Prerequisites

Features

Configuration

Connection setup

hoop CLI

Web panel

Access the connection

Clients advertising the wrong server

Known Issues

Community

Blog

API Reference

Hoop.dev - the only access gateway with data masking

Get started

Sign In

A MongoDB connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

MongoDB

Introduction

Overview

This deployment leverages `docker compose` to deploy Hoop on local or remote machines for solution assessment.

Docker

This deployment leverages AWS CloudFormation to automatically create resources and set up the Hoop in your own AWS account.

Kubernetes

Install and configure the hoop.dev CLI to interact with your applications.

Command-Line

Superpower your web experience with a way to nativelly connect to your databases and services without the need of our command line

Desktop App

Describe how to configure the Hoop Gateway via environment variables

Environment Variables

Integrate with your own Identity Provider

Auth0

Okta

Google

Azure

JumpCloud

AWS Cognito

Set up and know better about hoop.dev's AI Data Masking

Get Started

Get to know all the fields that you can use to mask data in your organization.

Data Masking Fields

Connect to a private mysql instance from your favorite IDE

MySQL

A Postgres connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

PostgreSQL

MSSQL

Execute queries to Oracle instances with [sqlcl](https://www.oracle.com/database/sqldeveloper/technologies/sqlcl/).

Oracle

Hoop could be configured to use the AWS command line to manage resources in multiple accounts.

AWS CLI

Interact with Elastic Container Service, executing one-off sessions into ECS tasks/containers.

AWS ECS

Hoop.dev can be configured to use the kubectl command line to manage resources and execute actions on workloads in Kubernetes.

Execute queries to a Cassandra cluster with [cqlsh](https://cassandra.apache.org/doc/latest/cassandra/tools/cqlsh.html).

Apache Cassandra

Python Scripts

Interact with the Artisan console or execute ad-hoc scripts.

Django

Interact with the rails console or execute ad-hoc scripts in a Ruby On Rails application.

Ruby on Rails

Interact with the IEx console or execute ad-hoc scripts.

Elixir IEx

PHP Artisan

Interact with web applications and APIs tunneling through hoop.dev.

Web Apps & APIs

Hoop could act as a bastion server allowing the execution of one-off sessions.

Jump Hosts

Architecture

Understand how it works and what's possible

AI Data Masking

You can define access control rules to restrict access to your connections

Access Control

Interact with the JIT console or execute ad-hoc scripts.

Just-in-Time Reviews

It enables integration with a known secrets manager, allowing the connection environment variable to be dynamically expanded for each connection.

Secrets Manager

Record and playback terminal sessions and entire databases connections.

Session Recording

Activate and use webhooks and SIEM integrations.

Webhooks/SIEM

Get to know how to configure AI Query Builder in your organization

AI Query Builder

Learn how the API Key feature works and how to use it

API Key Usage

Agent

Review sessions directly from your Slack workspace.

Slack

Hoop.dev can integrate with Microsoft Teams, sending messages to a channel when a particular event happens.

Teams

Integrate with Svix to have wehbooks/SIEM properly configured.

Svix

Streamline change management and security workflows by automatically creating and tracking Jira tickets for infrastructure access requests.

Jira

List Agent Keys

Create an agent key in a DSN format: `grpc(s)://<name>:<key>@<grpc-host>:<grpc-port>?mode=standard|embedded`.
This key is used to deploy agents and expose internal resources from your infra-structure

Create Agent Key

Remove an agent key. It will invalidate a running agent

Delete Agent Key

List Connections

The connection resource allows exposing internal services from your internal infra structure to users.

### Types of Connections

The definition of this resource represent how clients will be able to interact with internal resources.

Each type/subtype may represent a distinct implementation:

- `application/<subtype>` - An alias to map distinct types of shell applications (e.g.: python, ruby, etc)
- `application/tcp` - Forward TCP connections

    This type requires the following environment variables:
    - `HOST`: ip or dns of the internal service
    - `PORT`: the port of the internal service

- `custom` - Any custom shell application
- `database/<subtype>` - Allow connecting to databases through multiple clients (Webapp, cli, IDE's)

Each `<subtype>` has distinct environment variables that are allowed to be configured, refer to our [documentation](https://hoop.dev/docs) for more information.


Create Connection

Get Connection

Update Connection

List all available databases for a database connection

List Databases

Get detailed schema information including tables, views, columns and indexes

Get Database Schema

Delete Connection

List Guard Rail Rules

Create Guard Rail Rules

Get Guard Rail Rules

Update Guard Rail Rules

Delete a Rule

Get the organization key to run with `hoop run` command line

Get Org Key

Create the organization key to run with `hoop run` command line.

Create Org Key

Revoke Org Key

List Plugins

Create Plugin

Start a execution using a Runbook as input

Runbook Exec

List Runbooks By Connection

List Runbooks

Get Plugin

Update Plugin resource. The `config` and `name` attributes are immutable for this endpoint.

Update Plugin

Update the Plugin resource top level configuration.

Update Plugin Config

The report payload groups sessions by info types and by a custom field (`group_by`) provided by the client.
The items returns data containing the sum of redact fields performed by a given info type aggregated by the `group_by` attribute.

Session Reports

List Reviews

Get Review

Update Review Status

List Sessions

This endpoint performs ad-hoc executions. It will wait 50 seconds for a sucessful response (200), otherwise return an Accepted status code (202) meaning the execution will be held asynchronously. The outcome could be obtained later on by fetching the resource using the attribute `id`.

The payload of this request is used with the Connection resource to construct the command to be executed in the remote agent.
- The `script` attribute is passed as stdin to the Connection resource `command` attribute.
- The attribute `client_args` is appended to the suffix of the `command`.

For example, the following connection:

```json
{
  "name": "bash-connection",
  "command": ["/bin/bash"],
  "type": "custom"
}
```

With the following payload:

```json
{
  "script": "echo 'hello world'",
  "client_args": ["-x"],
  "connection": "bash-connection"
}
```

Will perform an ad-hoc shell execution as:

```sh
/bin/bash -x <<EOF
echo 'hello world'
EOF
```


Exec

Get a session by id. This endpoint returns a conditional response

- When the query string `extension` is present it will return a payload containing a link to download the session

```json
{
  "download_url": "http://127.0.0.1:8009/api/sessions/<id>/download?token=<token>&extension=csv&newline=1&event-time=0&events=o,e",
  "expire_at": "2024-07-25T15:56:35.317601Z",
}
```

- Fetching the endpoint without any query string returns the payload documented for this endpoint
- The attribute `event_stream` will be rendered differently if the request contains the query string `event_stream=utf8`

```json
{
  (...)
  "event_stream": ["hello world"]
  (...)
}
```

The attribute `metrics` contains the following structure:

```json
{
  "data_masking": {
    "err_count": 0,
    "info_types": {
      "EMAIL_ADDRESS": 1
    },
    "total_redact_count": 1,
    "transformed_bytes": 31
  },
  "event_size": 356
}
```


Get Session

Download Session

Reviewed Exec

Update the status of a review resource by the session id

Update Review Status By Sid

Exchanges and validates the authorization code for an access token after being redirect by the external provider.
A success authentication will redirect the user back to the default redirect url provided in the /login route.

In case of error it will include the query string `error=unexpected_error` when redirecting.


Login Callback

Returns the login url to perform the signin on the identity provider

Login

Signup anonymous authenticated user. This endpoint is only used for multi tenant setups.

Signup

Proxy to OpenAI chat completions `/vi/chat/completions`

OpenAI Chat Completions

Updates a feature configuration. It will report if this feature is available in the user info endpoint.

Feature Update

Get Webhooks Dashboard

Reports if the service is working properly

HealthCheck

Update Org License

Sign a new license for a customer. This route is for internal use only

Sign License

Get Public Server Info

Get Server Info

Get Jira integration for the organization

Get Jira Integration

Update the Jira integration for the organization

Update Jira Integration

Create a new Jira integration for the organization

Create Jira Integration

List Issue Templates

Create Issue Templates

Get Issue Templates

Update Issue Templates

Delete Issue Templates

Send a connect request to the client. A successful response indicates the client has stablished a connection.
If the connection resource has the review enabled, it returns a successful response containing the link of the review in the `Localtion` header.

ProxyManager Connect

Send a disconnect request. The transport layer will disconnect the connected client asynchronously

ProxyManager Disconnect

ProxyManager Status

List Service Accounts

Create a service account that is associated with a identity provider client

Create Service Account

Update a service account that is associated with a identity provider client

Update Service Account

Get UserInfo

List Users

Inviting a user will pre configure user definitions like display name, profile picture, groups or his slack id

Feature	Native	One Off	Description
TLS Termination Proxy			The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
Audit			The gateway stores and audits the queries being issued by the client
Data Masking (Google DLP)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Data Masking (MS Presidio DLP)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Credentials Offload			The user authenticates via SSO instead of using database credentials.
Interactive Access			Interactive access is available when using an IDE or connecting via a terminal for analysis exploration.

​Prerequisites

​Features

​Configuration

​Connection setup

​Access the connection

​hoop CLI

​Web panel

​Known Issues

​Clients advertising the wrong server