Start with the failure, not the feature. The most common way an AI agent does damage to a MySQL database is not a clever attack. It is a static database user with permanent privileges that the agent holds twenty-four hours a day, used once a week. The credential outlives the task by orders of magnitude, and every hour it sits idle is an hour it can be misused.
Just-in-time access for AI agents on MySQL replaces that standing grant with access that exists only for the task and only for as long as the task runs. The agent requests a connection, the request is authorized against a named identity, access opens, the work happens, and access closes. There is no long-lived privileged user waiting to be abused.
The pitfalls that make standing access dangerous
Before the setup, look at what goes wrong without just-in-time access:
- The credential never expires. A static MySQL user with broad SELECT and UPDATE rights is a permanent key. If the agent is compromised, so is the database, on a timeline measured in months.
- Scope creep. Each new task adds a grant. Nobody removes the old ones. The agent ends up with privileges no current task needs.
- No tie to a task. When access is always on, you cannot say which task an action belonged to. The audit trail is a flat stream with no boundaries.
These are not edge cases. They are the default state of any agent wired directly to MySQL with a config-file password.
Where the access boundary belongs
hoop.dev is an open-source Layer 7 gateway that proxies the MySQL wire protocol through an agent inside your network. The AI agent connects to hoop.dev, which authorizes the session against the agent's identity, opens the MySQL connection just in time, and closes it when the session ends. The architectural point: the grant has to live outside the process the agent controls. If the agent holds a permanent credential, no policy you write later can make it temporary. Move the boundary to the gateway and the access becomes a request, not a possession.
Set up just-in-time access step by step
- Register the MySQL connection in hoop.dev with HOST, PORT, USER, PASS, and DB. hoop.dev holds this credential, not the agent.
- Give the agent its own identity in the gateway rather than a shared database login.
- Set the access policy: which connections the agent may request, and whether sensitive operations route to a human for approval first.
- Point the agent at the hoop.dev endpoint. It now requests access per task instead of carrying a password.
- Verify by checking that no MySQL session stays open between tasks and that each session is attributed to the agent.
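The five steps above describe a broker that owns the credential, authorizes each request against an identity and policy, and closes the session with the task. The model below is an added example of that pattern, not hoop.dev's code: the MySQL hop is simulated so it runs offline, and the names Broker, Policy, Session and MySQLConnection, the identity `agent:report-bot`, and the connection values are all made up for the illustration. It also shows the point from the verification section that a second task must produce a second authorization and that a finished task's handle cannot extend its own window.

```python
"""Task-scoped access broker for an AI agent on MySQL. Added illustration, not
hoop.dev's code; the MySQL hop is simulated so it runs offline, and every name
here (Broker, Policy, Session, MySQLConnection) is this example's own."""
from contextlib import contextmanager
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class MySQLConnection:          # registered with the broker, never handed to the agent
    name: str
    host: str
    port: int
    user: str
    password: str
    db: str

@dataclass(frozen=True)
class Policy:                   # per identity: requestable connections, verbs needing approval
    connections: frozenset
    approval_verbs: frozenset = frozenset()

class Session:                  # one task's access; usable only while open
    def __init__(self, broker, session_id, task_id, identity, conn):
        self._broker, self._conn = broker, conn     # credential stays on this side
        self.id, self.task_id, self.identity = session_id, task_id, identity
        self.open = True

    def execute(self, sql):
        return self._broker._execute(self, sql)

class Broker:
    def __init__(self, connections, policies, approver=lambda ident, task, sql: False):
        self._connections = {c.name: c for c in connections}
        self._policies = dict(policies)             # identity -> Policy
        self._approver = approver                   # human-in-the-loop hook; default denies
        self._open, self._ids = {}, itertools.count(1)
        self.audit = []                             # (task_id, identity, event, detail)

    def request_access(self, identity, connection_name, task_id):
        policy = self._policies.get(identity)
        if policy is None or connection_name not in policy.connections:
            self.audit.append((task_id, identity, "DENIED", connection_name))
            raise PermissionError(f"{identity} may not open {connection_name}")
        sess = Session(self, next(self._ids), task_id, identity,
                       self._connections[connection_name])
        self._open[sess.id] = sess
        self.audit.append((task_id, identity, "OPEN", connection_name))
        return sess

    def _execute(self, sess, sql):
        if not sess.open:
            raise PermissionError("session closed; a new task needs a new request")
        verb = sql.strip().split(None, 1)[0].upper()
        if (verb in self._policies[sess.identity].approval_verbs
                and not self._approver(sess.identity, sess.task_id, sql)):
            self.audit.append((sess.task_id, sess.identity, "BLOCKED", sql))
            raise PermissionError(f"{verb} requires human approval")
        self.audit.append((sess.task_id, sess.identity, "EXEC", sql))
        return f"ok:{verb}"                         # a real gateway forwards sql here

    def close(self, sess):
        sess.open = False
        self._open.pop(sess.id, None)
        self.audit.append((sess.task_id, sess.identity, "CLOSE", sess._conn.name))

    def open_sessions(self):
        return list(self._open.values())

    @contextmanager
    def task(self, identity, connection_name, task_id):
        sess = self.request_access(identity, connection_name, task_id)
        try:
            yield sess
        finally:
            self.close(sess)                        # access ends with the task, even on error

def demo():
    # Two tasks by one agent identity; all values are constructed.
    broker = Broker(
        [MySQLConnection("orders-db", "db.internal", 3306, "svc_ro", "<placeholder>", "orders")],
        {"agent:report-bot": Policy(frozenset({"orders-db"}), frozenset({"UPDATE", "DELETE"}))})
    out = {}
    with broker.task("agent:report-bot", "orders-db", "task-1") as s1:
        out["select"] = s1.execute("SELECT COUNT(*) FROM orders")
        try:
            s1.execute("DELETE FROM orders")
        except PermissionError as e:
            out["delete"] = str(e)
    out["open_between_tasks"] = len(broker.open_sessions())
    try:
        s1.execute("SELECT 1")                      # stale handle cannot extend its window
    except PermissionError as e:
        out["reuse"] = str(e)
    with broker.task("agent:report-bot", "orders-db", "task-2") as s2:
        out["new_session"] = s2.id != s1.id
    out["opens"] = sum(1 for _, _, event, _ in broker.audit if event == "OPEN")
    return out
```

The agent code only ever touches a Session; the password lives in the MySQLConnection the broker keeps, so a compromised agent process has nothing durable to leak. Every audit entry carries the task id, which is what makes the trail segmentable per task rather than a flat stream.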
Verify it actually closed
Run a task, then query MySQL's process list. If just-in-time access is working, the agent's connection is gone once the task finished. A connection that lingers means you still have standing access in disguise.
The same check catches a subtler problem. If the agent can reconnect on its own after the task without a fresh authorization, the access was never really scoped. Confirm that a second task triggers a second authorization, not a silent reuse of the first session. Just-in-time access only holds when every task is its own request, evaluated against the agent's identity and policy before MySQL opens. If the agent can extend its own window, the boundary is decorative.
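A concrete form of the process-list check, as an added example rather than hoop.dev's tooling: it parses the tab-separated output of `mysql --batch` over information_schema.PROCESSLIST and flags both sessions still held by the gateway's MySQL user after a task and any connection sleeping past an idle limit. The gateway user name `hoop_gw`, the hosts, ids and the snapshot rows are all constructed for the example.

```python
"""Post-task check of MySQL's process list. Added example, not hoop.dev's own
tooling; the sample snapshots below are constructed. Input is the output of:
  mysql --batch -e "SELECT ID, USER, HOST, DB, COMMAND, TIME, STATE, INFO
                    FROM information_schema.PROCESSLIST"
The check reports (a) sessions the gateway's MySQL user still holds once the
task is over and (b) connections sleeping past an idle limit: standing access."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRow:
    id: int
    user: str
    host: str
    db: str
    command: str
    time: int      # seconds in the current command state
    state: str
    info: str


def parse_processlist(batch_output):
    """Parse `mysql --batch` output: a header line, then one tab-separated row per line."""
    lines = [ln for ln in batch_output.splitlines() if ln.strip()]
    header = [h.strip().lower() for h in lines[0].split("\t")]
    rows = []
    for ln in lines[1:]:
        fields = dict(zip(header, ln.split("\t")))
        rows.append(ProcessRow(
            id=int(fields["id"]), user=fields["user"], host=fields["host"],
            db=fields["db"], command=fields["command"], time=int(fields["time"]),
            state=fields["state"], info=fields["info"]))
    return rows


def audit_processlist(batch_output, gateway_user, idle_limit_s=300):
    """After a task ends the gateway's user should hold no session at all.
    Any Sleep connection older than idle_limit_s is standing access, whoever holds it."""
    rows = parse_processlist(batch_output)
    lingering = [r.id for r in rows if r.user == gateway_user]
    standing = [r.id for r in rows if r.command == "Sleep" and r.time > idle_limit_s]
    return {"lingering": lingering, "standing": standing, "closed": not lingering}


# Constructed sample: snapshot taken right after an agent task finished cleanly.
AFTER_TASK_OK = """\
ID\tUSER\tHOST\tDB\tCOMMAND\tTIME\tSTATE\tINFO
41\troot\tlocalhost\tNULL\tQuery\t0\texecuting\tSELECT ID, USER, HOST, DB, COMMAND, TIME, STATE, INFO FROM information_schema.PROCESSLIST
52\tevent_scheduler\tlocalhost\tNULL\tDaemon\t86400\tWaiting on empty queue\tNULL
88\tlegacy_bot\t10.0.9.3:40210\torders\tSleep\t604800\tNULL\tNULL
"""

# Constructed sample: same snapshot, but the gateway's session never closed.
AFTER_TASK_LEAK = AFTER_TASK_OK + \
    "73\thoop_gw\t10.0.4.12:51344\torders\tSleep\t42\tNULL\tNULL\n"
```

Run it against a real snapshot by piping the `mysql --batch` output into `audit_processlist` with the MySQL user the gateway connects as. A non-empty `lingering` list after the task means the connection outlived its authorization; a non-empty `standing` list points at the config-file-password users the first section describes, gateway or not.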
FAQ
How is this different from a short-lived password I rotate?
Rotation shortens the window but the grant is still standing between rotations. Just-in-time access opens the connection per task and closes it after, so there is no idle privileged session at all.
Does the agent need to handle the MySQL credential?
No. hoop.dev holds the connection credential and brokers the session. The agent authenticates to the gateway as its own identity and never sees the database password.
Does this work with RDS MySQL?
Yes. RDS connections can use per-user IAM auth on the web-app path, so the per-task identity maps to an IAM token rather than a shared user.
For the next layer, see how session recording captures each scoped task and the wider approach to agent access. Run the gateway yourself against a test MySQL instance: hoop.dev on GitHub.