hoop.dev gives engineers native, credential-less access to production databases and servers. Every connection is identity-bound, port-enforced, and audited at the gateway.
An engineer needs to read a row from a production database. The secure path looks like this: open the VPN, SSH into the jump host, find the shared credential in the vault, paste it, then connect. Five steps before the first query runs.
So the engineer does what engineers do. They copy the credential into an environment variable once, and skip the dance every time after that. Now a long-lived production password lives on a laptop, and the audit log shows a shared service account instead of a person.
This is the quiet failure mode of most access controls. The control that is hard to use is the control that gets routed around. A staff security engineer at a personal-finance fintech put it to us plainly on a call this month: make the security controls good but easy, or the business is not going to use them. The same week, a different security leader said the part out loud that every security team feels: "I can't tell the business they can't use this without an open door."
The fix is not a stricter door. It is a secure path that is faster than the workaround.
What if the secure path was the command engineers already run?
Here is the whole change:
psql -h analytics-db.hoop
No VPN toggle. No jump host. No credential to paste. The engineer connects to a production database with the same native client they already use, and the connection runs through the Hoop gateway on the way.
The setup behind that is one install script. It puts a small background service on the engineer's machine (Linux and macOS today) and wires up DNS so that any *.hoop hostname resolves on its own. There is no second configuration step, no client to reconfigure, no SDK to import into anything. The engineer keeps their tools. psql, their database GUI, the script they already wrote. All of it points at a .hoop hostname and works.
That is the part that decides adoption. A control engineers do not have to think about is a control they do not route around.
Where did the credential go?
Nowhere the engineer can see, which is the point.
The engineer signs in once through the company identity provider, the same Okta or SSO that sits behind every other internal tool. The background service holds that session. The raw database credential never lands in the engineer's shell, never sits in an environment variable, never gets copied into a script. The connection is bound to the person who opened it.
We made the same argument about AI agents recently: an agent should never hold a raw credential, and the audit trail should show the human behind it. This is that principle applied to the humans directly. Same gateway, same credential-less model, no copied secrets on either side.
|
The old secure path |
The Hoop Tunnel |
| How you connect |
VPN, jump host, paste a credential |
psql -h db.hoop, native client |
| Where the credential lives |
On a laptop, in an env var |
Nowhere the user can reach |
| What the audit log shows |
A shared service account |
The person, the connection, the query |
| When someone leaves |
Rotate a shared password |
Revoke their identity once |
| Developer experience |
Five steps, every time |
The command they already type |
Does getting out of the way mean giving up control?
No. Out of the way for the engineer is not out of the loop for security.
Every connection still runs through the gateway. Identity is retrieved from the identity provider, so the session carries a real person, not a shared account. Ports are enforced at connection time, so a session reaches the databases and servers it is allowed to reach and nothing else. And the in-session controls still apply on the wire: a sensitive column gets masked before the result leaves the database, a destructive command gets stopped before it runs, a mutating action waits for an approval that lands in the same audit trail.
The engineer sees a normal database connection. The security team sees who connected, to what, and every command that crossed the line.
One gateway, two kinds of users
A human engineer connects with their native tools. An AI agent connects through MCP. Both arrive at the same gateway, and the gateway treats them the same way: identity resolved from the company IdP, no raw credential in hand, every action enforced inside the session, every session in one audit trail.
The gateway does not care whether a person or a model sits on the other end. It cares who they are and what they are allowed to do. That is the whole posture. Humans and agents get the same governance, and the humans get to keep the tools they already know.
Security teams have spent a decade as the office of no. The way out is not a louder no. It is a yes that happens to be the easiest command to type.
Hoop is open source. The gateway, the credential-less access model, and the in-session controls described here live in the hoophq org on GitHub. Hoop is MIT-licensed, SOC 2 Type II, and a CNCF member.