Data Classification for MCP

Uncontrolled exposure of raw prompts and model outputs can leak personally identifiable information, violate industry regulations, and damage an organization’s reputation. When developers send data directly to a large language model without first applying data classification, they rely on trust that the model will not surface sensitive fields. In practice, prompts often contain customer identifiers, internal project codes, or proprietary algorithms that should never leave the perimeter, and without a systematic way to label and filter that data, accidental disclosure becomes inevitable, leading to compliance fines, loss of competitive advantage, and costly remediation efforts.

Most teams address the problem by scattering ad‑hoc scripts or manual reviews, but those approaches lack visibility and cannot guarantee that every request respects the organization’s classification policy. The result is a patchwork of controls that disappears as soon as a new developer joins or a CI pipeline is updated.

The missing piece is a dedicated enforcement point that sits on the data path between the caller and the MCP server. Such a gateway can inspect each prompt, apply classification rules, mask or redact confidential fields, and log the interaction for audit. By placing policy enforcement in the traffic flow, the MCP endpoint never sees raw sensitive data, and the organization retains a complete evidence trail.

Implementing this architecture requires three layers. First, identity providers such as Okta or Azure AD issue OIDC tokens that identify the calling user or service account. These tokens decide who may send a request and what classification level they are allowed to apply, but they do not enforce any data handling on their own. Second, a gateway positioned between identity and the MCP target becomes the sole place where classification policies can be enforced. Third, the gateway must provide outcomes such as masking, session recording, audit logging, and just‑in‑time approval for high‑risk prompts.

hoop.dev fulfills the gateway role. It proxies connections to the MCP server, parses the LLM protocol, applies configurable data classification rules, and either forwards the sanitized prompt, blocks it, or routes it for human approval. Because hoop.dev sits in the data path, it is the only component that can guarantee that every piece of data conforms to policy before it reaches the model.

The missing enforcement point

Without a dedicated gateway, the request travels straight from the caller to the MCP endpoint. The endpoint processes the original payload, stores logs that may contain raw PII, and returns unfiltered responses. No single component in that flow has the authority to inspect, transform, or reject content based on classification rules. The result is a blind spot where data leaks can occur unnoticed.

How hoop.dev places policy in the data path

The first step is to provision an identity provider such as Okta or Azure AD. These services issue OIDC tokens that identify the calling user or service account. hoop.dev verifies those tokens, extracts group membership, and maps the identity to an allowed classification level. This setup decides who may send a request and what classification label they can apply, but it does not enforce any data handling on its own.

The gateway is the only place where enforcement can happen. When a request arrives, hoop.dev parses the LLM protocol, applies the data classification rules, and either forwards the sanitized prompt, blocks it, or routes it for human approval. Because the gateway sits between identity and the MCP target, it is the sole point that can guarantee that every piece of data conforms to policy before it reaches the model.

Enforcement outcomes that matter

• hoop.dev masks sensitive fields in model responses, ensuring that confidential values never appear in client‑side logs.
• hoop.dev records each session, providing replay capability and an audit trail that ties a classified prompt to the user who issued it.
• hoop.dev generates audit logs that capture the classification level, the applied policy, and any redaction actions, giving auditors concrete evidence of compliance.
• hoop.dev can route high‑risk prompts to a just‑in‑time approval workflow, stopping accidental exposure before it happens.

All of these outcomes exist only because hoop.dev sits in the data path; without it, the MCP server would process the original request unchecked.

Getting started

To try this approach, follow the Getting started guide and review the feature documentation for data classification policy syntax. The open‑source repository contains example policies and deployment manifests.

Contribute on GitHub to help improve the classification engine and share best‑practice policies.

FAQ

What types of data can be classified?

Any field that appears in a prompt or response can be labeled – PII, financial identifiers, proprietary code snippets, or internal project names. The policy language lets you define regex patterns or keyword lists that match those categories.

Does hoop.dev store the raw data?

No. The gateway only retains the transformed payload and the audit record. Raw sensitive content is redacted before any storage occurs.

Can existing MCP deployments be retrofitted?

Yes. Because hoop.dev acts as a transparent proxy, you point your client to the gateway address and keep the original MCP endpoint unchanged. All classification enforcement is added without modifying the MCP server.