---
title: "Connect Sprinto to ChatGPT: Manage Evidence and Compliance Checks"
slug: connect-sprinto-to-chatgpt-manage-evidence-and-compliance-checks
date: 2026-07-16
author: Nachi Raman
categories: ["AI & Agents"]
excerpt: "Learn how to connect Sprinto to ChatGPT using Truto's managed MCP server. Automate evidence uploads, manage staff compliance scopes, and query workflow checks with AI agents."
tldr: "Connect Sprinto to ChatGPT via Truto's MCP Server to automate compliance tasks. This guide covers managing staff scopes, uploading evidence, handling Sprinto's API rate limits, and executing AI workflows."
canonical: https://truto.one/blog/connect-sprinto-to-chatgpt-manage-evidence-and-compliance-checks/
---

# Connect Sprinto to ChatGPT: Manage Evidence and Compliance Checks


You want to connect Sprinto to ChatGPT so your AI agents can manage compliance scopes, audit workflow checks, and upload security evidence without forcing your team to navigate complex GRC dashboards. If your team uses Claude, check out our guide on [connecting Sprinto to Claude](https://truto.one/connect-sprinto-to-claude-automate-staff-scoping-and-verifications/) or explore our broader architectural overview on [connecting Sprinto to AI Agents](https://truto.one/connect-sprinto-to-ai-agents-orchestrate-security-audit-workflows/).

Automating a Governance, Risk, and Compliance (GRC) platform is an engineering challenge. Giving a Large Language Model (LLM) read and write access to your Sprinto instance requires an integration layer that translates an LLM's natural language tool calls into structured REST API requests. 

You either spend weeks building, hosting, and maintaining a custom server, or you use a managed infrastructure layer to handle the boilerplate. This guide breaks down exactly how to use Truto to dynamically generate a secure Model Context Protocol (MCP) server for Sprinto, connect it natively to ChatGPT, and execute complex security workflows using natural language.

## The Engineering Reality of the Sprinto API

A custom MCP server is a self-hosted integration layer. While Anthropic's [open MCP standard](https://truto.one/what-is-mcp-and-mcp-servers-and-how-do-they-work/) provides a predictable way for models to discover tools over JSON-RPC, implementing it against specific vendor APIs is painful. If you decide to build a custom MCP server for Sprinto, you own the entire API lifecycle. Here are the specific integration challenges you will face:

**State Lifecycle and Staff Scoping**
In Sprinto, staff members are not just passive records. Marking a user as "in scope" (`sprinto_staff_members_mark_in_scope`) actively maps them against configured controls and triggers automated security tasks like mandatory policy acceptance and security training. If your AI agent lacks precise schema definitions and accidentally scopes in a batch of temporary contractors, you instantly fail compliance checks and skew your audit readiness. Your integration must strictly define the required parameters and map them accurately to avoid cascading state failures.

**Complex Evidence Uploads**
Uploading evidence for a workflow check or a background verification report requires handling file payloads alongside metadata. You are not just passing JSON strings. An LLM cannot natively formulate the required multi-part form data or binary uploads without a precise proxy wrapper. The MCP tool must define exact schemas for `evidenceFile` and `evidenceRecordDate`, ensuring the LLM knows exactly what file references to pass to the integration layer.

**Strict Rate Limits and Aggressive Pagination**
When preparing for an audit, an LLM might attempt to read hundreds of workflow checks at once. Sprinto enforces strict rate limits to protect its infrastructure. If an AI agent attempts to pull too much data, Sprinto will reject the requests with an HTTP 429 error.

**Factual note on rate limits:** Truto does not retry, throttle, or apply exponential backoff on rate limit errors. When the upstream Sprinto API returns an HTTP 429, Truto passes that exact error back to the caller. Truto normalizes the upstream rate limit information into standardized IETF headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`). The caller - in this case, your AI agent framework or ChatGPT client - is entirely responsible for reading these headers and implementing its own retry or backoff logic. Do not assume the integration layer will magically absorb rate limits.

Furthermore, querying massive lists requires rigid cursor-based pagination. You must explicitly instruct the LLM to pass cursor values back unchanged to fetch the next set of records, or the agent will get stuck in an infinite loop reading the first page of compliance checks over and over.

## Generating the Managed MCP Server

Instead of writing the JSON-RPC translation layer from scratch, you can use Truto to [dynamically generate an MCP server](https://truto.one/how-do-mcp-servers-auto-generate-tools-from-api-documentation/). The server derives its tool definitions directly from Sprinto's API documentation, meaning tools are only exposed if they have validated schemas. 

You can generate the MCP server in two ways: via the Truto UI or programmatically via the API.

### Method 1: Via the Truto UI

For one-off agents or internal testing, the UI is the fastest path:

1. Navigate to the **Integrated Accounts** page in your Truto dashboard.
2. Select your connected Sprinto account.
3. Click the **MCP Servers** tab.
4. Click **Create MCP Server**.
5. Select your desired configuration (name, allowed methods, tags, and expiration).
6. Copy the generated MCP server URL (e.g., `https://api.truto.one/mcp/a1b2c3d4e5f6...`).

### Method 2: Via the Truto API

If you are provisioning AI agents programmatically for your customers, you will use the API. This endpoint generates a secure, hashed token and returns a ready-to-use JSON-RPC 2.0 URL.

**Request:**
```bash
curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Sprinto Compliance Agent",
    "config": {
      "methods": ["read", "write"],
      "tags": ["compliance", "staff"]
    },
    "expires_at": "2026-12-31T23:59:59Z"
  }'
```

**Response:**
```json
{
  "id": "abc-123-def-456",
  "name": "Sprinto Compliance Agent",
  "config": {
    "methods": ["read", "write"],
    "tags": ["compliance", "staff"]
  },
  "expires_at": "2026-12-31T23:59:59Z",
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f6..."
}
```

This URL is fully self-contained. The cryptographic token in the URL path encodes the linked Sprinto account, the tool filters, and the expiration time. 

## Connecting the MCP Server to ChatGPT

Once you have your MCP server URL, you must connect it to your LLM client. You can do this natively in ChatGPT's interface, or by configuring a standard MCP client via a config file.

### Method A: Via the ChatGPT UI

ChatGPT natively supports MCP servers as [Custom Connectors](https://truto.one/bring-100-custom-connectors-to-chatgpt-with-superai-by-truto/).

1. Log in to ChatGPT and navigate to **Settings** -> **Apps** -> **Advanced settings**.
2. Enable **Developer mode** (MCP support requires this toggle to be active).
3. Under **MCP servers / Custom connectors**, click **Add new server**.
4. Enter a recognizable name (e.g., "Sprinto Compliance").
5. Paste the Truto MCP server URL into the **Server URL** field.
6. Click **Save**.

ChatGPT will immediately perform an initialization handshake with the URL, discover the Sprinto tools, and make them available in your chat context. 

### Method B: Via Manual Config File (Claude Desktop / CLI)

If you are using a local MCP client, an agent framework, or Claude Desktop, you connect the server using a JSON configuration file. You instruct the client to use the official MCP Server SSE transport to connect to the Truto endpoint.

Add this to your `mcp_config.json` (or `claude_desktop_config.json`):

```json
{
  "mcpServers": {
    "sprinto_compliance": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}
```

## Security and Access Control

Giving an LLM access to your compliance platform requires strict boundaries. Truto MCP servers enforce access control at the token generation layer:

*   **Method Filtering (`methods`)**: Restrict the server to specific operation types. Set `methods: ["read"]` to allow the LLM to query workflow checks without the ability to modify staff scopes or upload files.
*   **Tag Filtering (`tags`)**: Group tools by functional area. By setting `tags: ["evidence"]`, the LLM will only see tools related to evidence uploads, hiding unrelated endpoints.
*   **Dual-Layer Authentication (`require_api_token_auth`)**: By default, the MCP URL acts as a bearer token. If you enable this flag, the client must also pass a valid Truto API token in the Authorization header. This ensures that even if the URL leaks in a log file, the tools cannot be executed by unauthorized users.
*   **Ephemeral Access (`expires_at`)**: Generate time-bound servers for temporary audits. Once the ISO datetime is reached, the underlying KV storage drops the token and a scheduled alarm cleans up the database record, ensuring zero lingering access.

## Sprinto Hero Tools

When the LLM connects, Truto dynamically generates highly descriptive tools based on Sprinto's API schemas. The LLM receives a flat input namespace, meaning it simply passes arguments, and the server automatically routes them into the correct query parameters or request body.

Here are the critical tools for automating Sprinto.

### list_all_sprinto_workflow_checks

This tool retrieves a paginated list of workflow checks across your organization. It returns edges containing the check's `pk` (primary key) and title, along with a cursor string.

**Contextual usage notes:** The LLM must pass the exact cursor string back to fetch subsequent pages. Because of rate limits, if the LLM attempts to paginate too aggressively, it must handle the resulting 429 headers and retry accordingly.

> "List all active workflow checks in Sprinto. If there are multiple pages, use the cursor to fetch the first three pages, then summarize the titles of the checks that require manual evidence."

### create_a_sprinto_background_verification_report

Uploads a background verification report for a specific staff member. This satisfies critical HR security controls.

**Contextual usage notes:** The agent must provide the user's `email`, the `verificationCompletedOn` timestamp, and the `verificationReportFile` reference. 

> "Upload this PDF as the background verification report for engineering-contractor@company.com. Set the completion date to today."

### create_a_sprinto_workflow_check_evidence

Submits artifacts as evidence for a specific compliance workflow check. It returns the updated `evidenceStatus` of the check.

**Contextual usage notes:** You must first obtain the `workflowCheckPk` using the list tool. The agent needs to pass the primary key, the `evidenceRecordDate`, and the `evidenceFile`.

> "Find the workflow check titled 'Q3 AWS Architecture Diagram' and upload the attached image as evidence, setting the record date to yesterday."

### sprinto_staff_members_mark_in_scope

Includes a staff member account in the audit compliance scope. This maps them against configured controls and triggers automated checks.

**Contextual usage notes:** Requires the user's `email`. This is a consequential action that alters the user's state in Sprinto and kicks off mandatory tasks. 

> "Mark alice.chen@company.com as in-scope for compliance so she receives her security training assignments."

### sprinto_staff_members_mark_not_in_scope

Excludes a staff member from the audit compliance scope, preventing Sprinto from tracking security tasks for that account.

**Contextual usage notes:** Requires the `email` and an optional `reason` for the exclusion (e.g., "Temporary external contractor without production access").

> "Mark external-auditor@company.com as not in-scope and add the reason 'Temporary external read-only auditor'."

For the complete inventory of available tools, schemas, and endpoints, visit the [Sprinto integration page](https://truto.one/integrations/detail/sprinto).

## Workflows in Action

Here is how an AI agent uses these tools sequentially to automate complex GRC tasks without human intervention.

### Workflow 1: Employee Onboarding and Scoping

When a new engineer joins, the IT admin asks ChatGPT to handle the compliance onboarding. The agent must scope the user correctly and log their background check.

> "We just hired bob@company.com as a full-time engineer. Mark him as in-scope for compliance. Once that is done, upload this completed background check file for his profile."

**Execution Steps:**
1. **`sprinto_staff_members_mark_in_scope`**: The agent calls this tool with `email: "bob@company.com"`. Sprinto returns the updated user object, confirming Bob is now tracked for policy acceptance.
2. **`create_a_sprinto_background_verification_report`**: The agent immediately calls this tool, passing Bob's email, the current date, and the file payload provided in the chat.

**Result:** The admin receives a single conversational confirmation that Bob is scoped and his background check is securely logged in Sprinto.

### Workflow 2: Audit Evidence Collection

During an audit prep cycle, the compliance officer asks the agent to attach architecture diagrams to a specific workflow check.

> "Find the workflow check for 'Cloud Infrastructure Diagram' and upload the attached network map as evidence for today."

**Execution Steps:**
1. **`list_all_sprinto_workflow_checks`**: The agent queries the checks. If the list is long, it reads the cursor and paginates until it finds the node where `title` matches "Cloud Infrastructure Diagram". It extracts the `pk` (e.g., `chk_98765`).
2. **`create_a_sprinto_workflow_check_evidence`**: The agent uses the extracted `pk`, sets `evidenceRecordDate` to the current date, and uploads the network map file.

```mermaid
sequenceDiagram
    participant User as User (ChatGPT)
    participant TrutoMCP as Truto MCP Server
    participant SprintoAPI as "Sprinto API"

    User->>TrutoMCP: Call list_all_sprinto_workflow_checks
    TrutoMCP->>SprintoAPI: GET /workflow-checks
    SprintoAPI-->>TrutoMCP: Returns list with cursors
    TrutoMCP-->>User: Returns check pk (chk_98765)
    
    User->>TrutoMCP: Call create_a_sprinto_workflow_check_evidence
    TrutoMCP->>SprintoAPI: POST /workflow-checks/chk_98765/evidence (Multipart)
    SprintoAPI-->>TrutoMCP: Success, status updated
    TrutoMCP-->>User: Confirms evidence uploaded
```

**Result:** The compliance officer avoids clicking through dozens of folders in the Sprinto UI. The agent resolves the exact internal ID and maps the evidence cleanly.

> Stop writing manual JSON-RPC wrappers for vendor APIs. Connect your AI agents to Sprinto, Jira, and 100+ other enterprise platforms using Truto's managed MCP infrastructure.
>
> [Talk to us](https://cal.com/truto/partner-with-truto)

## Strategic Wrap-up

Connecting an LLM to Sprinto transforms compliance from a manual dashboard chore into an automated, conversational workflow. By leveraging a dynamically generated MCP server, you eliminate the need to write custom JSON-RPC routers, manage complex multi-part form data uploads, or maintain rigid schema definitions in your own codebase.

Whether your agents are marking new hires in-scope, paginating through hundreds of workflow checks, or uploading critical audit evidence, the MCP architecture ensures your AI has secure, strictly scoped access to your GRC environment. By handling rate limits gracefully and enforcing method-level security, you ensure your compliance operations scale safely alongside your AI initiatives.
