> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.hoop.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# JIT Access Requests Configuration

> Configure time-based access controls for your resource roles

This page covers the configuration options for Just-in-Time Access Requests. For an introduction to how JIT Access Requests work, see [JIT Access Requests](/learn/features/access-requests/jit).

<Info>
  Configuring per-command approvals instead? See [Action Access Requests Configuration](/setup/configuration/access-requests/action-configuration).
</Info>

## Enabling JIT Access Requests

### Via Web App

JIT Access Requests are configured as an Access Request rule of type **Just-in-Time**.

<Steps>
  <Step title="Open Access Request">
    In the Web App sidebar, under **Discover**, click **Access Request**.
  </Step>

  <Step title="Create a new rule">
    Click **Create new Access Request rule**. If you don't have any rules yet, you're taken straight to the rule form.
  </Step>

  <Step title="Set rule information">
    Give the rule a **Name** and an optional **Description**.
  </Step>

  <Step title="Choose the access request type">
    Select the **Access request type**:

    * **Just-in-Time** — temporary access that expires automatically after a defined time range.
    * **by Command** — execution-based access with a per-command approval workflow.

    Only resource roles that support the selected type can be added in the next step.
  </Step>

  <Step title="Select resource roles">
    Under **Resource configuration**, choose the **resource roles** this rule applies to. Optionally, use **Attribute configuration** to scope the rule further.
  </Step>

  <Step title="Set user groups">
    * **Required user groups** — the groups that must request access under this rule.
    * **Approval user groups** — the groups that can approve access for this rule.
  </Step>

  <Step title="Tune approval controls (optional)">
    * **Require all groups approval** — require approval from at least one member of each approval group.
    * **Approval amount** — the minimum number of approvals required per session.
    * **Force approval groups** — groups allowed to bypass the other approval rules.
  </Step>

  <Step title="Save">
    Click **Save** to create the rule.
  </Step>
</Steps>

### Via CLI

You can also configure access requests when creating a resource role:

```bash theme={"dark"}
hoop admin create conn prod-postgres \
  --agent default \
  --reviewers 'dba-team,security' \
  -- psql -h localhost -U postgres
```

The `--reviewers` flag specifies which groups can approve access requests.

***

## Requesting JIT Access

Users request time-based access using the `--duration` flag:

```bash theme={"dark"}
hoop connect prod-postgres --duration 2h
```

The CLI will wait for approval:

```
⣷ waiting for access request to be approved at https://use.hoop.dev/access-requests/abc123...
```

### Duration Formats

| Format | Duration   |
| ------ | ---------- |
| `10m`  | 10 minutes |
| `30m`  | 30 minutes |
| `1h`   | 1 hour     |
| `2h`   | 2 hours    |
| `8h`   | 8 hours    |
| `24h`  | 24 hours   |

***

## Configuration Options

### Maximum Access Duration

Limit how long users can request access. Configure in **Manage > Resources > \[resource role] > Settings**.

### Multiple Approval Groups

When multiple groups are configured, **all groups** must approve before access is granted.

**Example:** Configure `dba-team` and `security-team` as approvers:

* Request requires 1 approval from `dba-team` AND 1 approval from `security-team`
* Either group can reject the request

### Admin Auto-Approval

Admin users automatically approve their own requests. This is by design to ensure admins always have access.

To test the full workflow, use a non-admin account.

***

## Integration with Slack

To receive and approve requests in Slack:

1. [Configure the Slack integration](/integrations/slack)
2. Enable the `slack` plugin on your resource role:

```bash theme={"dark"}
hoop admin create conn prod-postgres \
  --agent default \
  --reviewers 'dba-team' \
  --plugin slack \
  -- psql -h localhost -U postgres
```

3. Approvers subscribe with `/hoop subscribe` in Slack
4. Access requests appear as interactive messages

***

## Troubleshooting

### Request stuck in PENDING

**Possible causes:**

1. **No active approvers** — check that the approval groups have members available
2. **Multiple groups required** — every configured approval group must approve
3. **Slack notifications not working** — verify the [Slack integration](/integrations/slack) is configured

Check the request in **Access Request** > find your request > see which groups have approved.

### Admin users bypass approval

This is expected — admin users auto-approve their own requests. To test the full workflow, use a non-admin account.

### Access still works after the time limit

**Possible causes:**

1. **Active session** — a session actively in use may not terminate immediately
2. **Request not expired** — check the request status in **Access Request**

To force expiration, an admin can **Revoke** the access from the Access Request page, which immediately terminates it.

### Approval notification not appearing in Slack

**Check:**

1. The Slack app is installed correctly ([setup guide](/integrations/slack))
2. The resource role has the `slack` plugin enabled
3. The approver has subscribed with `/hoop subscribe`
4. The notification channel is configured in the Slack plugin settings

***

## Environment Variables

These environment variables affect JIT Access Requests behavior on the gateway:

| Variable             | Description                                     | Default         |
| -------------------- | ----------------------------------------------- | --------------- |
| `REVIEW_TIMEOUT_SEC` | How long to wait for approval before timing out | `3600` (1 hour) |

***

## Related

<CardGroup cols={2}>
  <Card title="JIT Access Requests Overview" icon="clock" href="/learn/features/access-requests/jit">
    Learn how JIT Access Requests work and common use cases
  </Card>

  <Card title="Action Access Requests" icon="square-terminal" href="/setup/configuration/access-requests/action-configuration">
    Configure per-command approval workflows
  </Card>

  <Card title="Slack Integration" icon="slack" href="/integrations/slack">
    Set up Slack for access request notifications
  </Card>

  <Card title="Access Control" icon="lock" href="/setup/configuration/access-control-configuration">
    Configure who can access which resource roles
  </Card>
</CardGroup>
