Connect SendGrid to Claude: Manage IPs, Domains, and Teammates

If you need to connect SendGrid to Claude to automate domain authentication, scale IP pools, and administer teammate access, you need a Model Context Protocol (MCP) server. This server acts as a translation layer, mapping Claude's JSON-RPC tool calls into secure REST API requests against SendGrid. If your team uses ChatGPT, check out our guide on connecting SendGrid to ChatGPT or explore our broader architectural overview on connecting SendGrid to AI Agents.

Giving a Large Language Model (LLM) read and write access to a sprawling email infrastructure platform like Twilio SendGrid is an engineering challenge. SendGrid's API is incredibly powerful, but it requires strict adherence to IP assignment rules, complex subuser impersonation, and specific domain validation sequences. Every time an API schema shifts, you have to update your server code, redeploy, and test the integration.

This guide breaks down exactly how to use Truto to dynamically generate a secure, authenticated MCP server for SendGrid, connect it natively to Claude, and execute complex deliverability workflows using natural language.

The Engineering Reality of the SendGrid API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against SendGrid's APIs is painful.

If you decide to build a custom MCP server for SendGrid, you own the entire integration lifecycle. Here are the specific challenges you will face when mapping SendGrid to an LLM:

Subuser Architecture and Impersonation Enterprise SendGrid accounts heavily utilize subusers to isolate sending reputation across different departments or tenant environments. Interacting with subuser data requires specific On-Behalf-Of header impersonation logic. Exposing this complexity directly to an LLM usually results in context loss or failed API calls, as the model struggles to consistently map subuser IDs to the correct operational headers. If you are building for a platform with many users, you should consider how to architect a multi-tenant MCP server to handle these requirements.

Aggressive Deliverability Operations SendGrid's global suppression, bounce, and spam report endpoints are notoriously unforgiving. A hallucinated array passed to a block deletion endpoint can wipe out thousands of suppression records, immediately tanking your domain reputation. You have to build strict schema validation between the LLM and the API to prevent catastrophic data loss.

Rate Limiting and Retry Handling SendGrid enforces varied rate limits depending on the endpoint category (e.g., mail send vs. marketing contacts vs. IP management). When an AI agent loops through paginated subuser statistics, it will hit an HTTP 429 Too Many Requests error. Truto does not absorb or automatically retry these errors. Instead, Truto passes the 429 error directly to Claude, while normalizing the upstream rate limit data into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). This allows the LLM - or your agent orchestration framework - to read the headers and execute intelligent backoff logic.

Instead of building this infrastructure from scratch, you can use Truto. Truto normalizes authentication and pagination, exposing SendGrid's native endpoints as ready-to-use, documented MCP tools.

How to Generate a SendGrid MCP Server with Truto

Truto dynamically derives tool definitions directly from the SendGrid API schemas. When you generate an MCP server, Truto creates a self-contained endpoint bound to a specific SendGrid account.

You can generate this server via the Truto UI or programmatically via the API.

Method 1: Generating via the Truto UI

For ad-hoc agent configuration, you can generate an MCP server directly from the dashboard.

1. Log into your Truto environment and navigate to your connected SendGrid integrated account.
2. Click the MCP Servers tab.
3. Click Create MCP Server.
4. Configure your permissions (e.g., restrict to read operations or specific tags like deliverability).
5. Copy the generated MCP server URL. This URL contains a secure, hashed token.

Method 2: Generating via the API

For production workflows, you should generate MCP servers programmatically. This allows you to spin up ephemeral servers on demand.

Make a POST request to /integrated-account/:id/mcp. You can pass a config object to filter which tools are exposed to the LLM.

curl -X POST https://api.truto.one/integrated-account/{account_id}/mcp \
  -H "Authorization: Bearer <YOUR_TRUTO_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SendGrid Deliverability Agent",
    "config": {
      "methods": ["read", "write"],
      "require_api_token_auth": false
    }
  }'

The API provisions the server and returns the endpoint URL:

{
  "id": "mcp_srv_9a8b7c6d5e4f",
  "name": "SendGrid Deliverability Agent",
  "config": { "methods": ["read", "write"] },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/tkn_xyz123abc456..."
}

Connecting the SendGrid MCP Server to Claude

Once you have the server URL, you need to register it with your Claude client. You can do this through the Claude application UI or by modifying the background configuration file. For an overview of how this works at scale, read more about managed MCP for Claude.

Method 1: Via the Claude UI

Anthropic natively supports remote MCP servers.

1. Open Claude Desktop or the web interface.
2. Navigate to Settings - Integrations (or Connectors depending on your tier).
3. Click Add MCP Server or Add Custom Connector.
4. Give it a label (e.g., "SendGrid Infra").
5. Paste the Truto MCP URL into the endpoint field and click Add.

Claude will immediately ping the endpoint, execute the tools/list RPC protocol, and cache the available SendGrid operations.

Method 2: Via Manual Configuration File

If you are deploying Claude Desktop in a managed IT environment or want to configure it via code, you can update the claude_desktop_config.json file directly.

Because Truto exposes a standard SSE (Server-Sent Events) transport layer for remote servers, you use the @modelcontextprotocol/server-sse package as the command wrapper.

{
  "mcpServers": {
    "sendgrid_infrastructure": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/tkn_xyz123abc456..."
      ]
    }
  }
}

Restart Claude Desktop. The model now has real-time access to your SendGrid environment.

Hero Tools for SendGrid Infrastructure

Truto exposes over a hundred SendGrid endpoints as MCP tools. For IT administrators and DevOps teams connecting SendGrid to Claude, here are the most powerful tools available for infrastructure management.

list_all_send_grid_subusers

Retrieves a paginated list of all subusers in your SendGrid architecture. This is critical for auditing which departments or tenants have active sending capabilities.

Usage note: Use this tool to identify orphaned subusers or check basic metadata before drilling down into specific subuser statistics.

"Claude, list all active subusers in our SendGrid account and format them into a markdown table with their usernames and email addresses."

get_single_send_grid_ip_address_management_by_id

Fetches deep telemetry on a specific IP address, including its assignment status, warmup setting, associated IP Pools, and lease status.

Usage note: Essential for diagnosing deliverability drops. If an IP is unintentionally stuck in auto-warmup mode, its throughput will be artificially throttled.

"Check the IP address management details for 192.0.2.50. Is it currently assigned to an IP pool, and is the auto-warmup feature enabled?"

update_a_send_grid_enforced_tl_by_id

Modifies the Enforced TLS settings for your account. You can force SendGrid to require TLS 1.1+ and a valid certificate from recipient mail servers.

Usage note: Use this for continuous compliance workflows. An agent can regularly audit and enforce strict TLS requirements for sensitive financial or healthcare sending accounts.

"Update our SendGrid account security settings to enforce TLS. Set require_tls to true and require_valid_cert to true."

list_all_send_grid_global_suppressions

Retrieves a list of globally suppressed email addresses. These are contacts who have completely unsubscribed from your infrastructure or bounced heavily.

Usage note: This tool handles pagination automatically. Claude will use standard limit and offset cursors to iterate through large suppression lists.

"Pull the most recent global suppressions from SendGrid. Show me the first 50 email addresses that are currently blocked from receiving mail."

create_a_send_grid_teammate

Invites a new teammate to your SendGrid organization, specifying their email, administrative status, and granular permission scopes.

Usage note: The scopes array requires exact SendGrid permission strings (e.g., user.profile.read, alerts.create).

"Invite devops-lead@company.com as a new SendGrid teammate. Do not grant them full admin status, but give them access to read IP management data."

list_all_send_grid_authenticated_domains

Returns a paginated list of all domains configured for Sender Authentication. It includes DNS records and current validation status.

Usage note: This is your primary tool for monitoring DNS drift. If a marketing team accidentally deletes a CNAME record, this endpoint will flag the domain as unauthenticated.

"Check our authenticated domains in SendGrid. Are there any domains where the authentication status is currently invalid or pending?"

To view the complete inventory of SendGrid endpoints, JSON schemas, and query parameters, visit the SendGrid integration page.

Workflows in Action

Once Claude is connected to your SendGrid MCP server, you can orchestrate multi-step infrastructure workflows using natural language.

Workflow 1: Auditing Domain and IP Reputation Infrastructure

DevOps teams need to regularly ensure that all sending domains are authenticated and IP pools are correctly assigned.

"Claude, run an audit on our SendGrid infrastructure. First, check all authenticated domains and list any that are failing validation. Then, pull our assigned IP addresses and tell me which subusers are tied to them."

How Claude executes this:

1. Calls list_all_send_grid_authenticated_domains to pull the active DNS configurations.
2. Filters the returned array for any domains where the status is not 'valid'.
3. Calls list_all_send_grid_ip_address to retrieve the list of assigned IPs.
4. Formats the findings into an operational summary report, explicitly flagging unauthenticated domains that risk hitting spam traps.

Workflow 2: Provisioning a New Developer Team Environment

When onboarding a new engineering team that needs programmatic email access, an agent can handle the rote configuration tasks.

"Provision access for a new backend developer at jane.doe@company.com. Invite them as a teammate in SendGrid. Then, verify that our account is strictly enforcing TLS connections for security compliance."

How Claude executes this:

1. Calls create_a_send_grid_teammate passing email: "jane.doe@company.com", isAdmin: false, and an array of necessary developer scopes.
2. Calls get_single_send_grid_enforced_tl_by_id to audit current TLS settings.
3. If TLS is disabled, it calls update_a_send_grid_enforced_tl_by_id to set require_tls to true.
4. Returns a confirmation that the invite was sent and TLS compliance is enforced.

sequenceDiagram
    participant User
    participant Claude
    participant Truto MCP
    participant SendGrid

    User->>Claude: "Provision Jane Doe and enforce TLS"
    Claude->>Truto MCP: call create_a_send_grid_teammate
    Truto MCP->>SendGrid: POST /v3/teammates
    SendGrid-->>Truto MCP: 201 Created (Invite sent)
    Truto MCP-->>Claude: Success payload
    Claude->>Truto MCP: call update_a_send_grid_enforced_tl
    Truto MCP->>SendGrid: PATCH /v3/user/settings/enforced_tls
    SendGrid-->>Truto MCP: 200 OK
    Truto MCP-->>Claude: Updated settings
    Claude->>User: "Invite sent and TLS is enforced."

Workflow 3: Investigating Deliverability Drops via Suppressions

If you receive alerts about a sudden drop in email delivery rates, the agent can correlate suppression data with subuser statistics.

"We have an issue with email deliverability today. Check the monthly stats for our subusers to see who has the highest bounce rate, then pull the most recent global suppressions so we can investigate the blocked addresses."

How Claude executes this:

1. Calls list_all_send_grid_subusers_stats_monthly for the current date string to fetch aggregated metrics (bounces, blocks, spam reports) across all subusers.
2. Analyzes the JSON array to identify which specific subuser is generating the anomaly.
3. Calls list_all_send_grid_global_suppressions to fetch the recent list of completely blocked email targets.
4. Presents a root-cause analysis detailing the offending subuser and a sample of the blocked addresses.

Security and Access Control

Exposing an enterprise SendGrid environment to an AI agent requires strict governance. Truto provides four architectural controls at the MCP server level to ensure your agent operates with least-privilege access:

• Method Filtering: Configure the server to only allow specific operation types. Setting methods: ["read"] ensures the LLM can query domain status and subusers, but physically cannot execute POST or DELETE requests.
• Tag Filtering: Restrict tools by functional domain. If you only want the agent to manage teammates, you can filter tools to only expose endpoints tagged for directory or RBAC management.
• Require API Token Auth: By setting require_api_token_auth: true, the generated MCP URL is not sufficient on its own. The connecting client must also pass a valid Truto API token in the Authorization header. This prevents unauthorized network actors from using the server if the URL leaks.
• Automatic Expiration: You can pass an expires_at ISO datetime when generating the server. Truto schedules a durable cleanup alarm that permanently deletes the server, its configuration, and its KV tokens at the exact timestamp. This is ideal for ephemeral CI/CD agents or temporary contractor access.

Summary

Managing SendGrid via an AI agent transforms reactive infrastructure tasks - like investigating bounced emails, rotating IP pools, and auditing DNS records - into natural language workflows.

Building this connectivity from scratch forces you to deal with subuser impersonation headers, complex pagination logic, and strict 429 rate limit management. By using Truto's dynamic MCP server generation, you offload the REST translation and authentication boilerplate. Your engineering team can focus entirely on prompting Claude to orchestrate secure, reliable email infrastructure operations.