Skip to content

Connect DigitalOcean to Claude: Scale Databases and Kubernetes

Learn how to build a managed MCP server to connect DigitalOcean to Claude. Automate Kubernetes deployments, database scaling, and DevOps workflows via AI.

Riya Sethi Riya Sethi · · 9 min read
Connect DigitalOcean to Claude: Scale Databases and Kubernetes

If you need to orchestrate cloud infrastructure with AI - whether that is scaling Kubernetes nodes, managing managed databases, or debugging App Platform deployments - you need a Model Context Protocol (MCP) server. This server translates the reasoning of a Large Language Model (LLM) into structured REST API calls. If your team uses ChatGPT, check out our guide on connecting DigitalOcean to ChatGPT or explore our broader architectural overview on connecting DigitalOcean to AI Agents.

Giving an AI agent read and write access to your production DigitalOcean environment is a high-stakes engineering challenge. You must handle complex JSON specs, deeply nested Kubernetes configurations, and specific pagination rules. If you build this manually, you own the entire API lifecycle. Every time DigitalOcean updates an App Platform parameter or introduces a new database configuration option, you have to rewrite your tool schemas, redeploy your MCP server, and test the integration.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for DigitalOcean, connect it natively to Claude Desktop or your custom agent framework, and execute complex DevOps workflows using natural language.

The Engineering Reality of the DigitalOcean API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against cloud infrastructure APIs is difficult. You are integrating a system where state changes are heavily asynchronous and configurations are massive.

If you decide to build a custom MCP server for DigitalOcean, here are the specific architectural challenges you will face:

Asynchronous State Changes When you ask an LLM to "create a Droplet" or "deploy a Kubernetes cluster," the DigitalOcean API does not return a ready resource. It returns a 202 Accepted status and an Action ID. The underlying resource might take minutes to provision. If your custom MCP server blocks waiting for the resource, it will timeout the LLM's tool call. You have to build custom polling logic into your agent to routinely check the action status endpoint before attempting the next step in a workflow.

Complex App Platform and Kubernetes Specs The payload to create a DigitalOcean App Platform deployment or a new node pool is not a flat list of keys. It is a deeply nested JSON specification containing database rules, environment variables, build commands, and component types. Forcing an LLM to hallucinate this exact JSON structure from scratch frequently leads to 400 Bad Request errors. A managed MCP server leverages dynamically generated JSON schemas derived directly from DigitalOcean's API documentation, providing the LLM with the exact property constraints and types it needs to format the request correctly.

Rate Limits and 429 Handling DigitalOcean enforces specific rate limits across its endpoints (typically 5,000 requests per hour for standard operations, but far fewer for specific endpoints like floating IP assignments or heavy database queries). If your AI agent gets trapped in a looping workflow, you will hit these limits. Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream DigitalOcean API returns an HTTP 429, Truto passes that exact error to the caller. Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. Your agent logic is responsible for parsing these headers and initiating a proper retry with exponential backoff.

How to Generate a DigitalOcean MCP Server

Truto dynamically generates MCP servers for any connected integration. Rather than hand-coding tool definitions for DigitalOcean, Truto reads the underlying integration documentation. A tool only appears in the MCP server if it has a corresponding documentation entry - ensuring only curated, highly reliable endpoints are exposed to the LLM.

Each MCP server is scoped to a single authenticated DigitalOcean account. The generated server URL contains a hashed cryptographic token that handles authentication.

You can create this server through the Truto dashboard or programmatically via the API.

Method 1: Via the Truto UI

  1. Navigate to the integrated account page for your connected DigitalOcean instance in the Truto dashboard.
  2. Click the MCP Servers tab.
  3. Click Create MCP Server.
  4. Select your desired configuration. You can filter the server to only allow specific methods (e.g., read) or specific tags (e.g., kubernetes, databases).
  5. Copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4e5f6...).

Method 2: Via the Truto API

If you are provisioning AI workspaces programmatically for your end-users, you can generate the MCP server via a REST call. The API validates that the integration has tools available, generates a secure token, stores the hash, and returns a ready-to-use URL.

curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "DigitalOcean DevOps Assistant",
    "config": {
      "methods": ["read", "write"],
      "tags": ["droplets", "kubernetes", "databases"]
    },
    "expires_at": null
  }'

The response returns the server URL containing the authentication token:

{
  "id": "abc-123",
  "name": "DigitalOcean DevOps Assistant",
  "config": { "methods": ["read", "write"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6"
}

Because query parameters and request bodies share a flat input namespace in MCP, Truto automatically splits the LLM's arguments using the endpoint's JSON schemas. It delegates the execution directly to Truto's proxy API handlers, executing the command natively against DigitalOcean.

Connecting the MCP Server to Claude

Once you have the Truto MCP URL, you need to connect it to Claude.

Method A: Via the Claude UI (or ChatGPT UI)

If your organization has Custom Connectors enabled in Claude Desktop or ChatGPT Developer Mode:

  1. Open your AI client settings (e.g., in Claude: Settings -> Integrations -> Add MCP Server).
  2. Paste the Truto MCP server URL.
  3. Click Add.

The client will immediately ping the endpoint, execute the initialize and tools/list JSON-RPC handshake, and populate the model's context with the available DigitalOcean tools.

Method B: Via Manual Configuration File

For Claude Desktop, you can manually configure the connection using the standard MCP Server-Sent Events (SSE) proxy command. Edit your claude_desktop_config.json file (typically located at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "digitalocean": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Restart Claude Desktop. The model will automatically discover the DigitalOcean tools.

DigitalOcean Hero Tools for AI Agents

When Claude lists the tools available on your Truto MCP server, it receives dynamically generated schemas based on the integration's documentation. Here are the highest-leverage operations for orchestrating DigitalOcean infrastructure.

1. List All DigitalOcean Databases

Retrieves a complete list of managed database clusters in the account. The LLM can use this to audit current infrastructure, check engine versions (PostgreSQL, MySQL, Redis), or find target cluster IDs for scaling operations.

"Audit our DigitalOcean account and list all active database clusters. Tell me their current status, node count, and region."

2. Update a DigitalOcean Database Resize by ID

Scales a database cluster by changing its slug size, node count, or storage capacity. The LLM evaluates performance alerts and issues a resize command. The API returns a 202 Accepted while the resize occurs.

"The production PostgreSQL cluster (ID: 8fa729...) is under heavy load. Resize it to 4 nodes using the db-s-4vcpu-8gb size slug."

3. Create a DigitalOcean Kubernetes Cluster

Provisions a brand-new managed Kubernetes cluster. The LLM must construct a payload defining the cluster name, region, Kubernetes version, and the initial node pool array. Truto provides the JSON schema required to get this complex structure right.

"Deploy a new Kubernetes cluster in NYC3 called 'staging-cluster'. Use the latest available 1.28 version and configure a single node pool with 3 nodes using the s-2vcpu-4gb size."

4. Create a DigitalOcean App

Deploys code directly via DigitalOcean App Platform. The LLM formats a complex App Spec containing the repository source, branch, build commands, and HTTP route configuration.

"Deploy a new App Platform instance for our frontend service. Pull from the 'main' branch of our GitHub repo, set the build command to 'npm run build', and expose it on port 3000."

5. Create a DigitalOcean Firewall

Provisions network security rules. The LLM can map natural language requests to specific inbound and outbound rule arrays (e.g., opening port 443, dropping SSH traffic from outside VPCs).

"Create a new DigitalOcean firewall named 'web-tier-security'. Block all inbound traffic except ports 80 and 443 from any IPv4 address, and attach it to droplets with the tag 'frontend'."

6. Create a DigitalOcean Droplet Action

Executes operational commands on virtual machines, such as power cycling, taking a snapshot, or rebuilding from a new image. The LLM isolates the problematic droplet ID and issues the appropriate action type.

"The backend worker droplet (ID: 109283...) is unresponsive. Initiate a power cycle action on it immediately, then list the recent actions to confirm it is rebooting."

To view the complete schema definitions and the full inventory of available endpoints, visit the DigitalOcean integration page.

Workflows in Action

By exposing DigitalOcean's infrastructure API to Claude via an MCP server, you can orchestrate complex, multi-step operations using conversational prompts.

Scenario 1: Emergency Infrastructure Scaling

A site reliability engineer receives an alert regarding heavy latency. They ask the agent to scale up the infrastructure.

"Check the CPU load on our 'api-prod' Droplets over the last hour. If the average is over 80%, spin up two new droplets in the same region, apply the 'api-prod' tag, and ensure they are added to the main load balancer."

  1. Metric retrieval: Claude calls list_all_digital_ocean_droplet_cpus for the existing host IDs to confirm the load.
  2. Infrastructure provisioning: Claude calls create_a_digital_ocean_droplet, sending an array of two new names, returning two new Droplet IDs.
  3. Tagging: Claude calls create_a_digital_ocean_tag_resource to attach the api-prod tag to the new IDs.
  4. Traffic routing: Claude calls create_a_digital_ocean_load_balancer_droplet to attach the new compute instances to the active load balancer, completing the scaling workflow.
flowchart TD
    User["SRE Engineer"] -->|Prompt| Claude
    subgraph DO_Workflow ["Emergency Scaling"]
        Claude -->|Call list_all_digital_ocean_droplet_cpus| DO_Metrics["DO Metrics API"]
        DO_Metrics -.->|Return >80% Load| Claude
        Claude -->|Call create_a_digital_ocean_droplet| DO_Compute["DO Compute API"]
        DO_Compute -.->|Return New IDs| Claude
        Claude -->|Call create_a_digital_ocean_tag_resource| DO_Tags["DO Tagging API"]
        Claude -->|Call create_a_digital_ocean_load_balancer_droplet| DO_Network["DO Load Balancer API"]
    end
    Claude -->|Return Status| User

Scenario 2: Secure Database Provisioning

A developer needs a fresh database for a new microservice but does not have direct access to the DigitalOcean console.

"Provision a new PostgreSQL 15 database cluster in SFO3 named 'auth-service-db'. It needs 2 nodes on the basic 2GB plan. Once it is created, add a firewall rule that only allows connections from Droplets with the 'auth-service' tag."

  1. Database creation: Claude calls create_a_digital_ocean_database with the engine set to pg, version 15, region sfo3, and node count 2.
  2. Validation loop: The agent parses the returned cluster UUID. It notes the status is creating.
  3. Firewall application: Claude immediately calls update_a_digital_ocean_database_firewall_by_id, passing the cluster UUID and a rule object specifying the tag type with the value auth-service.
sequenceDiagram
    participant Dev as Developer
    participant AI as Claude (MCP Client)
    participant Truto as Truto MCP Router
    participant DO as DigitalOcean API

    Dev->>AI: "Provision new Postgres DB and restrict access by tag"
    AI->>Truto: tools/call (create_a_digital_ocean_database)
    Truto->>DO: POST /v2/databases
    DO-->>Truto: 201 Created (Cluster UUID, Status: creating)
    Truto-->>AI: Result: Cluster details
    AI->>Truto: tools/call (update_a_digital_ocean_database_firewall_by_id)
    Truto->>DO: PUT /v2/databases/{uuid}/firewall
    DO-->>Truto: 204 No Content
    Truto-->>AI: Result: Success
    AI-->>Dev: "Database provisioned and firewall locked to 'auth-service' tag."

Security and Access Control

Giving an LLM access to infrastructure requires strict governance. Truto's managed MCP architecture provides several layers of access control, meaning possession of the server URL alone is not always enough to execute destructive operations.

  • Method Filtering: When generating the MCP token, you can restrict the server to specific operation categories. Setting config.methods: ["read"] ensures the LLM can only execute GET and LIST requests. It can read metrics, but it cannot delete a cluster.
  • Tag Filtering: You can restrict the MCP server to specific functional areas using config.tags. If you set tags: ["kubernetes"], the server will completely filter out tools for App Platform, DNS, and billing, severely limiting the agent's blast radius.
  • Require API Token Auth: For higher security environments, you can enable require_api_token_auth: true. This forces the MCP client to pass a valid Truto API token in the Authorization header. If the URL leaks, it is useless without the secondary authentication token.
  • Ephemeral Servers: Using the expires_at property, you can issue short-lived MCP servers. Both the primary database record and the underlying KV storage enforce this TTL. When the timestamp is reached, a Durable Object alarm fires and the access token is permanently purged from the edge.

FAQ

How does the DigitalOcean MCP server handle API rate limits?
Truto does not absorb or automatically retry rate limit errors. When the DigitalOcean API returns an HTTP 429, Truto passes the error back to the caller and normalizes the upstream rate limit information into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). The client agent is responsible for implementing retry and backoff logic.
Can I restrict the Claude agent to read-only access for DigitalOcean?
Yes. When creating the MCP server, you can use method filtering to allow only read operations (like get and list). You can also apply tag filters to restrict access to specific resources, such as monitoring alerts or read-only database queries.
How do I securely pass my DigitalOcean credentials to the MCP server?
You do not pass credentials to the MCP server directly. The MCP server URL generated by Truto contains a cryptographic token linked to a specific authenticated DigitalOcean account. The server executes tool calls using that integrated account's secure OAuth or API token lifecycle.
Does this support DigitalOcean App Platform and Serverless Functions?
Yes. Because Truto derives MCP tools dynamically from the underlying integration documentation, any documented DigitalOcean resource - including App Platform specs, serverless functions, and managed databases - is automatically available as an AI tool.

More from our Blog