---
title: "Connect Lenses to Claude: Audit logs, ACLs, and schema governance"
slug: connect-lenses-to-claude-audit-logs-acls-and-schema-governance
date: 2026-07-16
author: Uday Gajavalli
categories: ["AI & Agents"]
excerpt: "A complete engineering guide to connecting Lenses to Claude via a managed MCP server. Automate Kafka ACLs, schema governance, and audit logs using Truto."
tldr: "Learn how to build a managed MCP server for Lenses using Truto to give Claude secure access to Kafka clusters. Covers dynamic tool execution, rate limit handling, ACL generation, and schema governance."
canonical: https://truto.one/blog/connect-lenses-to-claude-audit-logs-acls-and-schema-governance/
---

# Connect Lenses to Claude: Audit logs, ACLs, and schema governance


If you need to connect Lenses to Claude to automate Kafka stream governance, Access Control Lists (ACLs), or Schema Registry administration, you need a [Model Context Protocol (MCP) server](https://truto.one/what-is-mcp-and-mcp-servers-and-how-do-they-work/). This server acts as the translation layer between Claude's tool calls and the Lenses REST API. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL. If your team uses ChatGPT, check out our guide on [connecting Lenses to ChatGPT](https://truto.one/connect-lenses-to-chatgpt-manage-kafka-clusters-and-data-pipelines/) or explore our broader architectural overview on [connecting Lenses to AI Agents](https://truto.one/connect-lenses-to-ai-agents-automate-kafka-connect-and-sql-streams/).

Giving a Large Language Model (LLM) read and write access to a sprawling enterprise ecosystem like Lenses - which manages your entire Kafka DataOps footprint - is an engineering challenge. You have to handle service account lifecycles, map massive JSON schemas for stream processors to MCP tool definitions, and deal with strict security perimeters. Every time Lenses updates an endpoint, you have to update your server code, redeploy, and test the integration. This guide breaks down exactly how to use Truto to generate a secure, [managed MCP server](https://truto.one/managed-mcp-for-claude-full-saas-api-access-without-security-headaches/) for Lenses, connect it natively to Claude, and execute complex governance workflows using natural language.

## The Engineering Reality of the Lenses API

A custom MCP server is a self-hosted integration layer. While the [open MCP standard](https://truto.one/what-is-mcp-and-mcp-servers-and-how-do-they-work/) provides a predictable way for models to discover tools, the reality of implementing it against the Lenses API is painful. Lenses is an infrastructure-grade control plane. You are not just dealing with generic CRUD - you are dealing with Kafka Connect lifecycles, Avro/Protobuf schema compatibility matrices, and deeply nested RBAC policies.

If you decide to build a custom MCP server for Lenses, you own the entire API lifecycle. Here are the specific challenges you will face:

**Strict RBAC and ACL Definitions**
Kafka ACLs in Lenses require exact string formatting for principals (e.g., `User:service-account-123`), specific host IPs, and explicit operation enumerations (`Read`, `Write`, `IdempotentWrite`). If you expose an unconstrained API endpoint to Claude, the model will frequently hallucinate permission strings or omit required host definitions, resulting in upstream 400 errors. A proper MCP layer needs strictly typed JSON schemas derived directly from Lenses documentation to force the LLM into returning valid payloads.

**Schema Registry Idiosyncrasies**
Managing a Schema Registry via API requires parsing and validating deeply nested JSON or Avro payload strings before submission. When an LLM attempts to register a new schema version, it must specify the exact compatibility level (`BACKWARD`, `FORWARD`, `FULL`) and subject name conventions. If the LLM generates malformed JSON inside the schema string payload, Lenses will reject the request. 

**Rate Limits and Streaming Metrics**
Fetching partition offsets, audit logs, or streaming consumer group metrics at scale triggers rate limits. Lenses enforces quota policies to protect the underlying broker health. It is critical to note that Truto does not retry, throttle, or apply backoff on rate limit errors. When the Lenses upstream API returns an HTTP 429, Truto passes that error straight to the caller. Truto normalizes upstream rate limit info into standardized headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`) per the IETF spec. The caller is responsible for retry and backoff logic. Do not expect the MCP server to magically absorb rate limits; your agent framework must handle the HTTP 429s correctly.

Instead of building all this custom parsing and token management from scratch, Truto dynamically generates MCP tools based on Lenses documentation records, standardizing the schemas and managing the authentication proxy layer automatically.

## How to Generate a Lenses MCP Server with Truto

Truto creates MCP servers dynamically. The tool list is generated from actual API documentation records, meaning an endpoint is only exposed to Claude if it has a documented schema. This serves as a quality gate, preventing LLMs from guessing how an undocumented endpoint works. 

You can generate the MCP server URL through the Truto dashboard or programmatically via the API.

### Method 1: Via the Truto UI

This is the fastest method for internal tooling and testing.

1. Navigate to the integrated account page for your connected Lenses instance.
2. Click the **MCP Servers** tab.
3. Click **Create MCP Server**.
4. Configure your filters. For example, you might want to restrict the server to only allow `read` operations to prevent Claude from accidentally deleting a Kafka topic.
5. Click Save and copy the generated MCP server URL (e.g., `https://api.truto.one/mcp/a1b2c3d4e5f6...`).

### Method 2: Via the Truto API

If you are provisioning MCP servers for your end-users dynamically, you will use the REST API. The API validates the configuration, generates a cryptographically hashed token, stores it in distributed edge storage, and returns a ready-to-use URL.

```typescript
// POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp

const response = await fetch(
  'https://api.truto.one/integrated-account/xyz-789/mcp',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${TRUTO_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      name: "Lenses Governance MCP",
      config: {
        methods: ["read", "write"], // Filter to specific methods
        tags: ["audit", "acls"]     // Only expose tools related to security
      },
      expires_at: "2025-12-31T23:59:59Z" // Optional automated cleanup
    })
  }
);

const mcpServer = await response.json();
console.log(mcpServer.url); // Pass this URL to Claude
```

## How to Connect the MCP Server to Claude

Once you have the Truto MCP URL, you need to register it with Claude. Because the Truto URL contains a cryptographic token mapped to a specific tenant's Lenses environment, no extra authentication headers are required by default. 

### Method A: Via the Claude UI

If you are using Claude Desktop or ChatGPT for Teams, you can add the server directly via the interface.

**For Claude Desktop:**
1. Open Claude Desktop.
2. Go to **Settings -> Integrations -> Add MCP Server**.
3. Paste the Truto MCP Server URL.
4. Click **Add**.

**For ChatGPT (Developer Mode):**
1. Go to **Settings -> Apps -> Advanced settings**.
2. Enable **Developer mode**.
3. Under MCP servers / Custom connectors, click **Add new**.
4. Provide a name (e.g., "Lenses DataOps") and paste the Truto URL.

### Method B: Via Manual Config File

If you are deploying Claude Desktop programmatically or running headless environments, you can inject the server via the `claude_desktop_config.json` file. Truto provides an SSE transport proxy via the `@modelcontextprotocol/server-sse` package.

```json
{
  "mcpServers": {
    "lenses_governance": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}
```

Restart Claude Desktop. The application will handshake with the Truto router, dynamically request the `tools/list`, and inject the Lenses capabilities into the agent context.

## Security and Access Control

Exposing Lenses to an autonomous model requires strict blast-radius controls. Truto handles this at the token layer, simplifying how you [manage auth and tool sharing](https://truto.one/handling-auth-tool-sharing-in-multi-agent-frameworks-via-mcp/) across complex infrastructure:

*   **Method Filtering:** Restrict servers to specific operation types (`config.methods: ["read"]`). If Claude attempts to hallucinate a `create` tool call, the request is blocked at the routing layer before it ever reaches Lenses.
*   **Tag Filtering:** Group Lenses resources by tags (e.g., `config.tags: ["compliance"]`). This ensures the LLM only sees the tools relevant to its specific workflow, saving context window tokens and reducing error surface.
*   **Extra Authentication:** For sensitive deployments, set `require_api_token_auth: true`. This forces the caller to provide a valid Truto API token in the `Authorization` header on top of the URL token, adding defense-in-depth.
*   **Automated Expiry:** Using the `expires_at` property registers a scheduled cleanup task. Once the timestamp is reached, the token is automatically purged from edge storage and the database, instantly revoking the LLM's access.

## Lenses Hero Tools for Claude

Truto automatically translates Lenses endpoints into flat, LLM-friendly schemas. Here are the highest-leverage tools available for your AI agents.

### list_all_lenses_audit_logs

Extracts immutable audit log records from Lenses. This is critical for SOC 2 evidence collection, tracking exactly which principal executed specific queries or altered ACLs. 

> "Fetch the Lenses audit logs from the past 24 hours specifically looking for any 'DELETE' operations on topics, and summarize which service accounts performed them."

### lenses_proxy_acls_bulk_update

Creates or updates Kafka Access Control Lists. This tool requires the LLM to format the principal, resource type, and operation permissions according to Kafka's strict security standards.

> "Create a new Kafka ACL granting the service account 'User:analytics-consumer' read access to the 'transactions.live' topic from any host."

### create_a_lenses_current_version

Registers a new Schema Registry version for a specific subject. The LLM can draft the Avro schema based on a plain-text data structure request and push it to Lenses.

> "I need to track 'event_timestamp' and 'user_id' in our clickstream data. Draft a backward-compatible Avro schema for the 'clickstream-value' subject and register it in Lenses."

### lenses_user_groups_bulk_update

Assigns a Lenses user to exactly the provided groups, enforcing strict RBAC synchronization. This removes them from any groups not explicitly listed in the payload.

> "Update the Lenses user 'jdoe' to only be a member of the 'DataEngineering' and 'Read-Only' groups, stripping any other administrative access."

### create_a_lenses_protection_policy

Creates data governance policies. You can instruct Claude to define obfuscation rules for PII fields across all Kafka topics, ensuring sensitive data is masked before consumers read it.

> "Create a new data protection policy in Lenses named 'Mask-PII' that applies a SHA-256 hash obfuscation to any field named 'credit_card' or 'ssn' across all datasets."

### list_all_lenses_kafka_connect_connectors

Retrieves the current state and configuration of all Kafka Connect connectors running in the environment, useful for troubleshooting failed pipelines.

> "List all Kafka Connect connectors in the primary cluster and identify any that are currently in a 'FAILED' or 'PAUSED' state."

For the complete inventory of Lenses tools, including Kafka topic management, data querying, and K2K application endpoints, review the [Lenses integration page](https://truto.one/integrations/detail/lenses).

## Workflows in Action

When Claude is equipped with the Lenses MCP server, you can orchestrate multi-step data governance tasks natively.

### Scenario 1: Automated Security Audits and RBAC Remediation

IT Admins frequently need to verify that users have not accumulated excessive permissions and check audit logs for anomalies.

> "Audit the Lenses environment. Find any user in the 'Admin' group who has executed a destructive query in the last 7 days. If you find one, downgrade them to 'Read-Only' and output an incident summary."

1.  **list_all_lenses_groups** - Claude identifies the internal ID for the `Admin` group.
2.  **list_all_lenses_users** - Claude retrieves all users and filters for those matching the `Admin` group ID.
3.  **list_all_lenses_audit_logs** - Claude fetches recent logs, filtering by the identified Admin principals and searching for DROP/DELETE operation signatures.
4.  **lenses_user_groups_bulk_update** - If a violation is found, Claude immediately updates the user's group array to only contain the `Read-Only` group.

The LLM processes the pagination and filtering entirely on its own, providing the administrator with a clean incident report and executing the remediation instantly.

```mermaid
sequenceDiagram
    participant User as IT Admin
    participant Claude as Claude Desktop
    participant MCP as Truto MCP Server
    participant Lenses as Lenses API

    User->>Claude: "Audit Admins and downgrade violators"
    Claude->>MCP: Call list_all_lenses_users
    MCP->>Lenses: GET /api/v1/users
    Lenses-->>MCP: Return users array
    MCP-->>Claude: JSON response
    Claude->>MCP: Call list_all_lenses_audit_logs
    MCP->>Lenses: GET /api/v1/audit
    Lenses-->>MCP: Return logs
    MCP-->>Claude: JSON response
    Claude->>MCP: Call lenses_user_groups_bulk_update
    MCP->>Lenses: PUT /api/v1/users/{user}/groups
    Lenses-->>MCP: 200 OK
    MCP-->>Claude: Success
    Claude-->>User: "Downgraded 1 user. Report attached."
```

### Scenario 2: Developer Self-Service Topic Provisioning

Data engineering teams often bottleneck on tickets requesting new Kafka topics, corresponding schemas, and ACLs. Claude can act as an intelligent self-service bot.

> "I need a new Kafka topic called 'payment-events' with 6 partitions. Generate a secure Avro schema for it containing transaction_id and amount. Finally, grant the 'billing-service' service account write access to this topic."

1.  **create_a_lenses_proxy_topic** - Claude provisions the Kafka topic with the requested 6 partitions.
2.  **create_a_lenses_current_version** - Claude drafts the Avro schema syntax for the `payment-events-value` subject and submits it to the Schema Registry.
3.  **lenses_proxy_acls_bulk_update** - Claude formulates the exact principal string for the `billing-service` and registers an `Allow` `Write` ACL for the new topic.

Instead of submitting three separate Jira tickets to CloudOps, Data Architecture, and Security, the developer gets a fully provisioned, governed streaming resource in seconds.

## Scaling AI Integrations

Connecting an LLM to a complex data operations platform like Lenses requires more than just passing an API key. You have to handle rate limit architectures, dynamic tool discovery, strict input schemas, and [handling auth and tool sharing](https://truto.one/handling-auth-tool-sharing-in-multi-agent-frameworks-via-mcp/) safely. Truto abstracts these complexities into a single managed MCP endpoint, letting your engineering team focus on building the agent's core logic rather than maintaining boilerplate integration code.

:::cta{buttonText="Talk to us" buttonUrl="https://cal.com/truto/partner-with-truto"} 
Ready to connect your AI agents to enterprise streaming platforms? Talk to our engineering team today.
:::
