To get the most out of this guide, you will need to:
{finalConfig.requirements.description}
{finalConfig.requirements.items &&The table below outlines the features available for this type of connection.
| Feature | Native | One Off | Description |
|---|---|---|---|
| TLS Termination Proxy | {renderIcon(finalConfig.features?.tlsTerminationProxy?.native)} | {renderIcon(finalConfig.features?.tlsTerminationProxy?.oneOff)} | The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted. |
| Audit | {renderIcon(finalConfig.features?.audit?.native)} | {renderIcon(finalConfig.features?.audit?.oneOff)} | The gateway stores and audits the queries being issued by the client. |
| Data Masking (Google DLP) | {renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.native)} | {renderIcon(finalConfig.features?.dataMaskingGoogleDLP?.oneOff)} | A policy can be enabled to mask sensitive fields dynamically when performing queries in the database. |
| Data Masking (MS Presidio) | {renderIcon(finalConfig.features?.dataMaskingMSPresidio?.native)} | {renderIcon(finalConfig.features?.dataMaskingMSPresidio?.oneOff)} | A policy can be enabled to mask sensitive fields dynamically when performing queries in the database. |
| Guardrails | {renderIcon(finalConfig.features?.guardrails?.native)} | {renderIcon(finalConfig.features?.guardrails?.oneOff)} | An intelligent layer of protection with smart access controls and monitoring mechanisms. |
| Credentials Offload | {renderIcon(finalConfig.features?.credentialsOffload?.native)} | {renderIcon(finalConfig.features?.credentialsOffload?.oneOff)} | The user authenticates via SSO instead of using database credentials. |
| Interactive Access | {renderIcon(finalConfig.features?.interactiveAccess?.native)} | {renderIcon(finalConfig.features?.interactiveAccess?.oneOff)} | Interactive access is available when using an IDE or connecting via a terminal to perform analysis exploration. |
| Name | Type | Required | Description |
|---|---|---|---|
| {credential.name} | {credential.type} | {credential.required ? 'yes' : 'no'} | {credential.description?.split(/(\[[^\]]+\]\([^)]+\))/).map((part, index) => { const linkMatch = part.match(/\[([^\]]+)\]\(([^)]+)\)/); if (linkMatch) { return {linkMatch[1]}; } return part; })} |
Once a coding assistant has API connectivity, it is no longer making suggestions. It is reading production data, ingesting environment variables, and operating inside the same execution path as your engineers.
The default response has been to restrict access to a sandbox, remove production context, and accept reduced usefulness.
That tradeoff is no longer necessary.
The Claude Code connection type routes Claude Code's API traffic through hoop.dev before it reaches your infrastructure. With it, you can give Claude Code production access while maintaining the controls your security and compliance teams require:
* Sensitive data is masked before Claude Code sees it. PII, credentials, and secrets in query results are redacted in real time. The model works with the schema and structure, not the raw values.
* Credentials are never handed to the model. Claude Code authenticates through hoop.dev's SSO integration. Database credentials are retrieved just-in-time and never exposed to the model or its context window.
* Every query is logged at the command level. More granular than session-level access records, with hoop.dev every individual query is logged, with full context, in a structured and searchable audit trail.
* Guardrails can block or gate actions outside approved patterns. Queries or commands that fall outside policy can be blocked outright or routed through an approval workflow, without changing how Claude Code is invoked.
The result is that Claude Code interrogates real schemas, surfaces actual data anomalies, and generates migration scripts against live table structures without your credentials or PII leaving the controlled environment.