Non-human identity for MCP servers on Postgres

Many teams assume that an MCP server can simply be given a database user name and password and that the server will behave like any other application client, but that approach ignores the requirements of non-human identity. The reality is that a static credential shared with a machine‑run process provides no visibility, no revocation on demand, and no protection against accidental data leakage.

When an MCP server talks directly to PostgreSQL, the connection bypasses any policy enforcement layer. The server can issue any SQL statement, read every column, and write without triggering an audit trail. If the server is compromised, the attacker inherits the same unrestricted access. This model also makes compliance reporting painful because there is no per‑request evidence of who queried what and when.

Why non-human identity matters for database access

Non‑human identities, service accounts, automation bots, or AI‑driven agents, need the same least‑privilege guarantees that human engineers receive. The goal is to grant a machine only the permissions required for a specific task, for a limited window, and to capture an audit record of every statement it runs.

In practice, the requirement looks like this:

Assign a distinct identity to each MCP server instance.
Scope that identity to the exact schemas, tables, or columns needed.
Enforce a review step for any privileged command (e.g., DROP DATABASE).
Mask sensitive columns (PII, PHI) before the data reaches the server.
Record every query for audit and replay.

Even after these controls are defined, the request still reaches PostgreSQL directly. Without a gateway in the data path, the database itself cannot enforce the masking policy, cannot block the dangerous statement, and cannot guarantee that the recorded query matches the exact bytes that were executed.

hoop.dev as the enforceable data path

hoop.dev provides a Layer 7 gateway that sits between the MCP server and PostgreSQL. The gateway holds the database credentials, so the server does not have direct access to the password. The MCP server authenticates to hoop.dev using an OIDC token, which conveys the non‑human identity and any group memberships. hoop.dev then evaluates each incoming SQL statement against the defined policy.

When a statement arrives, hoop.dev can:

Check the identity’s scope and reject statements that exceed it.
Route privileged statements to a human approver before they are forwarded.
Apply inline data masking to columns marked as sensitive, ensuring the MCP server never receives raw PII.
Record the full command and the masked result for later replay.

All of these enforcement outcomes happen because hoop.dev is the only component that sits in the data path. The setup (OIDC provider, service‑account provisioning, and role bindings) decides who may start a connection, but the actual guardrails are enforced by hoop.dev.

Architectural walk‑through

1. Provision a service account for each MCP server in your identity provider. The account receives a minimal set of groups that map to the database scopes you intend.

Continue reading? Get the full guide.

Non-Human Identity Management + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

2. Deploy the hoop.dev gateway near the PostgreSQL instance. The gateway runs an agent that holds the DB user/password (or an RDS IAM token) and terminates TLS for the wire‑protocol connection.

3. Register the PostgreSQL target in hoop.dev, specifying which columns should be masked and which statements require approval.

4. Configure the MCP server to point its database client at the hoop.dev endpoint instead of the raw PostgreSQL host. The server presents its OIDC token when establishing the connection.

5. During operation, every query passes through hoop.dev. The gateway checks the token, enforces the policy, masks data, and logs the session. If a privileged command is detected, hoop.dev pauses the request and notifies an approver; the command proceeds only after explicit consent.

This flow satisfies the non-human identity requirement while adding the missing audit, masking, and just‑in‑time approval layers.

Getting started

For a step‑by‑step guide on deploying the gateway and registering a PostgreSQL connection, see the getting‑started documentation. Detailed information about masking, guardrails, and session replay is available in the learn section of the site.

All configuration details, including how to define column‑level masks and approval policies, are covered in the docs. The open‑source repository contains the Docker Compose quickstart and Kubernetes manifests you can adapt to your environment.

For the full source code and contribution guidelines, visit the GitHub repository.

FAQ

Does hoop.dev store the database password?

No. The gateway holds the credential in memory and does not expose it to the MCP server or any downstream process.

Can I still use existing PostgreSQL clients?

Yes. Clients connect to the hoop.dev endpoint using the same connection string format; the gateway transparently proxies the wire‑protocol.

What happens if an MCP server tries to run a blocked statement?

hoop.dev intercepts the request, returns an error to the client, and logs the attempt for audit purposes.