Connect FloQast to Claude: Audit Compliance Controls and Programs
Learn how to connect FloQast to Claude using a secure MCP server. Automate compliance control audits, track month-end checklists, and analyze reconciliations.
If you need to connect FloQast to Claude to automate month-end close audits, monitor compliance controls, or analyze reconciliation statuses, you need a Model Context Protocol (MCP) server. This infrastructure layer acts as the translator between Claude's natural language tool calls and FloQast's REST API. You can either spend weeks building and maintaining this infrastructure yourself, or use a managed platform like Truto to dynamically generate a secure, authenticated MCP server URL. If your team uses ChatGPT, check out our guide on connecting FloQast to ChatGPT or explore our broader architectural overview on connecting FloQast to AI Agents.
Giving a Large Language Model (LLM) read and write access to your financial compliance ecosystem is an engineering risk. You have to handle secure token lifecycles, accurately map complex JSON schemas for highly specific financial objects, and deal with strict validation rules. Every time the FloQast API changes or your team needs access to a new compliance program, you have to update your server code, redeploy, and rigorously test the integration.
This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for FloQast, connect it natively to Claude, and execute complex audit workflows using natural language.
The Engineering Reality of the FloQast API
A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against a specific financial compliance API like FloQast is painful. You are not just building a generic proxy - you are mapping an LLM's unpredictable output to a highly structured financial data model.
If you decide to build a custom MCP server for FloQast, you own the entire API lifecycle. Here are the specific challenges you will face:
Period-Locked Data and Strict Filtering
Unlike a generic CRM where you can simply pull a list of contacts, FloQast data is inherently tied to financial periods. Endpoints like reconciliations and checklists require strict filter [month] and filter [year] query parameters. If you expose raw endpoints to Claude without explicit schema definitions indicating that these filters are mandatory, the model will attempt generic GET requests and fail. A managed MCP server extracts these requirements from the API documentation and injects them into the tool's JSON schema as required properties, forcing the LLM to ask the user for the financial period before executing the call.
Complex Relational Hierarchies
FloQast's compliance module operates on a strict relational hierarchy: Entities map to Programs, Programs map to Processes, and Processes map to Controls. The API does not typically offer deep native expansion. To update a control, an LLM must often first list programs to find a programId, list processes to find a processId, and finally list controls. Building a custom MCP server means you have to accurately expose all these relational endpoints and ensure their schemas clearly describe to the LLM how the IDs map to each other.
Rate Limiting and Financial Close Bursts
During month-end close, automated agents querying checklists and reconciliations can easily trigger API quotas. It is critical to understand how this is handled: Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream FloQast API returns an HTTP 429 (Too Many Requests), Truto passes that error directly to the caller. However, Truto normalizes the upstream rate limit information into standardized IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). The caller (your AI agent or multi-agent orchestration framework) is entirely responsible for reading these headers and implementing appropriate retry and exponential backoff logic.
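Caller-side handling of the 429 path described above, as an added example (not Truto's or FloQast's code). It assumes `ratelimit-reset` carries the number of seconds until the window resets; the `send` callable, the delay cap and the constructed responses in `demo()` are illustrative.

```python
import random
import time


def retry_delay(headers, attempt, base=1.0, cap=60.0, rand=random.random):
    """Seconds to wait before retrying a 429, using the normalized headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Exponential backoff with jitter so parallel agents do not retry in lockstep.
    ceiling = min(cap, base * 2 ** attempt)
    backoff = ceiling / 2 + rand() * ceiling / 2
    try:
        # Assumption: ratelimit-reset is the number of seconds until the window resets.
        reset = float(h.get("ratelimit-reset", 0))
    except (TypeError, ValueError):
        reset = 0.0  # missing or malformed header: fall back to backoff alone
    # Do not retry before the window resets, and never sleep longer than `cap`.
    return min(cap, max(backoff, reset))


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rand=random.random):
    """Call send() -> (status, headers, body); retry only on HTTP 429."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            sleep(retry_delay(headers, attempt, rand=rand))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


def demo():
    """Constructed exchange: two 429 responses, then a success."""
    responses = iter([
        (429, {"ratelimit-limit": "100", "ratelimit-remaining": "0",
               "ratelimit-reset": "3"}, None),
        (429, {"RateLimit-Reset": "not-a-number"}, None),
        (200, {"ratelimit-remaining": "99"}, {"result": "ok"}),
    ])
    waits = []
    result = call_with_backoff(lambda: next(responses),
                               sleep=waits.append, rand=lambda: 0.0)
    return result, waits
```

Giving up after `max_attempts` surfaces a sustained quota problem to the orchestrator instead of stalling the close workflow silently.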
Instead of building schema translation and token management from scratch, you can use Truto. Truto exposes FloQast's endpoints as ready-to-use MCP tools, dynamically generating schemas based on real-time integration documentation.
How to Generate a FloQast MCP Server with Truto
Truto dynamically generates MCP tools from an integration's resource definitions. A tool only appears if it has an underlying documentation record, ensuring only well-defined endpoints are exposed to the LLM. You can spin up an MCP server for FloQast using either the Truto UI or the API.
Method 1: Via the Truto UI
For administrators and operators, the UI is the fastest way to generate a connection URL.
- Navigate to your Integrated Accounts in the Truto dashboard.
- Select your connected FloQast account.
- Click the MCP Servers tab.
- Click Create MCP Server.
- Select your desired configuration. For auditing, you might want to restrict the server to read-only access by checking the appropriate method filters.
- Click Generate and copy the provided MCP Server URL (e.g., https://api.truto.one/mcp/abc123def456).
Method 2: Via the Truto API
For developers building programmatic onboarding flows, you can generate MCP servers via the Truto API. This creates a secure token stored in a distributed key-value store, binding it to the specific integrated account.
curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "FloQast Audit AI Server",
    "config": {
      "methods": ["read", "update"]
    }
  }'

The API validates that FloQast has tools available, generates a secure token, and returns a ready-to-use URL:
{
  "id": "mcp_9f8e7d6c5b",
  "name": "FloQast Audit AI Server",
  "config": {
    "methods": ["read", "update"]
  },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}

Connecting the FloQast MCP Server to Claude
Once you have your Truto MCP URL, you need to configure your client. The server operates over HTTP POST with JSON-RPC 2.0 messages.
Method A: Via the Claude UI (Desktop/Web)
If you are using Claude's application interface (or similarly, ChatGPT Enterprise):
- Copy your generated MCP server URL.
- In Claude, navigate to Settings -> Integrations -> Add MCP Server (or Custom Connectors).
- Name the connector "FloQast".
- Paste the URL and click Add.
- Claude will automatically initialize the connection, perform a handshake, and fetch the available FloQast tools.
Method B: Via Manual Configuration File
If you are running Claude Desktop and prefer managing configuration as code, you can use the official Server-Sent Events (SSE) transport wrapper provided by the Model Context Protocol SDK.
Open your claude_desktop_config.json file (typically located at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS) and add the server:
{
  "mcpServers": {
    "floqast_compliance": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Restart Claude Desktop. The application will connect to Truto and automatically register the FloQast operations.
Essential FloQast MCP Tools for Claude
Truto normalizes FloQast's API into standardized tools. The query parameters and request bodies are passed as a flat argument object by the LLM, which Truto safely parses and routes to the correct upstream endpoint.
Here are the critical hero tools your AI agent will use for compliance and audit operations.
1. list_all_flo_qast_programs
Description: Lists compliance programs in FloQast.
Contextual Usage: Programs represent the top-level frameworks (e.g., SOX, SOC 2, ISO 27001). Your agent needs this tool to map program names to their internal id values before looking up specific controls.
"Claude, pull a list of all active compliance programs in our FloQast account. I need the internal program IDs for the SOX framework."
2. list_all_flo_qast_controls
Description: Lists controls in FloQast. Accepts optional filters for month, year, activity status, and programId.
Contextual Usage: The workhorse tool for auditing. Because financial APIs require tight scoping, you must prompt the LLM to provide the specific period. The tool schema strictly defines month and year to prevent the LLM from hallucinating query formats.
"Fetch all compliance controls under the SOX program ID prog_123 for October 2023. Filter only for controls that are currently active."
3. get_single_flo_qast_control_by_id
Description: Gets a specific control by its unique id, returning deep metadata including owners, assignees, descriptions, and assertion mapping.
Contextual Usage: Once the agent identifies an anomalous or failed control from the list view, it uses this tool to inspect the full definition and identify the responsible parties for remediation.
"Get the detailed configuration for control ID ctrl_889. I need to see the exact description, the assigned owner, and the frequency of the control."
4. update_a_flo_qast_control_by_id
Description: Updates an existing control in FloQast.
Contextual Usage: Used for remediation workflows. The agent can update control metadata, reassign owners, or adjust descriptions based on changes in compliance policy.
"Update control ctrl_889. Change the description to note that log retention must now be 365 days, and reassign the owner to user usr_554."
5. list_all_flo_qast_checklists
Description: Lists checklist items for a specific month and year, returning completion status, schedule details, and signature assignments.
Contextual Usage: Essential for month-end close reporting. The LLM can retrieve the checklist and cross-reference which teams are lagging on their sign-offs.
"Pull the month-end checklist for November 2023. Identify any items related to 'Payroll' that lack signatures and list the assigned users."
6. list_all_flo_qast_reconciliations
Description: Lists reconciliations for a given period. Requires filter [month] and filter [year]. Returns details including account status and related TLCs (Trial Balance, Ledger, Subledger).
Contextual Usage: Allows the agent to audit the actual financial reconciliation process, checking if ledger balances tie out correctly against subledgers.
"Retrieve all reconciliations for December 2023. Provide a summary of any accounts where the status is not 'Reconciled'."
For the complete inventory of available FloQast endpoints and their exact JSON schema definitions, visit the FloQast integration page.
Workflows in Action
Connecting an LLM to FloQast unlocks powerful, multi-step automation. Here is how specific personas use these tools in practice.
Scenario 1: The Month-End Reconciliation Audit
Persona: Corporate Controller
During the financial close, the Controller needs a rapid summary of trailing checklists and unreconciled accounts. Instead of manually clicking through FloQast, they prompt Claude.
"Review our FloQast instance for the November 2023 close. First, pull the checklist and tell me what tasks are overdue. Second, pull the reconciliations for the same period and summarize any accounts that haven't tied out yet. Flag the owners of the overdue items."
Execution Sequence:
- Claude calls list_all_flo_qast_checklists with arguments {"filter [month]": "11", "filter [year]": "2023"}.
- Claude parses the checklist response, filtering for items missing signatures.
- Claude calls list_all_flo_qast_reconciliations with arguments {"filter [month]": "11", "filter [year]": "2023"}.
- Claude cross-references the data and generates a cohesive status report.
Result: The Controller receives a formatted summary of bottlenecks, identifying exactly which accounts are delaying the close and who is responsible, entirely bypassing the FloQast UI.
Scenario 2: Compliance Control Remediation
Persona: IT Compliance Administrator
Following a policy update, an administrator needs to identify specific controls and update their assignees.
"Find our SOC 2 compliance program. Then pull all active controls for December 2023 under that program. Find the control titled 'Database Access Review' and update its assignee to user ID usr_999."
Execution Sequence:
- Claude calls list_all_flo_qast_programs to find the ID for the SOC 2 program (e.g., prog_soc2).
- Claude calls list_all_flo_qast_controls with arguments {"filter [month]": "12", "filter [year]": "2023", "programId": "prog_soc2"}.
- Claude filters the returned list locally to find the ID of the 'Database Access Review' control (e.g., ctrl_db_42).
- Claude calls update_a_flo_qast_control_by_id passing the id and the new assignee array.
Result: The LLM successfully navigates FloQast's relational hierarchy, discovers the correct internal IDs, and mutates the required record - all driven by a single natural language command.
Security and Access Control
Exposing financial compliance data to an AI model requires strict governance. Truto's MCP servers enforce security at the infrastructure layer, ensuring that you maintain absolute control over what the LLM can see and do.
- Method Filtering: You can explicitly configure the server to block mutation endpoints. Setting methods: ["read"] during server creation guarantees the LLM can only execute GET requests, eliminating the risk of accidental data deletion.
- Tag Filtering: Restrict tool generation to specific integration domains. By providing an array of tags (e.g., tags: ["compliance"]), the server will only generate tools for resources that match those categories, hiding unrelated financial ledgers from the model's context.
- Time-to-Live (Expires At): Use the expires_at property to create ephemeral access. The backend scheduler will automatically execute a cleanup alarm, purging the token from the distributed key-value store and terminating access at the exact millisecond required.
- Dual Authentication Layer: By enabling require_api_token_auth: true, possession of the MCP URL is no longer sufficient. The connecting client must also supply a valid Truto API token in the Authorization header, binding the AI agent's execution strictly to authenticated enterprise users.
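A pre-deployment check over the four settings listed above, as an added example (not Truto's code). The placement of tags and require_api_token_auth inside "config", the ISO 8601 format of expires_at, and the 7-day maximum lifetime are assumptions of this sketch; the sample definitions are constructed from the creation response shown earlier.

```python
from datetime import datetime, timedelta, timezone


def audit_mcp_server(server, now, max_lifetime=timedelta(days=7)):
    """Return least-privilege findings for one MCP server definition."""
    config = server.get("config") or {}
    findings = []

    methods = set(config.get("methods") or [])
    if not methods:
        findings.append("methods: no method filter set")
    elif methods != {"read"}:
        extra = ", ".join(sorted(methods - {"read"}))
        findings.append("methods: non-read access enabled: " + extra)

    if not config.get("tags"):
        findings.append("tags: tools are not restricted by tag")

    expires_at = server.get("expires_at")
    if expires_at is None:
        findings.append("expires_at: no expiry set")
    else:
        # Assumption: ISO 8601 timestamp; naive values are read as UTC.
        when = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when - now > max_lifetime:
            findings.append("expires_at: lifetime exceeds policy maximum")

    # Assumption: the flag may sit at the top level or inside "config".
    if not (server.get("require_api_token_auth")
            or config.get("require_api_token_auth")):
        findings.append("require_api_token_auth: the URL alone grants access")
    return findings


SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
# The creation response shown earlier on this page (URL omitted).
AS_CREATED = {"name": "FloQast Audit AI Server",
              "config": {"methods": ["read", "update"]}, "expires_at": None}
# Constructed hardened variant for a read-only audit session.
HARDENED = {"name": "FloQast Audit AI Server",
            "config": {"methods": ["read"], "tags": ["compliance"],
                       "require_api_token_auth": True},
            "expires_at": "2024-01-03T00:00:00Z"}
```

Run against AS_CREATED it reports all four settings; HARDENED returns an empty list. A remediation workflow that genuinely needs update access should accept the methods finding deliberately rather than suppress the check.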
The Architecture of AI-Driven Compliance
Building an MCP server from scratch means dealing with FloQast's period-locked endpoints, handling hierarchical mapping, and parsing rate limit headers into exponential backoffs. It is an undifferentiated engineering tax that drains resources from core product development.
Using a managed MCP server via Truto eliminates the API boilerplate. You get dynamically generated schemas, normalized pagination, and a self-contained token architecture that natively integrates with Claude.
Stop writing custom API wrappers for your AI agents. Let the protocol handle the plumbing, and let the LLM handle the compliance audits.
FAQ
- How does the MCP server handle FloQast API rate limits?
- Truto does not automatically retry or apply backoff to rate limited requests. If FloQast returns a 429 Too Many Requests error, Truto passes it directly to the caller. It does, however, normalize the limit information into standard headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) so your AI agent can manage its own backoff strategy.
- Can I restrict the FloQast MCP server to read-only access?
- Yes. When generating the MCP server URL via Truto, you can pass a configuration object with specific method filters (e.g., config: { methods: ["read"] }). This ensures the LLM can only execute get and list operations, blocking any create, update, or delete commands.
- Do I have to write custom JSON schemas for FloQast endpoints?
- No. Truto dynamically generates MCP-compliant tool descriptions and JSON schemas directly from the underlying integration documentation. When Claude requests the tool list, Truto builds the necessary query and body schemas on the fly without manual coding.
- How do I revoke Claude's access to FloQast?
- You can delete the MCP server via the Truto UI or the API. Alternatively, you can configure the MCP server with an expires_at timestamp upon creation, and the underlying infrastructure will automatically destroy the token and terminate access at the specified time.