Overview
What is Pocketbase?
Remote MCP server that connects any MCP client to a PocketBase instance over stateless HTTP. It is built for developers managing PocketBase backends via AI agents.
How to use Pocketbase?
Use the hosted instance at https://pocketbase.tokenscompany.co/mcp with HTTP transport (not SSE). Configure required headers: X-PB-URL (your PocketBase instance URL) plus either X-PB-Email + X-PB-Password or X-PB-Token. Self‑host via Bun or Docker.
Key features of Pocketbase
- Stateless HTTP MCP server for PocketBase
- Full CRUD on collections, records, backups, and settings
- Two auth methods: email+password or token
- Open source (MIT) with SLSA provenance attestation
- SSRF protection, rate limiting, and CORS support
- No credential storage, no telemetry, no sessions
Use cases of Pocketbase
- Manage PocketBase collections and records through an AI agent
- Automate backup creation and deletion
- Query and update app settings programmatically
- Bulk import or overwrite collection schemas
FAQ from Pocketbase
What transport does this server use?
Stateless streamable HTTP, not SSE. Use "type": "http" in MCP config and --transport http in Claude Code CLI.
How do I authenticate?
Provide X-PB-URL plus either X-PB-Email and X-PB-Password (recommended) or X-PB-Token. If both are given, the token takes priority.
Does the server store my data or credentials?
No. It is fully stateless: no database, no disk writes, no credential persistence, no sessions, and no telemetry. Every request is processed and discarded immediately.
Can I self-host Pocketbase?
Yes. Run with Bun (bun install && bun run src/index.ts) or Docker using ghcr.io/tokenscompany/pocketbase-mcp:latest. No external dependencies beyond your PocketBase instance.
What security features are included?
SSRF protection (private IP ranges rejected), rate limiting (default 60 requests/min per IP with burst 10), CORS with Access-Control-Allow-Origin: *, and a 1 MB body size limit.