover server capabilities. Use when preparing resumable upload requests to verify supported TUS protocol versions and extensions. | | `SUPABASE_GETS_PROJECT_S_AUTH_CONFIG` | Get project's auth config | Retrieves the project's complete read-only authentication configuration, detailing all settings (e.g., providers, MFA, email/SMS, JWT, security policies) but excluding sensitive secrets. | | `SUPABASE_GETS_PROJECT_S_SERVICE_HEALTH_STATUS` | Get project's service health status | Retrieves the current health status for a Supabase project, for specified services or all services if the 'services' list is omitted. | | `SUPABASE_GET_SQL_SNIPPET` | Get a specific SQL snippet | Retrieves a specific SQL snippet by its unique identifier. | | `SUPABASE_GET_SSO_PROVIDER` | Get a SSO provider by its UUID | Retrieves the configuration details for a specific Single Sign-On (SSO) provider (e.g., SAML, Google, GitHub, Azure AD), identified by its UUID, within a Supabase project. | | `SUPABASE_GET_TABLE_SCHEMAS` | Get Table Schemas | Retrieves column details, types, and constraints for multiple database tables to help debug schema issues and write accurate SQL queries. Use the SUPABASE_LIST_TABLES action first to discover available tables, the fetch their detailed schemas. | | `SUPABASE_HANDLE_RESUMABLE_UPLOAD_SIGN_OPTIONS` | OPTIONS for resumable upload sign | Handles CORS preflight OPTIONS request for TUS resumable upload signing. Use when preparing cross-origin resumable upload requests to verify allowed methods and headers. | | `SUPABASE_HANDLE_RESUMABLE_UPLOAD_SIGN_OPTIONS_WITH_ID` | OPTIONS for resumable upload sign | Handles CORS preflight OPTIONS request for TUS resumable upload signing endpoints. Use when preparing cross-origin resumable upload requests to verify allowed methods and headers. | | `SUPABASE_INVOKE_EDGE_FUNCTION` | Invoke Edge Function | Tool to invoke a deployed Supabase Edge Function over HTTPS. Use for testing and debugging Edge Functions with configurable method, headers, body, and authentication. | | `SUPABASE_LIST_ALL_ORGANIZATIONS` | List all organizations | Lists all organizations (ID and name only) associated with the Supabase account, excluding project details within these organizations. | | `SUPABASE_LIST_ALL_PROJECTS` | List all projects | Retrieves a list of all Supabase projects, including their ID, name, region, and status, for the authenticated user. Authentication: - Requires a valid Bearer token in the Authorization header. - Token format: 'Bearer ' where access_token is either: - A Personal Access Token (PAT) generated from https://supabase.com/dashboard/account/tokens - An OAuth2 access token with the 'Projects.Read' scope Required Scope: - Projects.Read: Allows retrieval of project metadata. Returns: List of Project objects containing id, name, organization_id, region, status, database info, and created_at. | | `SUPABASE_LIST_BACKUPS` | List project database backups | Lists all database backups for a Supabase project, providing details on existing backups but not creating new ones or performing restores; availability may depend on plan and configuration. | | `SUPABASE_LIST_BUCKETS` | List all buckets | Retrieves a list of all storage buckets for a Supabase project, without returning bucket contents or access policies. | | `SUPABASE_LIST_DATABASE_BRANCHES` | List all database branches | Lists all database branches for a specified Supabase project, used for isolated development and testing of schema changes; ensure the project reference ID is valid. | | `SUPABASE_LIST_FUNCTIONS` | List all functions | Lists metadata for all Edge Functions in a Supabase project (specified by 'ref'), excluding function code or logs; the project must exist. | | `SUPABASE_LIST_MIGRATION_HISTORY` | List migration history | Retrieves the list of applied database migration versions for a Supabase project. Use this to track which migrations have been applied to the project's database. This is a read-only operation that requires the project reference ID. | | `SUPABASE_LIST_ORGANIZATION_MEMBERS` | List members of an organization | Retrieves all members of a Supabase organization, identified by its unique slug, including their user ID, username, email, role, and MFA status. | | `SUPABASE_LIST_SECRETS` | List all secrets | Retrieves all secrets for a Supabase project using its reference ID; secret values in the response may be masked. | | `SUPABASE_LIST_SQL_SNIPPETS` | List SQL snippets for the logged in user | Retrieves a list of SQL snippets for the logged-in user, optionally filtered by a specific Supabase project if `project_ref` is provided. | | `SUPABASE_LIST_SSO_PROVIDERS` | List all SSO providers | Lists all configured Single Sign-On (SSO) providers for a Supabase project, requiring the project reference ID (`ref`) of an existing project. | | `SUPABASE_LIST_TABLES` | List Database Tables | Lists all tables and views in specified database schemas, providing a quick overview of database structure to help identify available tables before fetching detailed schemas. | | `SUPABASE_PATCH_MIGRATION` | Patch a migration | [Beta] Patches an existing entry in the project's migration history, updating the name or rollback script. Use this to correct migration metadata after the migration has been created. | | `SUPABASE_PATCH_NETWORK_RESTRICTIONS` | Patch project network restrictions | Updates project's network restrictions by incrementally adding or removing IPv4/IPv6 CIDR blocks. Use when you need to modify existing restrictions without replacing the entire configuration. | | `SUPABASE_PUSH_BRANCH` | Push a database branch | Pushes a database branch, applying migrations and changes to the specified branch. Use when you need to deploy schema changes or migrations to a database branch. | | `SUPABASE_RESET_DATABASE_BRANCH` | Reset a database branch | Resets an existing Supabase database branch, identified by `branch_id`, to its initial clean state, irreversibly deleting all its current data and schema changes. | | `SUPABASE_RESTORE_PITR_BACKUP` | Restore database PITR backup | Restores a Supabase project's database to a specific Unix timestamp using Point-in-Time Recovery (PITR), overwriting the current state; requires a paid plan with PITR and physical backups enabled. | | `SUPABASE_RUN_READ_ONLY_QUERY` | Execute read-only database query | [Beta] Run a SQL query as supabase_read_only_user. Use when you need to safely execute SELECT queries without risk of modifying data. Only read operations are allowed. | | `SUPABASE_SELECT_FROM_TABLE` | Select From Table | Tool to select rows from a Supabase/PostgREST table. Use for read-only queries with filtering, sorting, and pagination. | | `SUPABASE_UPDATE_A_FUNCTION` | Update a function | Updates an existing Supabase Edge Function's properties (like name, slug, source code, JWT settings, import map) identified by project `ref` and `function_slug`, supporting plain text code or ESZIP for the body. Use RETRIEVE_A_FUNCTION_BODY action first to get the current source code, as this action requires sending the complete function code, not just the changes. | | `SUPABASE_UPDATE_DATABASE_BRANCH_CONFIG` | Update database branch config | Updates the configuration of a Supabase database branch, allowing modification of its name, associated Git branch, reset-on-push behavior, persistence, and status. Note: Database branching requires a paid Supabase plan (Pro or higher). This action requires a valid branch_id which must be exactly 20 lowercase alphabetic characters. Authentication: - Requires a valid Bearer token in the Authorization header. - Token format: 'Bearer ' Required Scope: - Environment:Write | | `SUPABASE_UPDATE_DATABASE_PASSWORD` | Update database password | Updates the database password for a Supabase project. Use when needing to rotate credentials or recover database access. | | `SUPABASE_UPDATE_FUNCTIONS` | Bulk update functions | Tool to bulk update Edge Functions in a Supabase project. Use when you need to update multiple functions at once with new configurations such as status, version, or other properties. | | `SUPABASE_UPDATE_JIT_ACCESS_CONFIG` | Update JIT access config | [Beta] Update a Supabase project's just-in-time (JIT) access configuration. Use to enable or disable JIT access features for privileged operations on the project. | | `SUPABASE_UPDATE_PGSODIUM_CONFIG` | Update pgsodium root key | Critically updates or initializes a Supabase project's pgsodium root encryption key for security setup or key rotation, requiring secure backup of the new key to prevent irreversible data loss. | | `SUPABASE_UPDATE_PROJECT` | Update a project | Updates a Supabase project's configuration (currently supports updating the project name). Use when you need to rename an existing project. | | `SUPABASE_UPDATE_PROJECT_AUTH_CONFIG` | Update project's auth config | Update Supabase project Auth configuration via the Management API. Use to fix misconfigured Auth redirects, SMTP settings, or other auth parameters. Only provided fields are updated; others remain unchanged. Before updating, confirm the Auth service status is ACTIVE_HEALTHY by checking project health. | | `SUPABASE_UPDATE_PROJECT_CUSTOM_HOSTNAME` | Update project's custom hostname configuration | Updates the custom hostname for a Supabase project, requiring subsequent DNS changes to a user-controlled domain for SSL certificate issuance and domain ownership. | | `SUPABASE_UPDATE_PROJECT_LEGACY_API_KEYS` | Update project legacy API keys | Tool to disable or re-enable JWT-based legacy API keys (anon, service_role) for a Supabase project. Use when you need to toggle legacy API key access for security or migration purposes. Note: This API endpoint may be removed in the future - check for HTTP 404 Not Found if the endpoint is no longer available. | | `SUPABASE_UPDATE_PROJECT_POSTGRES_CONFIG` | Update project's postgres config | Updates specified PostgreSQL configuration parameters for an existing Supabase project (`ref`) to optimize database performance; note that unspecified parameters remain unchanged, and caution is advised as incorrect settings can impact stability or require a restart. | | `SUPABASE_UPDATE_PROJECT_POSTGREST_CONFIG` | Update project's PostgREST config | Updates PostgREST configuration settings (e.g., `max_rows`, `db_pool`, `db_schema`, `db_extra_search_path`) for a Supabase project to fine-tune API performance, data exposure, and database resource usage. | | `SUPABASE_UPDATE_PROJECT_SUPAVISOR_CONFIG` | Update database pooler config | Updates the Supavisor (database pooler) configuration, such as `default_pool_size`, for an existing Supabase project identified by `ref`; the `pool_mode` parameter in the request is deprecated and ignored. | | `SUPABASE_UPDATE_SSL_ENFORCEMENT_CONFIG` | Update SSL enforcement config | Updates the SSL enforcement configuration (enable/disable) for a specified Supabase project's database. | | `SUPABASE_UPDATE_SSO_PROVIDER` | Update an SSO provider by its UUID | Updates an existing SSO provider's SAML metadata, associated email domains, or attribute mappings for a Supabase project, identified by `ref` and `provider_id`. | | `SUPABASE_UPSERT_MIGRATION` | Upsert migration | Tool to upsert a database migration without applying it. Use when you need to track migration changes for a project. [Beta] This endpoint stores migration metadata without executing the SQL. | | `SUPABASE_VERIFY_CUSTOM_HOSTNAME_DNS` | Reverify custom hostname | Re-verifies DNS and SSL configurations for an existing custom hostname associated with a Supabase project. | ## Supported Triggers None listed. ## Creating MCP Server - Stand-alone vs Composio SDK The Supabase MCP server is an implementation of the Model Context Protocol that connects your AI agent to Supabase. It provides structured and secure access so your agent can perform Supabase operations on your behalf through a secure, permission-based interface. With Composio's managed implementation, you don't have to create your own developer app. For production, if you're building an end product, we recommend using your own credentials. The managed server helps you prototype fast and go from 0-1 faster. ## Step-by-step Guide ### 1. Prerequisites Before starting, make sure you have: - Composio API Key and OpenAI API Key - Primary know-how of OpenAI Agents SDK - A live Supabase project - Some knowledge of Python or Typescript ### 1. Getting API Keys for OpenAI and Composio OpenAI API Key - Go to the [OpenAI dashboard](https://platform.openai.com/settings/organization/api-keys) and create an API key. You'll need credits to use the models, or you can connect to another model provider. - Keep the API key safe. Composio API Key - Log in to the [Composio dashboard](https://dashboard.composio.dev?utm_source=toolkits&utm_medium=framework_docs). - Go to Settings and copy your API key. ### 2. Install dependencies Install the Composio SDK and the OpenAI Agents SDK. ```python pip install composio_openai_agents openai-agents python-dotenv ``` ```typescript npm install @composio/openai-agents @openai/agents dotenv ``` ### 3. Set up environment variables Create a .env file and add your OpenAI and Composio API keys. ```bash OPENAI_API_KEY=sk-...your-api-key COMPOSIO_API_KEY=your-api-key USER_ID=composio_user@gmail.com ``` ### 4. Import dependencies What's happening: - You're importing all necessary libraries. - The Composio and OpenAIAgentsProvider classes are imported to connect your OpenAI agent to Composio tools like Supabase. ```python import asyncio import os from dotenv import load_dotenv from composio import Composio from composio_openai_agents import OpenAIAgentsProvider from agents import Agent, Runner, HostedMCPTool, SQLiteSession ``` ```typescript import 'dotenv/config'; import { Composio } from '@composio/core'; import { OpenAIAgentsProvider } from '@composio/openai-agents'; import { Agent, hostedMcpTool, run, OpenAIConversationsSession } from '@openai/agents'; import * as readline from 'readline'; ``` ### 5. Set up the Composio instance No description provided. ```python load_dotenv() api_key = os.getenv("COMPOSIO_API_KEY") user_id = os.getenv("USER_ID") if not api_key: raise RuntimeError("COMPOSIO_API_KEY is not set. Create a .env file with COMPOSIO_API_KEY=your_key") # Initialize Composio composio = Composio(api_key=api_key, provider=OpenAIAgentsProvider()) ``` ```typescript dotenv.config(); const composioApiKey = process.env.COMPOSIO_API_KEY; const userId = process.env.USER_ID; if (!composioApiKey) { throw new Error('COMPOSIO_API_KEY is not set. Create a .env file with COMPOSIO_API_KEY=your_key'); } if (!userId) { throw new Error('USER_ID is not set'); } // Initialize Composio const composio = new Composio({ apiKey: composioApiKey, provider: new OpenAIAgentsProvider(), }); ``` ### 6. Create a Tool Router session What is happening: - You give the Tool Router the user id and the toolkits you want available. Here, it is only supabase. - The router checks the user's Supabase connection and prepares the MCP endpoint. - The returned session.mcp.url is the MCP URL that your agent will use to access Supabase. - This approach keeps things lightweight and lets the agent request Supabase tools only when needed during the conversation. ```python # Create a Supabase Tool Router session session = composio.create( user_id=user_id, toolkits=["supabase"] ) mcp_url = session.mcp.url ``` ```typescript // Create Tool Router session for Supabase const session = await composio.create(userId as string, { toolkits: ['supabase'], }); const mcpUrl = session.mcp.url; ``` ### 7. Configure the agent No description provided. ```python # Configure agent with MCP tool agent = Agent( name="Assistant", model="gpt-5", instructions=( "You are a helpful assistant that can access Supabase. " "Help users perform Supabase operations through natural language." ), tools=[ HostedMCPTool( tool_config={ "type": "mcp", "server_label": "tool_router", "server_url": mcp_url, "headers": {"x-api-key": api_key}, "require_approval": "never", } ) ], ) ``` ```typescript // Configure agent with MCP tool const agent = new Agent({ name: 'Assistant', model: 'gpt-5', instructions: 'You are a helpful assistant that can access Supabase. Help users perform Supabase operations through natural language.', tools: [ hostedMcpTool({ serverLabel: 'tool_router', serverUrl: mcpUrl, headers: { 'x-api-key': composioApiKey }, requireApproval: 'never', }), ], }); ``` ### 8. Start chat loop and handle conversation No description provided. ```python print("\nComposio Tool Router session created.") chat_session = SQLiteSession("conversation_openai_toolrouter") print("\nChat started. Type your requests below.") print("Commands: 'exit', 'quit', or 'q' to end\n") async def main(): try: result = await Runner.run( agent, "What can you help me with?", session=chat_session ) print(f"Assistant: {result.final_output}\n") except Exception as e: print(f"Error: {e}\n") while True: user_input = input("You: ").strip() if user_input.lower() in {"exit", "quit", "q"}: print("Goodbye!") break result = await Runner.run( agent, user_input, session=chat_session ) print(f"Assistant: {result.final_output}\n") asyncio.run(main()) ``` ```typescript // Keep conversation state across turns const conversationSession = new OpenAIConversationsSession(); // Simple CLI const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: 'You: ', }); console.log('\nComposio Tool Router session created.'); console.log('\nChat started. Type your requests below.'); console.log("Commands: 'exit', 'quit', or 'q' to end\n"); try { const first = await run(agent, 'What can you help me with?', { session: conversationSession }); console.log(`Assistant: ${first.finalOutput}\n`); } catch (e) { console.error('Error:', e instanceof Error ? e.message : e, '\n'); } rl.prompt(); rl.on('line', async (userInput) => { const text = userInput.trim(); if (['exit', 'quit', 'q'].includes(text.toLowerCase())) { console.log('Goodbye!'); rl.close(); process.exit(0); } if (!text) { rl.prompt(); return; } try { const result = await run(agent, text, { session: conversationSession }); console.log(`\nAssistant: ${result.finalOutput}\n`); } catch (e) { console.error('Error:', e instanceof Error ? e.message : e, '\n'); } rl.prompt(); }); rl.on('close', () => { console.log('\n👋 Session ended.'); process.exit(0); }); ``` ## Complete Code ```python import asyncio import os from dotenv import load_dotenv from composio import Composio from composio_openai_agents import OpenAIAgentsProvider from agents import Agent, Runner, HostedMCPTool, SQLiteSession load_dotenv() api_key = os.getenv("COMPOSIO_API_KEY") user_id = os.getenv("USER_ID") if not api_key: raise RuntimeError("COMPOSIO_API_KEY is not set. Create a .env file with COMPOSIO_API_KEY=your_key") # Initialize Composio composio = Composio(api_key=api_key, provider=OpenAIAgentsProvider()) # Create Tool Router session session = composio.create( user_id=user_id, toolkits=["supabase"] ) mcp_url = session.mcp.url # Configure agent with MCP tool agent = Agent( name="Assistant", model="gpt-5", instructions=( "You are a helpful assistant that can access Supabase. " "Help users perform Supabase operations through natural language." ), tools=[ HostedMCPTool( tool_config={ "type": "mcp", "server_label": "tool_router", "server_url": mcp_url, "headers": {"x-api-key": api_key}, "require_approval": "never", } ) ], ) print("\nComposio Tool Router session created.") chat_session = SQLiteSession("conversation_openai_toolrouter") print("\nChat started. Type your requests below.") print("Commands: 'exit', 'quit', or 'q' to end\n") async def main(): try: result = await Runner.run( agent, "What can you help me with?", session=chat_session ) print(f"Assistant: {result.final_output}\n") except Exception as e: print(f"Error: {e}\n") while True: user_input = input("You: ").strip() if user_input.lower() in {"exit", "quit", "q"}: print("Goodbye!") break result = await Runner.run( agent, user_input, session=chat_session ) print(f"Assistant: {result.final_output}\n") asyncio.run(main()) ``` ```typescript import 'dotenv/config'; import { Composio } from '@composio/core'; import { OpenAIAgentsProvider } from '@composio/openai-agents'; import { Agent, hostedMcpTool, run, OpenAIConversationsSession } from '@openai/agents'; import * as readline from 'readline'; const composioApiKey = process.env.COMPOSIO_API_KEY; const userId = process.env.USER_ID; if (!composioApiKey) { throw new Error('COMPOSIO_API_KEY is not set. Create a .env file with COMPOSIO_API_KEY=your_key'); } if (!userId) { throw new Error('USER_ID is not set'); } // Initialize Composio const composio = new Composio({ apiKey: composioApiKey, provider: new OpenAIAgentsProvider(), }); async function main() { // Create Tool Router session const session = await composio.create(userId as string, { toolkits: ['supabase'], }); const mcpUrl = session.mcp.url; // Configure agent with MCP tool const agent = new Agent({ name: 'Assistant', model: 'gpt-5', instructions: 'You are a helpful assistant that can access Supabase. Help users perform Supabase operations through natural language.', tools: [ hostedMcpTool({ serverLabel: 'tool_router', serverUrl: mcpUrl, headers: { 'x-api-key': composioApiKey }, requireApproval: 'never', }), ], }); // Keep conversation state across turns const conversationSession = new OpenAIConversationsSession(); // Simple CLI const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: 'You: ', }); console.log('\nComposio Tool Router session created.'); console.log('\nChat started. Type your requests below.'); console.log("Commands: 'exit', 'quit', or 'q' to end\n"); try { const first = await run(agent, 'What can you help me with?', { session: conversationSession }); console.log(`Assistant: ${first.finalOutput}\n`); } catch (e) { console.error('Error:', e instanceof Error ? e.message : e, '\n'); } rl.prompt(); rl.on('line', async (userInput) => { const text = userInput.trim(); if (['exit', 'quit', 'q'].includes(text.toLowerCase())) { console.log('Goodbye!'); rl.close(); process.exit(0); } if (!text) { rl.prompt(); return; } try { const result = await run(agent, text, { session: conversationSession }); console.log(`\nAssistant: ${result.finalOutput}\n`); } catch (e) { console.error('Error:', e instanceof Error ? e.message : e, '\n'); } rl.prompt(); }); rl.on('close', () => { console.log('\nSession ended.'); process.exit(0); }); } main().catch((err) => { console.error('Fatal error:', err); process.exit(1); }); ``` ## Conclusion This was a starter code for integrating Supabase MCP with OpenAI Agents SDK to build a functional AI agent that can interact with Supabase. Key features: - Hosted MCP tool integration through Composio's Tool Router - SQLite session persistence for conversation history - Simple async chat loop for interactive testing You can extend this by adding more toolkits, implementing custom business logic, or building a web interface around the agent. ## How to build Supabase MCP Agent with another framework - [ChatGPT](https://composio.dev/toolkits/supabase/framework/chatgpt) - [Claude Agent SDK](https://composio.dev/toolkits/supabase/framework/claude-agents-sdk) - [Claude Code](https://composio.dev/toolkits/supabase/framework/claude-code) - [Claude Cowork](https://composio.dev/toolkits/supabase/framework/claude-cowork) - [Codex](https://composio.dev/toolkits/supabase/framework/codex) - [Cursor](https://composio.dev/toolkits/supabase/framework/cursor) - [VS Code](https://composio.dev/toolkits/supabase/framework/vscode) - [OpenCode](https://composio.dev/toolkits/supabase/framework/opencode) - [OpenClaw](https://composio.dev/toolkits/supabase/framework/openclaw) - [Hermes](https://composio.dev/toolkits/supabase/framework/hermes-agent) - [CLI](https://composio.dev/toolkits/supabase/framework/cli) - [Google ADK](https://composio.dev/toolkits/supabase/framework/google-adk) - [LangChain](https://composio.dev/toolkits/supabase/framework/langchain) - [Vercel AI SDK](https://composio.dev/toolkits/supabase/framework/ai-sdk) - [Mastra AI](https://composio.dev/toolkits/supabase/framework/mastra-ai) - [LlamaIndex](https://composio.dev/toolkits/supabase/framework/llama-index) - [CrewAI](https://composio.dev/toolkits/supabase/framework/crew-ai) ## Related Toolkits - [Codeinterpreter](https://composio.dev/toolkits/codeinterpreter) - Codeinterpreter is a Python-based coding environment with built-in data analysis and visualization. It lets you instantly run scripts, plot results, and prototype solutions inside supported platforms. - [GitHub](https://composio.dev/toolkits/github) - GitHub is a code hosting platform for version control and collaborative software development. It streamlines project management, code review, and team workflows in one place. - [Ably](https://composio.dev/toolkits/ably) - Ably is a real-time messaging platform for live chat and data sync in modern apps. It offers global scale and rock-solid reliability for seamless, instant experiences. - [Abuselpdb](https://composio.dev/toolkits/abuselpdb) - Abuselpdb is a central database for reporting and checking IPs linked to malicious online activity. Use it to quickly identify and report suspicious or abusive IP addresses. - [Alchemy](https://composio.dev/toolkits/alchemy) - Alchemy is a blockchain development platform offering APIs and tools for Ethereum apps. It simplifies building and scaling Web3 projects with robust infrastructure. - [Algolia](https://composio.dev/toolkits/algolia) - Algolia is a hosted search API that powers lightning-fast, relevant search experiences for web and mobile apps. It helps developers deliver instant, typo-tolerant, and scalable search without complex infrastructure. - [Anchor browser](https://composio.dev/toolkits/anchor_browser) - Anchor browser is a developer platform for AI-powered web automation. It transforms complex browser actions into easy API endpoints for streamlined web interaction. - [Apiflash](https://composio.dev/toolkits/apiflash) - Apiflash is a website screenshot API for programmatically capturing web pages. It delivers high-quality screenshots on demand for automation, monitoring, or reporting. - [Apiverve](https://composio.dev/toolkits/apiverve) - Apiverve delivers a suite of powerful APIs that simplify integration for developers. It's designed for reliability and scalability so you can build faster, smarter applications without the integration headache. - [Appcircle](https://composio.dev/toolkits/appcircle) - Appcircle is an enterprise-grade mobile CI/CD platform for building, testing, and publishing mobile apps. It streamlines mobile DevOps so teams ship faster and with more confidence. - [Appdrag](https://composio.dev/toolkits/appdrag) - Appdrag is a cloud platform for building websites, APIs, and databases with drag-and-drop tools and code editing. It accelerates development and iteration by combining hosting, database management, and low-code features in one place. - [Appveyor](https://composio.dev/toolkits/appveyor) - AppVeyor is a cloud-based continuous integration service for building, testing, and deploying applications. It helps developers automate and streamline their software delivery pipelines. - [Backendless](https://composio.dev/toolkits/backendless) - Backendless is a backend-as-a-service platform for mobile and web apps, offering database, file storage, user authentication, and APIs. It helps developers ship scalable applications faster without managing server infrastructure. - [Baserow](https://composio.dev/toolkits/baserow) - Baserow is an open-source no-code database platform for building collaborative data apps. It makes it easy for teams to organize data and automate workflows without writing code. - [Bench](https://composio.dev/toolkits/bench) - Bench is a benchmarking tool for automated performance measurement and analysis. It helps you quickly evaluate, compare, and track your systems or workflows. - [Better stack](https://composio.dev/toolkits/better_stack) - Better Stack is a monitoring, logging, and incident management solution for apps and services. It helps teams ensure application reliability and performance with real-time insights. - [Bitbucket](https://composio.dev/toolkits/bitbucket) - Bitbucket is a Git-based code hosting and collaboration platform for teams. It enables secure repository management and streamlined code reviews. - [Blazemeter](https://composio.dev/toolkits/blazemeter) - Blazemeter is a continuous testing platform for web and mobile app performance. It empowers teams to automate and analyze large-scale tests with ease. - [Blocknative](https://composio.dev/toolkits/blocknative) - Blocknative delivers real-time mempool monitoring and transaction management for public blockchains. Instantly track pending transactions and optimize blockchain interactions with live data. - [Bolt iot](https://composio.dev/toolkits/bolt_iot) - Bolt IoT is a platform for building and managing IoT projects with cloud-based device control and monitoring. It makes connecting sensors and actuators to the internet seamless for automation and data insights. ## Frequently Asked Questions ### What are the differences in Tool Router MCP and Supabase MCP? With a standalone Supabase MCP server, the agents and LLMs can only access a fixed set of Supabase tools tied to that server. However, with the Composio Tool Router, agents can dynamically load tools from Supabase and many other apps based on the task at hand, all through a single MCP endpoint. ### Can I use Tool Router MCP with OpenAI Agents SDK? Yes, you can. OpenAI Agents SDK fully supports MCP integration. You get structured tool calling, message history handling, and model orchestration while Tool Router takes care of discovering and serving the right Supabase tools. ### Can I manage the permissions and scopes for Supabase while using Tool Router? Yes, absolutely. You can configure which Supabase scopes and actions are allowed when connecting your account to Composio. You can also bring your own OAuth credentials or API configuration so you keep full control over what the agent can do. ### How safe is my data with Composio Tool Router? All sensitive data such as tokens, keys, and configuration is fully encrypted at rest and in transit. Composio is SOC 2 Type 2 compliant and follows strict security practices so your Supabase data and credentials are handled as safely as possible. --- [See all toolkits](https://composio.dev/toolkits) · [Composio docs](https://docs.composio.dev/llms.txt)