Connect Ironclad to Claude: Orchestrate Legal Tasks and User Groups

If you need to give your AI assistants the ability to draft contracts, audit legal approval pipelines, or manage identity via SCIM, you need to connect Ironclad to your LLM framework. You can achieve this using a Model Context Protocol (MCP) server. If your team uses ChatGPT, check out our guide on connecting Ironclad to ChatGPT or explore our broader architectural overview on connecting Ironclad to AI Agents.

Giving a Large Language Model (LLM) read and write access to a sprawling enterprise contract lifecycle management (CLM) platform is a formidable engineering challenge. You have to handle OAuth 2.0 token lifecycles, parse dynamic workflow schemas into MCP tool definitions, and deal with Ironclad's specific rate limits. Every time an API endpoint shifts, you must update your server code, redeploy, and test.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Ironclad, connect it natively to Claude Desktop or custom agents, and execute complex legal workflows using natural language.

The Engineering Reality of the Ironclad API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against Ironclad's APIs is painful. You are dealing with a platform that splits its logic between highly dynamic workflow endpoints and strict SCIM-compliant identity endpoints.

If you decide to build a custom MCP server for Ironclad, you own the entire API lifecycle. Here are the specific challenges you will face:

Dynamic Workflow Launch Schemas You cannot hardcode a JSON payload to create a contract in Ironclad. Every single workflow template (NDA, MSA, Order Form) has a unique, dynamically generated launch schema. To successfully launch a workflow, your agent must first query the schema API to determine the required fields and data types for that specific template, and then construct a valid payload. Exposing this two-step dance to an LLM requires perfectly crafted system prompts and strictly enforced JSON schema translations in your MCP tool definitions.

Asynchronous Execution Models Ironclad heavily relies on asynchronous processing for workflow creation. When you launch a workflow, especially one that includes file attachments, the API returns a success response immediately while the actual document generation queues in the background. If your agent assumes the contract is instantly ready for download, it will fail. You have to build polling mechanisms or webhook listeners into your custom architecture.

Strict SCIM Pagination and Identity Models Managing users and groups in Ironclad means interfacing with their SCIM (System for Cross-domain Identity Management) API. SCIM has its own specific querying syntax, filtering parameters, and pagination rules that differ entirely from the core workflow APIs. Normalizing these distinct API paradigms into a unified interface for Claude requires significant boilerplate.

Rate Limits and 429 Errors Ironclad enforces strict API rate limits to protect its infrastructure. A common misconception is that middleware should blindly absorb and retry these limits. Truto takes a precise, deterministic approach: Truto does not retry, throttle, or apply backoff on rate limit errors. When the Ironclad API returns an HTTP 429, Truto passes that error directly to the caller. However, Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The caller - your agent - is strictly responsible for interpreting these headers, applying exponential backoff, and retrying the request.

How to Generate an Ironclad MCP Server

Instead of building a custom translation layer from scratch, Truto dynamically derives MCP tools from your integrated Ironclad account's documentation and resource definitions. This generates a production-ready JSON-RPC 2.0 endpoint that any MCP client can connect to.

You can generate the MCP server via the Truto UI or programmatically via the API.

Method 1: Via the Truto UI

For internal tooling and rapid deployment, the UI is the fastest path.

1. Log into your Truto environment and navigate to the integrated account page for your Ironclad connection.
2. Click the MCP Servers tab.
3. Click Create MCP Server.
4. Select your desired configuration (name, allowed methods, specific tool tags, and expiration dates).
5. Copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4e5f6...).

Method 2: Via the Truto API

If you are dynamically provisioning AI capabilities for your end users, you will orchestrate this programmatically. The API validates that tools exist, provisions a secure token in cloud KV storage, and returns a ready-to-use URL.

curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Ironclad Legal Ops Agent",
    "config": {
      "methods": ["read", "write"],
      "require_api_token_auth": false
    }
  }'

The response contains the unique, self-contained MCP server URL:

{
  "id": "mcp_8a9b0c1d",
  "name": "Ironclad Legal Ops Agent",
  "config": { "methods": ["read", "write"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890"
}

Connecting the MCP Server to Claude

Once you have the Truto MCP URL, connecting it to Claude requires zero custom code. The URL acts as the definitive translation layer between the model and Ironclad. You can learn more about this approach in our guide on managed MCP for Claude.

Method A: Via the Claude UI

If you are using Claude Desktop (or the ChatGPT web UI with custom connectors), you can add the server directly through the interface.

1. In Claude Desktop, open Settings -> Integrations -> Add MCP Server.
2. Provide a logical name (e.g., "Ironclad Operations").
3. Paste your Truto MCP server URL into the endpoint field.
4. Click Add.

Claude will immediately ping the endpoint, execute the initialization handshake, and pull down the normalized JSON schemas for every available Ironclad tool.

Method B: Via Manual Config File

For automated deployments or strict local configurations, you can register the server using the standard claude_desktop_config.json file. Because Truto MCP servers operate over standard HTTP POST with Server-Sent Events (SSE) transport, you use the official @modelcontextprotocol/server-sse package as the bridge.

Edit your configuration file (typically located at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "ironclad-truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f67890"
      ]
    }
  }
}

Restart Claude Desktop. The application will initialize the connection and map Ironclad's API surface into native function calls.

Hero Tools for Ironclad

Truto exposes Ironclad's API surface as distinct, descriptive tools. The system normalizes pagination and error handling natively. Here are the most critical operations you can execute out of the box.

list_all_ironclad_workflows

Retrieves the workflows in your Ironclad account. This tool returns deeply nested data, including the workflow ID, title, associated template, current step, and status. It also includes structured schema definitions for all fields used in the workflow.

"Audit our Ironclad account and list the last 10 workflows that are currently stuck in the 'review' step. Summarize the creation dates and the associated templates."

get_single_ironclad_workflow_schema_by_id

Retrieves a single workflow schema from your Ironclad account. This is a mandatory prerequisite tool. Because Ironclad templates require specific dynamic fields (like Counterparty Name or Effective Date), the agent must call this tool to understand the required JSON structure before launching a new workflow.

"Fetch the schema for the Standard Mutual NDA template (ID: 88bb99cc). Tell me exactly which fields are marked as required before I attempt to draft a new contract."

create_a_ironclad_async_workflow

Launches a new Workflow asynchronously. This provides non-blocking performance and is necessary when supplying complex attribute payloads or files. The agent constructs the payload based on the schema retrieved in the previous step.

"Using the schema requirements we just verified, launch a new Standard Mutual NDA workflow. Set the counterparty name to 'Acme Corp' and the effective date to today. Return the new workflow ID once initiated."

ironclad_workflows_cancel

Cancels a workflow by ID. The Ironclad API enforces strict auditing, so this tool requires a comment object in the request body to explain why the workflow is being terminated.

"Cancel workflow ID 'wf_394829'. Provide the cancellation comment: 'Counterparty rejected core terms, moving to manual paper process'."

list_all_ironclad_users

Retrieves all users belonging to the organization via the SCIM interface. Useful for access auditing and mapping employee emails to internal ID strings.

"List all active Ironclad users. Extract their email addresses and check if any contractor domains (@external-agency.com) currently hold active accounts."

list_all_ironclad_groups

Retrieves the list of user groups via SCIM. The response includes details such as the group ID, display name, and a list of group members. This tool is vital for orchestrating RBAC (Role-Based Access Control) audits.

"Fetch all user groups in Ironclad. Identify the group ID for 'Legal Approvers' and list the emails of every current member in that group."

To view the complete inventory of available endpoints, data models, and query parameters, view the Ironclad integration page.

Workflows in Action

Connecting tools to an LLM is only useful if it orchestrates real work. Here is how Claude combines these tools to automate complex, multi-step operations.

Scenario 1: Automating NDA Generation

Legal operations teams spend significant time manually keying data into Ironclad launch forms. You can instruct your AI agent to handle the entire intake and generation process.

"I need to issue an NDA to Globex Corporation. Their primary contact is Jane Doe (jane@globex.com). Please fetch the NDA template schema, figure out the required fields, and launch the workflow. Give me the resulting Workflow ID."

Step-by-step execution:

1. The agent calls list_all_ironclad_workflow_schemas to find the ID of the NDA template.
2. The agent calls get_single_ironclad_workflow_schema_by_id using the retrieved ID to inspect the expected payload (e.g., discovering it needs counterparty_name and counterparty_email).
3. The agent maps the user's natural language input to the required JSON structure.
4. The agent calls create_a_ironclad_async_workflow, injecting the structured attributes.
5. Claude parses the successful HTTP 202 response and outputs the new Workflow ID to the user.

Scenario 2: Identity and Access Audits

IT teams frequently need to ensure that offboarded employees or transitioned team members no longer have access to sensitive legal pipelines.

"Run a security audit on the 'Executive Approvers' group in Ironclad. Cross-reference the members against the general user list, and output a table showing the full names, emails, and active status of everyone in that group."

Step-by-step execution:

1. The agent calls list_all_ironclad_groups to retrieve the directory structure and locates the 'Executive Approvers' entity.
2. The agent parses the array of member IDs nested inside that specific group.
3. The agent calls list_all_ironclad_users (iterating through pagination cursors if necessary) to pull the global user directory.
4. Claude cross-references the member IDs from the group against the global directory to resolve names and emails.
5. The agent formats the final output as a markdown table for the IT admin.

Security and Access Control

Giving an LLM direct access to your contract lifecycle system requires stringent security guardrails. Truto MCP servers provide configuration primitives to lock down the execution environment:

• Method Filtering: Restrict an MCP server to specific HTTP verbs. If you only want an agent to audit users and read workflow statuses, configure the server with methods: ["read"]. This drops create, update, and delete tools from the LLM's context entirely.
• Tag Filtering: Group tools logically. If a server should only manage identity, you can supply tags: ["directory"] to ensure the agent cannot access contract-specific tools.
• Require API Token Auth: By default, possessing the MCP URL grants access. For production agents, set require_api_token_auth: true. The client must then pass a valid Truto API token in the Authorization header, providing a secondary layer of authentication.
• Expiration Controls: Use the expires_at property to generate ephemeral access. You can spin up an MCP server for an automated CI/CD pipeline script and have it mathematically expire an hour later via automated durable object alarms.

Moving Forward with Agentic Integrations

Architecting custom integrations for Ironclad means wrestling with dynamic schemas, abstracting SCIM behaviors, and writing defensive code for rate limit management. Truto abstracts this completely, serving standardized, auto-generated tools directly to your LLM.

Whether you are building internal AI tooling to unblock your legal ops team or embedding legal operations capabilities into a customer-facing AI agent, offloading the infrastructure boilerplate allows you to focus on the intelligence layer.