Prerequisites

Features

Configuration

Connection setup

Web panel

Access the connection

A Postgres connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

PostgreSQL

Hoop.dev - the only access gateway with data masking

Introduction

Install and configure the hoop.dev CLI to interact with your applications.

Command-Line

Superpower your web experience with a way to nativelly connect to your databases and services without the need of our command line

Desktop App

Describe how to configure the Hoop Gateway via environment variables

Environment Variables

Reverse Proxy

Connect to a private mysql instance from your favorite IDE

MySQL

MSSQL

A MongoDB connection is a native type, allowing for the auditing of queries and redaction of their output. It facilitates a local TCP connection without requiring a password.

MongoDB

Execute queries to Oracle instances with [sqlcl](https://www.oracle.com/database/sqldeveloper/technologies/sqlcl/).

Oracle

Hoop.dev can be configured to use the kubectl command line to manage resources and execute actions on workloads in Kubernetes.

Kubernetes

Execute queries to a Cassandra cluster with [cqlsh](https://cassandra.apache.org/doc/latest/cassandra/tools/cqlsh.html).

Apache Cassandra

Interact with the rails console or execute ad-hoc scripts in a Ruby On Rails application.

Ruby on Rails

Interact with the IEx console or execute ad-hoc scripts.

Elixir IEx

Interact with the Artisan console or execute ad-hoc scripts.

PHP Artisan

Interact with web applications and APIs tunneling through hoop.dev.

Web Apps & APIs

Hoop could act as a bastion server allowing the execution of one-off sessions.

Jump Hosts

Architecture

Understand how it works and what's possible

AI Data Masking

You can define access control rules to restrict access to your connections

Access Control

Interact with the JIT console or execute ad-hoc scripts.

Just-in-Time Reviews

It enables integration with a known secrets manager, allowing the connection environment variable to be dynamically expanded for each connection.

Secrets Manager

Record and playback terminal sessions and entire databases connections.

Session Recording

Activate and use webhooks and SIEM integrations.

Webhooks/SIEM

Get to know how to configure AI Query Builder in your organization

AI Query Builder

Learn how the API Key feature works and how to use it

API Key Usage

Agent

Review sessions directly from your Slack workspace.

Slack

Hoop.dev can integrate with Microsoft Teams, sending messages to a channel when a particular event happens.

Teams

Integrate with Svix to have wehbooks/SIEM properly configured.

Svix

Streamline change management and security workflows by automatically creating and tracking Jira tickets for infrastructure access requests.

Jira

List Agent Keys

Create an agent key in a DSN format: `grpc(s)://<name>:<key>@<grpc-host>:<grpc-port>?mode=standard|embedded`.
This key is used to deploy agents and expose internal resources from your infra-structure

Create Agent Key

Remove an agent key. It will invalidate a running agent

Delete Agent Key

Exchanges and validates the authorization code for an access token after being redirect by the external provider.
A success authentication will redirect the user back to the default redirect url provided in the /login route.

In case of error it will include the query string `error=unexpected_error` when redirecting.


Login Callback

Returns the login url to perform the signin on the identity provider

Login

Signup anonymous authenticated user. This endpoint is only used for multi tenant setups.

Signup

List Connections

The connection resource allows exposing internal services from your internal infra structure to users.

### Types of Connections

The definition of this resource represent how clients will be able to interact with internal resources.

Each type/subtype may represent a distinct implementation:

- `application/<subtype>` - An alias to map distinct types of shell applications (e.g.: python, ruby, etc)
- `application/tcp` - Forward TCP connections

    This type requires the following environment variables:
    - `HOST`: ip or dns of the internal service
    - `PORT`: the port of the internal service

- `custom` - Any custom shell application
- `database/<subtype>` - Allow connecting to databases through multiple clients (Webapp, cli, IDE's)

Each `<subtype>` has distinct environment variables that are allowed to be configured, refer to our [documentation](https://hoop.dev/docs) for more information.


Create Connection

Get Connection

Update Connection

List all available databases for a database connection

List Databases

Get detailed schema information including tables, views, columns and indexes

Get Database Schema

Delete Connection

Proxy to OpenAI chat completions `/vi/chat/completions`

OpenAI Chat Completions

Updates a feature configuration. It will report if this feature is available in the user info endpoint.

Feature Update

Get Webhooks Dashboard

List Guard Rail Rules

Create Guard Rail Rules

Get Guard Rail Rules

Update Guard Rail Rules

Delete a Rule

Reports if the service is working properly

HealthCheck

Update Org License

Sign a new license for a customer. This route is for internal use only

Sign License

Get Public Server Info

Get Server Info

Get Jira integration for the organization

Get Jira Integration

Update the Jira integration for the organization

Update Jira Integration

Create a new Jira integration for the organization

Create Jira Integration

List Issue Templates

Create Issue Templates

Get Issue Templates

Update Issue Templates

Delete Issue Templates

Get values for a specific Jira object type in an Issue Template

Get Object Type Values for Issue Template

Get the organization key to run with `hoop run` command line

Get Org Key

Create the organization key to run with `hoop run` command line.

Create Org Key

Revoke Org Key

List Plugins

Create Plugin

Get Plugin

Update Plugin resource. The `config` and `name` attributes are immutable for this endpoint.

Update Plugin

Update the Plugin resource top level configuration.

Update Plugin Config

Start a execution using a Runbook as input

Runbook Exec

List Runbooks By Connection

List Runbooks

Send a connect request to the client. A successful response indicates the client has stablished a connection.
If the connection resource has the review enabled, it returns a successful response containing the link of the review in the `Localtion` header.

ProxyManager Connect

Send a disconnect request. The transport layer will disconnect the connected client asynchronously

ProxyManager Disconnect

ProxyManager Status

The report payload groups sessions by info types and by a custom field (`group_by`) provided by the client.
The items returns data containing the sum of redact fields performed by a given info type aggregated by the `group_by` attribute.

Session Reports

List Reviews

Get Review

Update Review Status

Update the status of a review resource by the session id

Update Review Status By Sid

List Service Accounts

Create a service account that is associated with a identity provider client

Create Service Account

Update a service account that is associated with a identity provider client

Update Service Account

Get UserInfo

List Users

Inviting a user will pre configure user definitions like display name, profile picture, groups or his slack id

Invite User

List User Groups

Patch User Slack ID

Get User

Update User

Delete User

List Sessions

This endpoint performs ad-hoc executions. It will wait 50 seconds for a sucessful response (200), otherwise return an Accepted status code (202) meaning the execution will be held asynchronously. The outcome could be obtained later on by fetching the resource using the attribute `id`.

The payload of this request is used with the Connection resource to construct the command to be executed in the remote agent.
- The `script` attribute is passed as stdin to the Connection resource `command` attribute.
- The attribute `client_args` is appended to the suffix of the `command`.

For example, the following connection:

```json
{
  "name": "bash-connection",
  "command": ["/bin/bash"],
  "type": "custom"
}
```

With the following payload:

```json
{
  "script": "echo 'hello world'",
  "client_args": ["-x"],
  "connection": "bash-connection"
}
```

Will perform an ad-hoc shell execution as:

```sh
/bin/bash -x <<EOF
echo 'hello world'
EOF
```


Exec

Get a session by id. This endpoint returns a conditional response

- When the query string `extension` is present it will return a payload containing a link to download the session

```json
{
  "download_url": "http://127.0.0.1:8009/api/sessions/<id>/download?token=<token>&extension=csv&newline=1&event-time=0&events=o,e",
  "expire_at": "2024-07-25T15:56:35.317601Z",
}
```

- Fetching the endpoint without any query string returns the payload documented for this endpoint
- The attribute `event_stream` will be rendered differently if the request contains the query string `event_stream=utf8`

```json
{
  (...)
  "event_stream": ["hello world"]
  (...)
}
```

The attribute `metrics` contains the following structure:

```json
{
  "data_masking": {
    "err_count": 0,
    "info_types": {
      "EMAIL_ADDRESS": 1
    },
    "total_redact_count": 1,
    "transformed_bytes": 31
  },
  "event_size": 356
}
```


Get Session

Download Session

Update Session Metadata

Reviewed Exec

Community

Blog

API Reference

Get started

Sign In

Overview

This deployment leverages `docker compose` to deploy Hoop on local or remote machines for solution assessment.

Docker

This deployment leverages AWS CloudFormation to automatically create resources and set up the Hoop in your own AWS account.

Integrate with your own Identity Provider

Auth0

Okta

Google

Azure

JumpCloud

AWS Cognito

Set up and know better about hoop.dev's AI Data Masking

Get Started

Get to know all the fields that you can use to mask data in your organization.

Data Masking Fields

Hoop could be configured to use the AWS command line to manage resources in multiple accounts.

AWS CLI

Interact with Elastic Container Service, executing one-off sessions into ECS tasks/containers.

Feature	Native	One Off	Description
TLS Termination Proxy			The local proxy terminates the connection with TLS, enabling the connection with the remote server to be TLS encrypted.
Audit			The gateway store and audit the queries being issued by the client.
Data Masking (Google DLP)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Data Masking (MS Presidio)			A policy can be enabled to mask sensitive fields dynamically when performing queries in the database.
Credentials Offload			The user authenticates via SSO instead of using database credentials.
Interactive Access			Interactive access is available when using an IDE or connecting via a terminal to perform analysis exploration.

Name	Type	Required	Description
HOST	env-var	yes	The IP or Host of the Postgres server
USER	env-var	yes	The user to connect in the Postgres server
PASS	env-var	yes	The password to connect to the Postgres server. Make sure to URL encode the password if it contains any special characters.
PORT	env-var	yes	The port of the Postgres server
DB	env-var	yes	The name of the database to connect (Required when using the connection via the command line).
SSLMODE	env-var	no	How to connect via tls with the remote host, it defaults to prefer. https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION for more information. Available options are: disable, prefer, require, and verify-full

Getting Started

Configure

Quickstarts

Learn

Concepts

Integrations

PostgreSQL

Prerequisites

Features

Configuration

Connection setup

Access the connection

CLI

Web panel

Getting Started

Configure

Quickstarts

Learn

Concepts

Integrations

​Prerequisites

​Features

​Configuration

​Connection setup

​Access the connection

​CLI

​Web panel

Prerequisites

Features

Configuration

Connection setup

Access the connection

CLI

Web panel