June 18, 20264 min read

Putting access controls around Claude: production access for AI coding agents (on Azure)

When Claude coding agents run in production on Azure, every request must be vetted, sensitive data must be masked, and each session recorded for audit. The ideal state of production access is a clear evidence trail that shows the AI‑driven tool performed only the actions it was allowed to, and that no secret data escaped the protected environment. In practice, many organizations hand Claude a static service account, embed long‑lived keys in CI pipelines, and let the agent talk directly to datab

Free White Paper

AI Model Access Control + Customer Support Access to Production: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Coleman Nye

In practice, many organizations hand Claude a static service account, embed long‑lived keys in CI pipelines, and let the agent talk directly to databases, Kubernetes clusters, or internal APIs. The agent inherits whatever permissions the account has, often far beyond what a single request needs. Because the connection bypasses any central gate, there is no real‑time approval step, no inline data redaction, and no immutable log of what the AI actually executed. If something goes wrong, an unexpected DELETE, a credential leak, or a malformed query, there is no reliable trail to investigate, and remediation becomes a guessing game.

Production access for AI coding agents therefore demands three things: a way to grant the minimum privileges needed for each operation, a point where every request can be inspected and, if required, paused for human approval, and a mechanism that records the full session for later review. The first two items are about limiting what the agent can do; the third is about proving what it actually did.

Why production access matters for Claude agents

Claude is designed to generate code, issue database commands, and orchestrate container workloads. In a development sandbox this flexibility is a boon, but in production the same capabilities become a risk. An unguarded Claude instance could:

Accidentally modify production schemas or delete rows.
Expose secrets returned by APIs or database queries.
Trigger cascading failures by invoking privileged cloud‑CLI commands.

Each of these scenarios violates the principle of least privilege and makes compliance reporting painful. Auditors ask for evidence that only authorized actions were taken, and that any sensitive response data was protected. Without a dedicated control point, meeting those expectations is nearly impossible.

Common pitfalls when granting production access

Teams often fall into three patterns that appear to solve the problem but leave critical gaps.

Static credentials. A single service account is created with broad rights and stored in environment variables. The agent can use those rights at any time, and there is no way to revoke them for a single request.
Direct network paths. Claude connects straight to the target endpoint. Because the traffic never passes through a gate, there is no place to inject approvals or mask fields.
Missing audit trail. Even when logging is enabled on the target, the logs are noisy, incomplete, and do not tie actions back to the specific Claude request or the user who triggered it.

All three issues are rooted in the fact that the enforcement layer is missing. Identity providers can tell who is calling, but without a data‑path gateway there is nowhere to enforce policy.

Continue reading? Get the full guide.

AI Model Access Control + Customer Support Access to Production: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Architecting controls with hoop.dev

The missing piece is a Layer 7 gateway that sits between the Claude agent and the production resources. The gateway receives the identity token from the OIDC provider, determines the groups or roles of the caller, and then decides whether the request can proceed, needs approval, or must be blocked. Because the gateway operates at the protocol level, it can also rewrite responses to hide secrets and record the full request/response exchange.

This design satisfies the three production‑access requirements:

Just‑in‑time privilege. The gateway grants the minimal rights needed for each request, based on policy.
Real‑time approval workflow. If a command exceeds a risk threshold, the gateway routes it to a human reviewer before execution.
Session recording and masking. Every interaction is captured, and any fields marked as sensitive are stripped from the recorded data.

All of these capabilities are provided by hoop.dev, which acts as the sole data‑path enforcement point for Claude’s production workloads.

How hoop.dev enforces production access

When a Claude instance initiates a connection, hoop.dev performs the following steps:

It validates the OIDC token presented by the agent. This is the setup phase that decides who the request is, but it does not enforce any policy on its own.
The request then passes through hoop.dev’s gateway. This is the only place where enforcement can happen, because the gateway sits directly in the traffic flow.
hoop.dev evaluates the request against configured policies. If the command is low‑risk, it forwards it to the target. If it exceeds a risk threshold, hoop.dev pauses the request and triggers a just‑in‑time approval workflow.
Before the response reaches Claude, hoop.dev scans it for configured sensitive fields and masks them, ensuring that secrets never leave the protected boundary.
Finally, hoop.dev records the entire session, including the original request, any approval metadata, and the masked response, so that auditors can later verify exactly what happened.

Because hoop.dev is the gateway, every enforcement outcome, approval, masking, blocking, and recording, relies on its presence in the data path. Removing hoop.dev would revert the system to the insecure state described earlier.

Getting started with hoop.dev for Claude on Azure

To protect Claude’s production access, deploy the hoop.dev gateway near your Azure resources. The quick‑start uses Docker Compose, but you can also run it in Kubernetes or as an Azure container instance. After deployment, register your Azure databases, Kubernetes clusters, or HTTP services as connections in hoop.dev. Configure policies that define which Claude‑generated commands require approval, which response fields must be masked, and how long sessions should be retained.

The official getting‑started guide walks you through the deployment steps, identity provider configuration, and policy authoring. For deeper insight into masking, approvals, and session replay, see the learn section. The source code and example configurations are available in the GitHub repository.

FAQ

What if Claude needs to access multiple Azure services in a single workflow?

hoop.dev can proxy each service independently while applying a unified policy set. The gateway treats every downstream connection as a separate resource, but the same approval and masking rules can be applied across them.

Can I audit who triggered a Claude request?

Yes. hoop.dev records the identity token that initiated the session, so the audit log ties every command back to the specific user or service account that launched the Claude agent.

Does hoop.dev store the raw secrets returned by Azure services?

No. Sensitive fields are masked before they are persisted in the session archive, ensuring that the recorded data contains no clear‑text secrets.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts