For an introduction to what the MCP server does and the controls it enforces, see the MCP Server overview.
Prerequisites
- Either create an account in our managed instance or deploy your own hoop.dev instance
- Have admin access to your hoop.dev instance
- An MCP-compatible client (Claude Code, Cursor, Devin, or any client that supports streamable HTTP transport with OAuth)
- A user account in Hoop with access to at least one resource role
Endpoint
The MCP server is mounted at:Add the MCP Server to Your Client
Configure your MCP client to point at your gateway. The exact format varies by client. With OAuth enabled (the client negotiates the token automatically):hoop login or any valid Hoop API token.
Enabling OAuth via the CLI
OAuth on the/api/mcp endpoint is off by default and is managed by an administrator with the hoop admin mcp auth command group. When enabled, the endpoint accepts JWTs issued by the gateway’s configured OIDC issuer in addition to regular Hoop bearer tokens — so existing Bearer-token clients keep working.
When enabled, discovery metadata is published at:
/api/mcp URL.
These commands require an authenticated admin session (run
hoop login first as an admin user).Enable OAuth
| Flag | Default | Purpose |
|---|---|---|
--resource-uri | <api-url>/api/mcp | Canonical RFC 8707 audience binding. Inbound JWTs must carry this value as the aud claim. |
--groups-claim | groups | The JWT claim from which user groups are extracted. |
Check current status
Update configuration without toggling state
Useconfigure to change the resource URI or groups claim while leaving enabled/disabled as-is:
--resource-uri or --groups-claim.
Disable OAuth
/api/mcp accepts only Hoop bearer tokens. Any MCP client that was relying on the OAuth flow will need to switch to the Authorization: Bearer <token> header.
First Calls
Once the client is connected, these are the recommended first tool calls:Confirm identity
Ask the agent to call
me_get. The response confirms which user the MCP session is acting as, the groups it belongs to, and whether it has admin or auditor privileges. This is the recommended first call in any session.Discover what's available
Have the agent call
connections_list (and optionally serverinfo_get for gateway version and license info). The agent now knows which databases, applications, and custom resources it can target.exec response is one of three envelopes the agent should handle explicitly:
status | Meaning | What the agent does next |
|---|---|---|
completed | Output is in the response. May include AI analysis. | Use the output. Done. |
failed | Command ran but exited non-zero. | Inspect output and exit_code. |
pending_approval | A review is required before the command can run. | Call reviews_wait, then reviews_execute once status=APPROVED. |
running | Command is still running after a 50-second timeout. | Poll sessions_get with the returned session_id. |
Troubleshooting
unauthorized: missing auth context or missing access token
Check:
- If using OAuth, the MCP client completed the flow successfully and OAuth is enabled on the gateway
- If using a Bearer token, the
Authorization: Bearer <token>header is being sent and the token has not expired - The gateway URL points to
/api/mcpexactly
OAuth flow does not start / metadata endpoint returns 404
OAuth for the MCP endpoint is off by default. Ask an administrator to enable it on the gateway (hoop admin mcp auth enable), or fall back to the Bearer token method in the meantime.
Incompatible auth server: does not support dynamic client registration
This message comes from the MCP client (Claude Code, Cursor, etc.), not from Hoop. The client discovered Hoop’s protected-resource metadata, followed the authorization_servers URL to your IdP (Okta, Azure AD, Google, Auth0, etc.), and found that the IdP does not expose a registration_endpoint — so the client cannot create itself an OAuth client on the fly via RFC 7591 Dynamic Client Registration.
Hoop itself does not implement DCR; it only delegates authorization to your IdP. You have two ways to move forward:
-
Pre-register a static OAuth client in your IdP:
If you need full OAuth, ask your IdP admin to create an OAuth client for the MCP client manually and configure that client with the resulting
client_id/client_secret. Each IdP exposes this differently — for example, Okta calls it an “OIDC application”, Azure calls it an “App Registration”. Most IdPs that support DCR have it disabled by default for security reasons. -
Use the Bearer token method:
This skips OAuth entirely. Configure your MCP client with an
Authorization: Bearer <token>header using a token fromhoop login.
/.well-known/openid-configuration at the issuer URL) advertises a registration_endpoint.
admin access required
The tool is gated to admin users. Ask an administrator to perform the action, or use a read-only equivalent.
connection not found or not accessible
Check:
- The connection name is correct (use
connections_listto verify) - The user has a resource role granting access to this connection
- If the connection is bound to
access_control, the user is in one of the allowed groups
pending_approval never resolves
Check:
- A reviewer group exists and has at least one member who can approve
- The reviewer was notified (Slack/Teams integration is configured, or they’re checking the Web App)
- The agent is calling
reviews_waitrepeatedly after eachtimed_out=true
Agent disconnects on long queries
This is expected for executions over ~50 seconds. Ensure the agent handlesstatus=running by polling sessions_get with the returned session_id, rather than treating it as an error.