Explore and query Apache Pinot clusters through MCP.
Valid MCP server (1 strong, 1 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
4 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: PINOT_CONTROLLER_URL
Environment variable: PINOT_BROKER_URL
Environment variable: PINOT_USERNAME
Environment variable: PINOT_PASSWORD
Environment variable: PINOT_TOKEN
Environment variable: PINOT_USE_MSQE
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-startreedata-mcp-pinot": {
"env": {
"PINOT_TOKEN": "your-pinot-token-here",
"PINOT_PASSWORD": "your-pinot-password-here",
"PINOT_USERNAME": "your-pinot-username-here",
"PINOT_USE_MSQE": "your-pinot-use-msqe-here",
"PINOT_BROKER_URL": "your-pinot-broker-url-here",
"PINOT_CONTROLLER_URL": "your-pinot-controller-url-here"
},
"args": [
"mcp-pinot-server"
],
"command": "uvx"
}
}
}From the project's GitHub README.
This project is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. It is built using the FastMCP framework. It is designed to integrate with Claude Desktop to enable real-time analytics and metadata queries on a Pinot cluster.
It allows you to
See Pinot MCP in action below:

Prompt:
Can you do a histogram plot on the GitHub events against time

Once Claude is running, click the hammer 🛠️ icon and try these prompts:
uv is a fast Python package installer and resolver, written in Rust. It's designed to be a drop-in replacement for pip with significantly better performance.
curl -LsSf https://astral.sh/uv/install.sh | sh
# Reload your bashrc/zshrc to take effect. Alternatively, restart your terminal
# source ~/.bashrc
# Clone the repository
git clone https://github.com/startreedata/mcp-pinot.git
cd mcp-pinot
uv pip install -e . # Install dependencies
# For development dependencies (including testing tools), use:
# uv pip install -e .[dev]
The MCP server expects a uvicorn config style .env file in the root directory to configure the Pinot cluster connection. This repo includes a sample .env.example file that assumes a pinot quickstart setup.
mv .env.example .env
The server loads configuration from environment variables and from a .env file
found from the current working directory. Values in .env override process
environment variables, so run the server from the repository directory or pass
the same variables through your process manager, container, or Claude Desktop
configuration.
| Use case | Required settings | Notes |
|---|---|---|
| Claude Desktop | MCP_TRANSPORT=stdio | Recommended for local desktop use. No HTTP listener is started unless TLS certs are configured. |
| Local HTTP | MCP_TRANSPORT=http, MCP_HOST=127.0.0.1 | Default local development profile. Accessible only from the same machine. |
| Remote HTTP/HTTPS | MCP_TRANSPORT=http, MCP_HOST=0.0.0.0, OAUTH_ENABLED=true | The server refuses non-loopback HTTP/HTTPS binds unless OAuth is enabled. Use TLS directly or an authenticated reverse proxy. |
| Helm exposure | service.enabled=true, mcp.host=0.0.0.0, mcp.oauth.enabled=true | Helm defaults are local-only and render no Service unless exposure is explicitly enabled. |
| Variable | Default | Description |
|---|---|---|
PINOT_CONTROLLER_URL | http://localhost:9000 | Pinot controller endpoint used for metadata and table/schema operations. |
PINOT_BROKER_URL | http://localhost:8000 | Pinot broker endpoint used for SQL queries. |
PINOT_BROKER_HOST | Parsed from PINOT_BROKER_URL | Optional host override for the broker connection. |
PINOT_BROKER_PORT | Parsed from PINOT_BROKER_URL | Optional port override for the broker connection. |
PINOT_BROKER_SCHEME | Parsed from PINOT_BROKER_URL | Optional scheme override, usually http or https. |
PINOT_USERNAME / PINOT_PASSWORD | unset | Basic authentication for Pinot. |
PINOT_TOKEN | unset | Bearer or raw token for Pinot; takes precedence over PINOT_TOKEN_FILENAME. |
PINOT_TOKEN_FILENAME | unset | File containing a Pinot token. A missing or empty file logs a warning and continues without token auth. |
PINOT_DATABASE | empty | Optional database header for multi-database Pinot deployments. |
PINOT_USE_MSQE | false | Enables Pinot multi-stage query engine query option. |
PINOT_REQUEST_TIMEOUT | 60 | HTTP request timeout in seconds. |
PINOT_CONNECTION_TIMEOUT | 60 | HTTP connection timeout in seconds. |
PINOT_QUERY_TIMEOUT | 60 | SQL query timeout in seconds. |
| Variable | Default | Description |
|---|---|---|
MCP_TRANSPORT | http | Transport mode. Use stdio for Claude Desktop and http for HTTP/SSE clients. |
MCP_HOST | 127.0.0.1 | HTTP bind host. Set 0.0.0.0 only with OAuth enabled. |
MCP_PORT | 8080 | HTTP listen port. |
MCP_PATH | /mcp | MCP HTTP path. |
MCP_SSL_KEYFILE | unset | TLS private key path. Requires MCP_SSL_CERTFILE. |
MCP_SSL_CERTFILE | unset | TLS certificate path. Requires MCP_SSL_KEYFILE. |
OAuth is required before binding HTTP or HTTPS to a non-loopback host.
| Variable | Default | Description |
|---|---|---|
OAUTH_ENABLED | false | Enables OAuth authentication. |
OAUTH_CLIENT_ID | empty | OAuth client ID. |
OAUTH_CLIENT_SECRET | empty | OAuth client secret. |
OAUTH_BASE_URL | http://localhost:8080 | Public base URL for this MCP server. |
OAUTH_AUTHORIZATION_ENDPOINT | empty | Upstream authorization endpoint. |
OAUTH_TOKEN_ENDPOINT | empty | Upstream token endpoint. |
OAUTH_JWKS_URI | empty | JWKS URI used for token verification. |
OAUTH_ISSUER | empty | Expected token issuer. |
OAUTH_AUDIENCE | unset | Optional expected audience claim. |
OAUTH_EXTRA_AUTH_PARAMS | unset | Optional JSON object with additional authorization parameters. |
| Variable | Default | Description |
|---|---|---|
PINOT_TABLE_FILTER_FILE | unset | YAML file with included_tables glob patterns. If configured and missing, startup fails. |
See SECURITY.md for the production exposure checklist and vulnerability reporting process.
⚠️ Security Note: For production access control, use Pinot's native table-level ACLs (available since Pinot 0.8.0+). Table filtering in this MCP server is a convenience feature for organizing tables and improving UX, not a security boundary. It uses best-effort SQL parsing and should not be relied upon for security.
Table filtering allows you to control which Pinot tables are visible through the MCP server. This is useful for:
When table filtering is enabled, all table operations are filtered to show only the configured tables.
Table filtering applies across all MCP operations:
Copy the example configuration file:
cp table_filters.yaml.example table_filters.yaml
Edit table_filters.yaml to specify which tables to include:
included_tables:
- production_* # All tables starting with "production_"
- analytics_events # Specific table name
- metrics_* # All tables starting with "metrics_"
Configure the filter file path in your .env:
PINOT_TABLE_FILTER_FILE=table_filters.yaml
The filter supports glob-style patterns using standard Unix filename pattern matching:
exact_table_name - Matches exactly this tableprefix_* - Matches all tables starting with "prefix_"*_suffix - Matches all tables ending with "_suffix"*pattern* - Matches all tables containing "pattern"sharded_table_? - Matches tables with exactly one character after the underscore (e.g., sharded_table_1, sharded_table_a)When filtering is enabled, SQL queries are checked before execution:
"table name") and backtick-quoted (`table_name`) table namesdatabase.schema.table)Example filtered query:
SELECT * FROM allowed_table
JOIN other_table ON allowed_table.id = other_table.id
Error: Query references unauthorized tables: other_table. Allowed tables: allowed_table, prod_*
Fail-Fast Validation:
PINOT_TABLE_FILTER_FILE is configured but the file doesn't exist, the server will fail to start with a FileNotFoundErrorincluded_tables key will show all tables (no filtering)Comprehensive Filtering:
To disable table filtering, either:
PINOT_TABLE_FILTER_FILE environment variable, or.env fileWhen not configured, all tables in the Pinot cluster are visible.
The read-query tool always validates SQL before forwarding it to Pinot. It
accepts one statement only, and that statement must be a read-only SELECT or
WITH ... SELECT query. SQL comments are stripped, semicolon-stacked statements
are rejected, and write/DDL/admin keywords are blocked.
To enable OAuth authentication, set the following environment variables in your .env file:
Required variables (when OAUTH_ENABLED=true):
OAUTH_CLIENT_ID: OAuth client IDOAUTH_CLIENT_SECRET: OAuth client secretOAUTH_BASE_URL: Your MCP server base URLOAUTH_AUTHORIZATION_ENDPOINT: OAuth authorization endpoint URLOAUTH_TOKEN_ENDPOINT: OAuth token endpoint URLOAUTH_JWKS_URI: JSON Web Key Set URI for token verificationOAUTH_ISSUER: Token issuer identifierOptional variables:
OAUTH_AUDIENCE: Expected audience claim for token validationOAUTH_EXTRA_AUTH_PARAMS: Additional authorization parameters as JSON object (e.g., {"scope": "openid profile"})Example configuration:
OAUTH_ENABLED=true
OAUTH_CLIENT_ID=client-id
OAUTH_CLIENT_SECRET=client-secret
OAUTH_BASE_URL=http://localhost:8000
OAUTH_AUTHORIZATION_ENDPOINT=https://example.com/oauth/authorize
OAUTH_TOKEN_ENDPOINT=https://example.com/oauth/token
OAUTH_JWKS_URI=https://example.com/.well-known/jwks.json
OAUTH_ISSUER=https://example.com
OAUTH_AUDIENCE=client-id
OAUTH_EXTRA_AUTH_PARAMS={"scope": "openid profile"}
uv --directory . run mcp_pinot/server.py
You should see logs indicating that the server is running.
Security notes:
- The HTTP transport binds to
127.0.0.1by default. Prefer thestdiotransport for Claude Desktop; setMCP_HOST=0.0.0.0only when the server is protected by OAuth and TLS or an authenticated reverse proxy.- The server refuses to start when HTTP is bound to a non-loopback host and
OAUTH_ENABLEDis nottrue.read-queryenforces a single read-only SQL statement before execution. This is a guardrail, not a replacement for Pinot authentication and authorization.- Ensure you are using
mcp[cli]version>=1.10.0, which includes DNS rebinding protections for the HTTP/SSE server.
Start Pinot QuickStart using docker:
docker run --name pinot-quickstart -p 2123:2123 -p 9000:9000 -p 8000:8000 -d apachepinot/pinot:latest QuickStart -type batch
Query MCP Server
uv --directory . run examples/example_client.py
This quickstart just checks all the tools and queries the airlineStats table.
vi ~/Library/Application\ Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"pinot_mcp": {
"command": "/path/to/uv",
"args": [
"--directory",
"/path/to/mcp-pinot-repo",
"run",
"mcp_pinot/server.py"
],
"env": {
// You can also include your .env config here
}
}
}
}
Replace /path/to/uv with the absolute path to the uv command, you can run which uv to figure it out.
Replace /path/to/mcp-pinot with the absolute path to the folder where you cloned this repo.
Note: you must use stdio transport when running your server to use with Claude desktop.
You could also configure environment variables here instead of the .env file, in case you want to connect to multiple pinot clusters as MCP servers.
Claude will now auto-launch the MCP server on startup and recognize the new Pinot-based tools.
Apache Pinot MCP server now supports DXT desktop extensions file
To use it, you first need to install dxt via
npm install -g @anthropic-ai/dxt
then you can run the following commands:
uv pip install -r pyproject.toml --target mcp_pinot/lib
uv pip install . --target mcp_pinot/lib
dxt pack
After this you'll get a .dxt file in your dir. Double click on that file to install it in claude desktop
See SECURITY.md for vulnerability reporting instructions, security categories, and the checklist for safely exposing the MCP HTTP endpoint.
Pinot class in utils/pinot_client.pyBuild the project with
pip install -e ".[dev]"
Test the repo with:
pytest
docker build -t mcp-pinot .
docker run -v $(pwd)/.env:/app/.env mcp-pinot
Note: Make sure to have your .env file configured with the appropriate Pinot cluster settings before running the container.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.