Basic configuration

Extra configuration

Community

Blog

API Reference

Hoop.dev - the only access gateway with data masking

Get started

Sign In

Describe how to configure the Hoop Gateway via environment variables

Environment Variables

Introduction

Overview

This deployment leverages `docker compose` to deploy Hoop on local or remote machines for solution assessment.

Docker

This deployment leverages AWS CloudFormation to automatically create resources and set up the Hoop in your own AWS account.

Kubernetes

Install and configure the hoop.dev CLI to interact with your applications.

Command-Line

Superpower your web experience with a way to nativelly connect to your databases and services without the need of our command line

Desktop App

Integrate with your own Identity Provider

Auth0

Okta

Google

Azure

JumpCloud

AWS Cognito

Set up and know better about hoop.dev's AI Data Masking

Get Started

Get to know all the fields that you can use to mask data in your organization.

Data Masking Fields

Connect to a private mysql instance from your favorite IDE

MySQL

A Postgres connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

PostgreSQL

MSSQL

A MongoDB connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

MongoDB

Execute queries to Oracle instances with [sqlcl](https://www.oracle.com/database/sqldeveloper/technologies/sqlcl/).

Oracle

Hoop could be configured to use the AWS command line to manage resources in multiple accounts.

AWS CLI

Interact with Elastic Container Service, executing one-off sessions into ECS tasks/containers.

AWS ECS

Hoop.dev can be configured to use the kubectl command line to manage resources and execute actions on workloads in Kubernetes.

Execute queries to a Cassandra cluster with [cqlsh](https://cassandra.apache.org/doc/latest/cassandra/tools/cqlsh.html).

Apache Cassandra

Python Scripts

Interact with the Artisan console or execute ad-hoc scripts.

Django

Interact with the rails console or execute ad-hoc scripts in a Ruby On Rails application.

Ruby on Rails

Interact with the IEx console or execute ad-hoc scripts.

Elixir IEx

PHP Artisan

Interact with web applications and APIs tunneling through hoop.dev.

Web Apps & APIs

Hoop could act as a bastion server allowing the execution of one-off sessions.

Jump Hosts

Architecture

Understand how it works and what's possible

AI Data Masking

You can define access control rules to restrict access to your connections

Access Control

Interact with the JIT console or execute ad-hoc scripts.

Just-in-Time Reviews

Runbooks

It enables integration with a known secrets manager, allowing the connection environment variable to be dynamically expanded for each connection.

Secrets Manager

Record and playback terminal sessions and entire databases connections.

Session Recording

Activate and use webhooks and SIEM integrations.

Webhooks/SIEM

Get to know how to configure AI Query Builder in your organization

AI Query Builder

Learn how the API Key feature works and how to use it

API Key Usage

Agent

Review sessions directly from your Slack workspace.

Slack

Hoop.dev can integrate with Microsoft Teams, sending messages to a channel when a particular event happens.

Teams

Integrate with Svix to have wehbooks/SIEM properly configured.

Svix

Streamline change management and security workflows by automatically creating and tracking Jira tickets for infrastructure access requests.

Jira

List Agent Keys

Create an agent key in a DSN format: `grpc(s)://<name>:<key>@<grpc-host>:<grpc-port>?mode=standard|embedded`.
This key is used to deploy agents and expose internal resources from your infra-structure

Create Agent Key

Remove an agent key. It will invalidate a running agent

Delete Agent Key

List Connections

The connection resource allows exposing internal services from your internal infra structure to users.

### Types of Connections

The definition of this resource represent how clients will be able to interact with internal resources.

Each type/subtype may represent a distinct implementation:

- `application/<subtype>` - An alias to map distinct types of shell applications (e.g.: python, ruby, etc)
- `application/tcp` - Forward TCP connections

    This type requires the following environment variables:
    - `HOST`: ip or dns of the internal service
    - `PORT`: the port of the internal service

- `custom` - Any custom shell application
- `database/<subtype>` - Allow connecting to databases through multiple clients (Webapp, cli, IDE's)

Each `<subtype>` has distinct environment variables that are allowed to be configured, refer to our [documentation](https://hoop.dev/docs) for more information.


Create Connection

Get Connection

Update Connection

List all available databases for a database connection

List Databases

Get detailed schema information including tables, views, columns and indexes

Get Database Schema

Delete Connection

List Guard Rail Rules

Create Guard Rail Rules

Get Guard Rail Rules

Update Guard Rail Rules

Delete a Rule

Get the organization key to run with `hoop run` command line

Get Org Key

Create the organization key to run with `hoop run` command line.

Create Org Key

Revoke Org Key

List Plugins

Create Plugin

Start a execution using a Runbook as input

Runbook Exec

List Runbooks By Connection

List Runbooks

Get Plugin

Update Plugin resource. The `config` and `name` attributes are immutable for this endpoint.

Update Plugin

Update the Plugin resource top level configuration.

Update Plugin Config

The report payload groups sessions by info types and by a custom field (`group_by`) provided by the client.
The items returns data containing the sum of redact fields performed by a given info type aggregated by the `group_by` attribute.

Session Reports

List Reviews

Get Review

Update Review Status

List Sessions

This endpoint performs ad-hoc executions. It will wait 50 seconds for a sucessful response (200), otherwise return an Accepted status code (202) meaning the execution will be held asynchronously. The outcome could be obtained later on by fetching the resource using the attribute `id`.

The payload of this request is used with the Connection resource to construct the command to be executed in the remote agent.
- The `script` attribute is passed as stdin to the Connection resource `command` attribute.
- The attribute `client_args` is appended to the suffix of the `command`.

For example, the following connection:

```json
{
  "name": "bash-connection",
  "command": ["/bin/bash"],
  "type": "custom"
}
```

With the following payload:

```json
{
  "script": "echo 'hello world'",
  "client_args": ["-x"],
  "connection": "bash-connection"
}
```

Will perform an ad-hoc shell execution as:

```sh
/bin/bash -x <<EOF
echo 'hello world'
EOF
```


Exec

Get a session by id. This endpoint returns a conditional response

- When the query string `extension` is present it will return a payload containing a link to download the session

```json
{
  "download_url": "http://127.0.0.1:8009/api/sessions/<id>/download?token=<token>&extension=csv&newline=1&event-time=0&events=o,e",
  "expire_at": "2024-07-25T15:56:35.317601Z",
}
```

- Fetching the endpoint without any query string returns the payload documented for this endpoint
- The attribute `event_stream` will be rendered differently if the request contains the query string `event_stream=utf8`

```json
{
  (...)
  "event_stream": ["hello world"]
  (...)
}
```

The attribute `metrics` contains the following structure:

```json
{
  "data_masking": {
    "err_count": 0,
    "info_types": {
      "EMAIL_ADDRESS": 1
    },
    "total_redact_count": 1,
    "transformed_bytes": 31
  },
  "event_size": 356
}
```


Get Session

Download Session

Reviewed Exec

Exchanges and validates the authorization code for an access token after being redirect by the external provider.
A success authentication will redirect the user back to the default redirect url provided in the /login route.

In case of error it will include the query string `error=unexpected_error` when redirecting.


Login Callback

Returns the login url to perform the signin on the identity provider

Login

Signup anonymous authenticated user. This endpoint is only used for multi tenant setups.

Signup

Proxy to OpenAI chat completions `/vi/chat/completions`

OpenAI Chat Completions

Updates a feature configuration. It will report if this feature is available in the user info endpoint.

Feature Update

Get Webhooks Dashboard

Reports if the service is working properly

HealthCheck

Update Org License

Sign a new license for a customer. This route is for internal use only

Sign License

Get Public Server Info

Get Server Info

Get Jira integration for the organization

Get Jira Integration

Update the Jira integration for the organization

Update Jira Integration

Create a new Jira integration for the organization

Create Jira Integration

List Issue Templates

Create Issue Templates

Get Issue Templates

Update Issue Templates

Delete Issue Templates

Send a connect request to the client. A successful response indicates the client has stablished a connection.
If the connection resource has the review enabled, it returns a successful response containing the link of the review in the `Localtion` header.

ProxyManager Connect

Send a disconnect request. The transport layer will disconnect the connected client asynchronously

ProxyManager Disconnect

ProxyManager Status

List Service Accounts

Create a service account that is associated with a identity provider client

Create Service Account

Update a service account that is associated with a identity provider client

Update Service Account

Get UserInfo

List Users

Inviting a user will pre configure user definitions like display name, profile picture, groups or his slack id

Environment	Description
POSTGRES_DB_URI	The postgres connection string to connect in the database.
API_URL	API URL address, usually where your DNS will be pointed to. If a prefix is included all endpoints and routes will be available at this prefix.

Environment	Description
AUTH_METHOD	The authentication method to use (`local` or `idp`). Default to `local`
JWT_SECRET_KEY	The secret key to sign JWT tokens

Environment	Default Value	Description
ADMIN_USERNAME	admin	Changes the name of the group to act as the `admin` role
AUDITOR_USERNAME	auditor	Changes the name of the group to act as the `auditor` role
API_KEY		When this environment is set, it enables authentication with full administrative privileges. The key must follow this format: `{org-id}\|{random-string}`
ASK_AI_CREDENTIALS		The ChatGPT credentials in URL format: `<scheme>://_:<apikey>@<api-host>`
DLP_PROVIDER	`gcp`	Which DLP provider to use: `mspresidio` or `gcp`
DISABLE_SESSIONS_DOWNLOAD	false	Control if the download session is disabled or not
GIN_MODE	release	Turn on (debug) logging of routes
GOOGLE_APPLICATION_CREDENTIALS_JSON		GCP DLP credentials
GRPC_URL	`grpc://127.0.0.1:8010`	The gRPC URL to advertise to clients.
IDP_AUDIENCE		Identity Provider Audience (Oauth2)
LOG_ENCODING	json	The encoding of output logs (console)
LOG_GRPC		”1” enables logging gRPC protocol
LOG_LEVEL	info	The verbosity of logs (debug,info,warn,error)
MSPRESIDIO_ANALYZER_URL		Host and port for MS Presidio Analyzer `<host-to-analyzer:port>`
MSPRESIDIO_ANONYMIZER_URL		Host and port for MS Presidio Anonymizer `<host-to-anonymizer:port>`
ORG_MULTI_TENANT		Enable organization multi-tenancy
PLUGIN_AUDIT_PATH	`/opt/hoop/sessions`	The path where the temporary sessions are stored
PLUGIN_INDEX_PATH	`/opt/hoop/indexes`	The path where the temporary indexes are stored
STATIC_UI_PATH	`/app/ui/public`	The path where the UI assets resides
TLS_CA		The path or value to the certificate authority (pem), e.g.: `file://` or `base64://`
TLS_CERT		The path or value to the certificate server (pem) e.g.: `file://` or `base64://`
TLS_KEY		The path or value to the RSA private key e.g.: `file://` or `base64://`
WEBHOOK_APPKEY		The application key to send messages to the webhook provider.
WEBHOOK_APPURL		The Svix Server URL for self hosted setups.

Getting Started

Configure

Quickstarts

Learn

Concepts

Integrations

Environment Variables

Basic configuration

Extra configuration

Getting Started

Configure

Quickstarts

Learn

Concepts

Integrations

​Basic configuration

​Extra configuration

Basic configuration

Extra configuration