A Guide to Policy as Code in Function Calling

Many believe that function calling can be secured by simply trusting the caller’s token, but that approach ignores the need for enforceable, testable policies expressed as policy as code.

Function calling lets a service invoke a piece of code, often a microservice, a serverless routine, or an LLM‑driven tool, by sending a request that includes arguments and expects a response. The convenience is undeniable, yet the security surface expands with every new endpoint. A caller can be a human, an automated job, or an AI agent, each with different risk profiles. Without a systematic way to express and enforce constraints, teams end up relying on ad‑hoc checks, scattered configuration files, or manual reviews that are hard to audit.

What policy as code brings to function calling

Policy as code treats access rules, data‑handling requirements, and operational limits as version‑controlled, testable artifacts. Instead of a prose document that lives in a wiki, the policy lives in the same repository as the code that defines the function. This alignment gives three concrete benefits:

• Automated validation: CI pipelines can lint, test, and verify that a new function respects the declared policy before it reaches production.
• Clear audit trail: Each change to the policy is recorded in the version‑control history, providing evidence of intent and review.
• Dynamic enforcement: At runtime the system can read the policy definition and apply it to every request, ensuring that the declared intent is actually enforced.

The policy language typically expresses who may call, what arguments are allowed, and how responses must be treated. For example, a policy might forbid a function from returning credit‑card numbers, or it might require that any request originating from a non‑interactive service be approved by a human before execution.

Why a data‑path gateway is required

Even with policy as code in place, the enforcement point matters. The identity and token verification step (often an OIDC or SAML flow) tells the system *who* is making the request, but it does not guarantee that the request complies with the policy. If the enforcement logic lives inside the function itself, a compromised function can bypass the checks, and the policy evidence becomes unreliable because the function could tamper with logs.

The enforcement must sit on the path that the request travels, between the caller and the function runtime. Only a gateway that intercepts the wire‑level protocol can see the full request, apply masking, block disallowed commands, and trigger just‑in‑time approvals before the function sees the payload. Without that data‑path control, the policy remains a declaration without a technical guarantee.

How hoop.dev fills the enforcement gap

hoop.dev is a Layer 7 gateway that sits between identities and infrastructure. By placing hoop.dev on the data path for function calls, it becomes the single point where policy as code can be evaluated and enforced. hoop.dev reads the caller’s OIDC token, extracts group membership, and then matches the request against the policy stored in version control. The gateway can:

• Block a function call that violates argument constraints before it reaches the runtime.
• Mask sensitive fields in the function’s response, ensuring that downstream logs never contain raw personal data.
• Require a human approval workflow for high‑risk calls, turning a potentially dangerous operation into a controlled, auditable event.
• Record the entire session, providing replay capability and evidence for auditors.

All of these outcomes are possible only because hoop.dev sits in the data path. The setup phase, defining OIDC clients, provisioning service accounts, and configuring policies, determines who may start a request, but the enforcement outcomes (blocking, masking, approval, recording) exist solely because hoop.dev intercepts the traffic.

Deploying hoop.dev is straightforward: a Docker Compose quick‑start brings up the gateway with built‑in OIDC verification, masking, and guardrails. The agent runs close to the function runtime, holds the credentials needed to invoke the function, and never exposes them to the caller. For detailed steps, see the getting‑started guide and the broader learn page.

Frequently asked questions

Is policy as code still useful if I use hoop.dev?
Yes. hoop.dev enforces the policy at runtime, but the policy definition remains version‑controlled code. The two work together: the code defines the intent, hoop.dev guarantees the intent is applied to every call.

Can hoop.dev enforce policies on existing functions without code changes?
Because hoop.dev operates at the protocol layer, you can add or modify policies without touching the function implementation. The gateway intercepts the traffic and applies the new rules immediately.

How does hoop.dev help with compliance audits?
hoop.dev records each session, captures approval events, and masks sensitive data in logs. Those records provide the audit evidence that compliance frameworks demand, while the policy‑as‑code repository supplies the documented intent.

Ready to see policy as code in action for your function calls? Explore the open‑source repository on GitHub: hoop.dev on GitHub.