Skip to main content
In the Web App, these are called Resource Roles. In the API, the same objects are called connections. They refer to the same thing: a named, typed configuration that exposes an internal service through a Hoop agent.

Connection Types

Every connection has a type and an optional subtype.

Database (type: "database")

Connections that implement native database wire protocols. Hoop intercepts queries and can enforce masking, guardrails, and access policies on the traffic.
SubtypeProtocol
postgresPostgreSQL wire protocol
mysqlMySQL protocol
mongodbMongoDB Wire Protocol
mssqlMicrosoft SQL Server
oracledbOracle Database

Application (type: "application")

Connections to networked services and processes.
SubtypeDescription
httpproxyForwards HTTP/HTTPS traffic to an upstream service
tcpRaw TCP forwarding
sshSSH tunneling

Custom (type: "custom")

Arbitrary shell command execution. Use this type when your resource doesn’t fit a standard protocol. The command field defines what runs when a session opens.

Agent Binding

Each connection is bound to an agent via the agent_id field. The connection’s status reflects the agent’s reachability:
  • online — the agent is connected and the resource is accessible
  • offline — the agent is not connected or the resource is unreachable
If no agent_id is set on the connection, it inherits the agent from the associated resource.

Credentials

Connection secrets (database passwords, API tokens, hostnames) are stored as environment variables attached to the connection. In the API, they are submitted under a secret object with "envvar:KEY" keys, base64-encoded: 
{
  "secret": {
    "envvar:HOST": "bXlkYi5leGFtcGxlLmNvbQ==",
    "envvar:PORT": "NTQzMg==",
    "envvar:USER": "YWRtaW4=",
    "envvar:PASS": "c3VwZXJzZWNyZXQ="
  }
}
The agent resolves these environment variables at runtime when opening a session.

Access Modes

Each connection exposes up to three interaction modes, each independently enabled or disabled:
ModeDescription
execRun a command and receive output (non-interactive)
connectOpen an interactive session (e.g., a database shell)
runbooksExecute pre-defined runbook scripts against the connection

Features Per Connection

Hoop features are attached to individual connections via the plugin system. When a connection is created, a default set of plugins is automatically enabled. Additional features can be configured on a per-connection basis:
FeaturePluginWhat it does
Session RecordingauditAlways active; records all session activity
Live Data MaskingdlpRedacts sensitive patterns (emails, credit cards, etc.) in output
Access RequestsreviewHolds execution pending approval from a designated reviewer group
GuardrailsEnforces input/output rules attached to the connection
Access Controlaccess_controlRestricts which user groups can see and use the connection
RunbooksrunbooksEnables runbook execution on the connection
Webhooks / SIEMwebhooksForwards session lifecycle events to external endpoints
Slack NotificationsslackSends Slack messages for access request events
See Plugins for a full reference.

Creating Connections

Navigate to Resource Roles in the sidebar, then click New Resource Role. Select the type and fill in the required fields.