Connect Strac to Claude: Monitor Risks and Manage Secure Tokens
Learn how to connect Strac to Claude using a managed MCP server. Automate sensitive data detection, redaction, and tokenization without custom integration code.
If you need to connect Strac to Claude to automate data redaction, tokenization, or security risk monitoring, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between Claude's tool calls and Strac's DLP (Data Loss Prevention) APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated managed MCP server URL. If your team uses ChatGPT, check out our guide on connecting Strac to ChatGPT or explore our broader architectural overview on connecting Strac to AI Agents.
Giving a Large Language Model (LLM) read and write access to a secure vault like Strac is a high-stakes engineering challenge. You are dealing with highly sensitive Personally Identifiable Information (PII). When building SOC 2 or GDPR compliant AI agents, you have to manage complex API behaviors, handle raw binary streams for document uploads, and carefully navigate atomic batching rules. Every time Strac updates an endpoint or deprecates a schema field, you have to update your server code, redeploy, and test the integration.
This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Strac, connect it natively to Claude, and execute complex security workflows using natural language.
The Engineering Reality of the Strac API
A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against a specialized security platform like Strac is difficult. You are not just building standard CRUD endpoints - you are interfacing with a high-compliance data vault.
If you decide to build a custom MCP server for Strac, you own the entire API lifecycle. Here are the specific challenges you will face:
Opaque Binary Streams and Multipart Data
Strac handles physical files and documents differently than standard JSON APIs. When an LLM calls a tool to download a redacted document, the Strac API does not return a neat JSON response. It returns an opaque binary stream. LLMs inherently operate on text - if you directly pass a binary buffer back to Claude as a tool response, it will either fail to parse or hallucinate file contents. A proper MCP server must handle the file extraction, store it locally or temporarily, and return a reference ID or a structured text summary to the model.
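One way an MCP server can wrap an opaque document download before it reaches the model, shown here as an added example that is not Truto's or Strac's code: small UTF-8 text is returned inline, anything binary is persisted to local storage, and Claude receives only a reference ID plus a text summary. The reference-ID format, the in-process registry, and the wrap_download_result / resolve_reference names are this example's assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical in-process registry: reference ID -> path of the stored file.
# A production server would use durable storage with an expiry policy.
_REGISTRY: dict = {}


def looks_like_text(data: bytes) -> bool:
    """True when the payload decodes as UTF-8 and carries no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def wrap_download_result(data: bytes, content_type: str,
                         store_dir: Optional[str] = None) -> dict:
    """Turn a raw document download into something an LLM can consume.

    Text is returned inline; binary content is written to disk and replaced by
    a reference ID and a short summary, so the model never sees raw bytes.
    """
    digest = hashlib.sha256(data).hexdigest()
    if content_type.startswith("text/") and looks_like_text(data):
        return {"inline_text": data.decode("utf-8"), "reference_id": None,
                "sha256": digest, "size": len(data), "content_type": content_type}

    reference_id = "doc_" + digest[:16]  # constructed ID format (assumption)
    directory = Path(store_dir or tempfile.mkdtemp(prefix="strac_docs_"))
    path = directory / reference_id
    path.write_bytes(data)
    _REGISTRY[reference_id] = path
    summary = (f"Stored {len(data)} bytes of {content_type} as {reference_id} "
               f"(sha256 {digest[:12]}...). Use the reference ID to fetch it.")
    return {"inline_text": None, "reference_id": reference_id, "summary": summary,
            "sha256": digest, "size": len(data), "content_type": content_type}


def resolve_reference(reference_id: str) -> bytes:
    """Fetch stored bytes back by reference ID (KeyError if unknown)."""
    return _REGISTRY[reference_id].read_bytes()
```

The model only ever sees the summary string and the reference ID; a later tool call can pass that ID back to the server, which resolves it from the registry without the bytes ever transiting the conversation.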
Immutability vs. Idempotency Conflicts
Strac enforces strict rules around state changes. Document uploads to the vault are inherently immutable - repeating a call creates a completely new stored document and issues a new reference ID. Conversely, token creation (create_a_strac_token) supports an idempotent flag allowing you to reuse an existing token for duplicate sensitive data. If an AI agent blindly retries a failed operation without understanding these context-specific rules, it will quickly bloat the vault with duplicate documents or fail to retrieve the correct tokenized value. Your MCP server must enforce strict schema definitions to guide the LLM's behavior.
Atomic Batch Operations
When you use Strac's batch tokenization (create_a_strac_tokens_batch), the entire operation is atomic. You can send up to 200 elements, but if a single element fails to tokenize, the entire batch request fails. LLMs often generate imperfectly formatted arrays when instructed to bulk-process data. If Claude attempts a batch operation with one malformed SSN string, the Strac API will reject the entire payload.
Strict API Rate Limits and 429 Handling
Strac enforces rate limits to maintain vault stability. It is critical to understand how a managed infrastructure layer handles these limits. Truto does not retry, throttle, or apply automatic exponential backoff on rate limit errors. When Strac returns an HTTP 429 Too Many Requests, Truto passes that exact error back to the caller. However, Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) according to the IETF specification. This means your Claude client or agent orchestrator is fully responsible for reading these headers and executing the appropriate retry and backoff logic.
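Because Truto passes HTTP 429 straight through, the retry decision lands on the client, and it has to respect the immutability and idempotency rules described above: a document upload must never be replayed, while a read or an idempotent token creation can be. The following added example (not Truto's, Strac's or Claude's code) is a client-side retry wrapper that honours the normalised ratelimit-reset header and retries only operations it can prove are safe to repeat. The send callable, the Attempt record, and the classification of which tools are read-style are this example's assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Attempt:
    """One HTTP attempt as seen by the caller (constructed shape)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: object = None


# Assumption: these tools only read or transform data and can be repeated.
# Anything not listed here is treated as unsafe to replay unless proven
# otherwise, which covers immutable document uploads by default.
READ_SAFE_TOOLS = {
    "list_all_strac_data_security_risks",
    "create_a_strac_detect",
    "create_a_strac_redact",
}


def is_retry_safe(tool: str, args: dict) -> bool:
    """Repeat a call only when doing so cannot create duplicate vault state.

    create_a_strac_token is safe only when idempotent=true was requested; a
    plain retry would mint a second token for the same sensitive value.
    """
    if tool in READ_SAFE_TOOLS:
        return True
    if tool == "create_a_strac_token":
        return args.get("idempotent") is True
    return False


def backoff_seconds(headers: dict, default: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait, from the IETF-style ratelimit-reset header.

    Header names are matched case-insensitively; a missing or malformed value
    falls back to `default`, and the wait is capped so a bad header cannot
    stall the agent indefinitely.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        wait = float(lowered.get("ratelimit-reset"))
    except (TypeError, ValueError):
        return default
    return min(max(wait, 0.0), cap)


def call_with_retry(tool: str, args: dict, send, max_attempts: int = 3,
                    sleep=time.sleep) -> Attempt:
    """Invoke `send(tool, args)` up to max_attempts times.

    Only HTTP 429 triggers a retry, and only for retry-safe operations; every
    other status (and a 429 on an unsafe operation) is returned unchanged so
    the orchestrator can surface it to the model instead of guessing.
    """
    attempts = 0
    while True:
        attempts += 1
        result = send(tool, args)
        if result.status != 429:
            return result
        if not is_retry_safe(tool, args) or attempts >= max_attempts:
            return result
        sleep(backoff_seconds(result.headers))
```

The important design choice is the default-deny in is_retry_safe: a tool the wrapper does not recognise is never replayed, so a new upload endpoint added upstream cannot silently become a duplicate-document generator.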
How to Generate a Strac MCP Server with Truto
Instead of building an integration layer from scratch, Truto dynamically generates MCP tools from Strac's existing API documentation and resource schemas. When you provision an MCP server, Truto provides a single, secure URL backed by edge-stored authentication tokens. This abstracts away the underlying HTTP requests and authentication headers.
You can generate this server using the Truto UI or programmatically via the API.
Method 1: Generating via the Truto UI
If you are configuring access for a single internal use case or testing an agent locally, the UI is the fastest route.
- Log into your Truto environment.
- Navigate to the Integrated Accounts page and select your connected Strac instance.
- Click the MCP Servers tab.
- Click Create MCP Server.
- Select your desired configuration. You can optionally filter by methods (e.g., only read operations) or apply tag filters to restrict access.
- Click Save and copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4...).
Method 2: Generating via the Truto API
If you are building a B2B SaaS application and need to programmatically provision MCP servers for your own end-users, you can use the REST API. This generates a cryptographic token and registers the server configuration.
Make a POST request to the /integrated-account/:id/mcp endpoint:
curl -X POST https://api.truto.one/admin/integrated-accounts/{integrated_account_id}/mcp \
-H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Strac Risk Monitoring Agent",
"config": {
"methods": ["read", "list", "create"],
"require_api_token_auth": false
}
}'
The API returns the provisioned server details, including the secure URL:
{
"id": "mcp_srv_9x8y7z",
"name": "Strac Risk Monitoring Agent",
"config": {
"methods": ["read", "list", "create"],
"require_api_token_auth": false
},
"expires_at": null,
"url": "https://api.truto.one/mcp/a1b2c3d4e5f6g7h8i9j0"
}
Connecting the Strac MCP Server to Claude
Once you have the Truto MCP URL, you need to register it with your LLM client. MCP servers communicate using JSON-RPC 2.0. Because Truto handles the protocol translation natively, connecting the server requires zero custom code.
Method A: Connecting via the UI (Claude / ChatGPT)
If you are using a consumer-facing AI interface that supports UI-based MCP connector setup (like ChatGPT's Developer Mode or upcoming Claude web features):
- Open your AI client settings.
- Navigate to Integrations or Custom Connectors.
- Select Add MCP Server.
- Paste your Truto MCP URL (https://api.truto.one/mcp/...) and save.
The model will immediately send an initialize request to the server, discover the available Strac tools, and await your prompts.
Method B: Connecting via Manual Configuration (Claude Desktop & Custom Agents)
If you are using Claude Desktop or an open-source agent orchestrator, you configure the connection using a JSON file. Because Truto MCP servers use HTTP endpoints, you bridge the connection using the official Server-Sent Events (SSE) transport adapter provided by the MCP project.
Open your claude_desktop_config.json file (typically located at ~/Library/Application Support/Claude/claude_desktop_config.json on macOS) and add the following entry:
{
"mcpServers": {
"strac_vault": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-sse",
"https://api.truto.one/mcp/a1b2c3d4e5f6g7h8i9j0"
]
}
}
}
Save the file and restart Claude Desktop. The desktop app will spin up the SSE proxy, establish the handshake with Truto, and pull the Strac tool schemas.
Hero Tools for Strac
Truto automatically generates a comprehensive set of tools based on Strac's resources. The MCP router handles the flat input namespace from the LLM, intelligently routing arguments into the correct query parameters and body payloads based on the schemas.
Here are the highest-leverage tools available for Strac.
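To make the routing step concrete, here is an added example (not Truto's router) of how a flat argument dict from a tool call can be split into query parameters and a JSON body according to a per-tool schema. The paths /data-security-risks and /redact and the appType and raw_text parameter names are taken from the sequence diagram later on this page; the routing table itself, the extra parameter names (from, to, redact_mode), and the route function are this example's assumptions.

```python
from urllib.parse import urlencode

# Hypothetical routing table for two of the tools named on the page.
# Parameter locations ("query" vs "body") are assumptions for illustration.
TOOL_ROUTES = {
    "list_all_strac_data_security_risks": {
        "method": "GET",
        "path": "/data-security-risks",
        "params": {"appType": "query", "from": "query", "to": "query"},
    },
    "create_a_strac_redact": {
        "method": "POST",
        "path": "/redact",
        "params": {"raw_text": "body", "redact_mode": "body"},
    },
}


def route(tool: str, flat_args: dict) -> dict:
    """Split a flat tool-call argument dict into a query string and a body.

    Arguments the schema does not declare are rejected rather than forwarded:
    silently passing them on would let a hallucinated or injected parameter
    reach the upstream DLP API.
    """
    spec = TOOL_ROUTES.get(tool)
    if spec is None:
        raise KeyError(f"unknown tool {tool!r}")
    query, body, unknown = {}, {}, []
    for name, value in flat_args.items():
        location = spec["params"].get(name)
        if location == "query":
            query[name] = value
        elif location == "body":
            body[name] = value
        else:
            unknown.append(name)
    if unknown:
        raise ValueError(f"{tool}: undeclared arguments {sorted(unknown)}")
    url = spec["path"] + (f"?{urlencode(query)}" if query else "")
    return {"method": spec["method"], "url": url, "body": body or None}
```

The strict-schema behaviour is the point: the model sees one flat namespace, but only names the schema declares can ever reach a query string or request body.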
Detect Sensitive Data
Tool: create_a_strac_detect
Submits a payload to the Strac engine to detect sensitive data within a document or raw text block. It returns the resulting sensitive-data findings. This is the foundation of any automated risk monitoring workflow.
"I have a plaintext transcript from a recent sales call. Run a detection scan on the following text using Strac to identify if any credit card numbers or SSNs were mentioned during the conversation: [Transcript text]."
Redact Inline Text
Tool: create_a_strac_redact
Redacts sensitive data from inline text content, replacing detected PII and other sensitive fields according to the configured redact mode. This tool is essential for PII redaction when passing SaaS data to LLMs via MCP. For example, it substitutes real values with tokenized Strac vault links.
"Take this customer support email and redact all sensitive information using Strac. Return the fully redacted text so I can safely log it in our internal wiki. Here is the email: [Email text]."
Create a Vault Token
Tool: create_a_strac_token
Creates a single token in the Strac vault by sending sensitive data and receiving back a secure reference identifier. By default, a new token is generated per request. Set idempotent to true if you want to reuse an existing token for duplicate data.
"Take this user's Social Security Number and create a token in the Strac vault. Ensure you set the idempotent flag to true so we don't create duplicates. Return the secure token ID to me."
Batch Tokenization
Tool: create_a_strac_tokens_batch
Creates a batch of up to 200 Strac tokens by sending sensitive data elements to the vault simultaneously. Remember that this operation is atomic - if Claude hallucinates an invalid element format, the whole batch fails.
"I have a list of 50 customer phone numbers. Send them to Strac using a batch tokenization request. Provide me with the mapping of the generated token IDs."
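Since a single malformed element fails the whole atomic batch, the practical defence is to validate and partition the elements before they are sent, so that one bad value is reported on its own instead of sinking the other 199. The following is an added example (not Truto's or Strac's code) of that pre-flight step; the element shape {"type": ..., "value": ...}, the format checks, and the function names are this example's assumptions, and the 200-element limit is the one stated on this page.

```python
import re

MAX_BATCH = 200  # page: Strac accepts up to 200 elements per atomic batch

# Hypothetical element shape for this example: {"type": <kind>, "value": <str>}.
# The real Strac batch schema is not reproduced on the page, so these format
# checks are deliberately simple illustrations.
VALIDATORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\+?\d{10,15}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}


def validate_element(element) -> "str | None":
    """Return None when the element is well-formed, else a reason string."""
    if not isinstance(element, dict):
        return "element is not an object"
    kind = element.get("type")
    value = element.get("value")
    if kind not in VALIDATORS:
        return f"unknown type {kind!r}"
    if not isinstance(value, str) or not VALIDATORS[kind].match(value):
        return f"malformed {kind} value"
    return None


def partition(elements: list):
    """Separate well-formed elements from rejected ones (with index + reason)."""
    good, rejected = [], []
    for index, element in enumerate(elements):
        reason = validate_element(element)
        if reason is None:
            good.append(element)
        else:
            rejected.append({"index": index, "reason": reason})
    return good, rejected


def chunk(elements: list, size: int = MAX_BATCH) -> list:
    """Split a list into consecutive slices no longer than `size`."""
    return [elements[i:i + size] for i in range(0, len(elements), size)]


def prepare_batches(elements: list):
    """Validate, then chunk: returns (batches, rejected).

    Each batch is small enough for one atomic request, and rejected elements
    are returned separately so the caller can surface them without wasting a
    whole batch call on an error Strac would reject anyway.
    """
    good, rejected = partition(elements)
    return chunk(good), rejected
```

Run before the tool call, this turns "the whole batch failed" into a precise list of which indices were malformed and why, which is what an orchestrator needs in order to ask the model to correct only those records.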
List Data Security Risks
Tool: list_all_strac_data_security_risks
Lists data security risks discovered by Strac across your integrated applications. You can filter the results by app type, date ranges, and sensitive data types to perform targeted security audits.
"List all data security risks detected by Strac in the last 7 days across our integrated Zendesk account. Specifically look for events involving unencrypted passwords or credit card data."
Redact via Outbound Proxy
Tool: create_a_strac_proxy_redact
Sends an HTTP request through Strac's outbound proxy to a third-party URL, replacing sensitive data with redacted equivalents before forwarding. The response shape is entirely determined by the target endpoint.
"Send a POST request to our external analytics vendor at api.analytics.com/ingest using the Strac redact proxy. Send this user event payload, but ensure Strac intercepts it and redacts any PII before the vendor receives it."
To view the complete inventory of available tools, including document uploading and webhook management, visit the Strac integration page.
Workflows in Action
Connecting Strac to Claude transforms static security endpoints into active, conversational workflows. Here are two real-world scenarios showing how Claude navigates the MCP tools.
Workflow 1: Automated PII Redaction and Logging
Customer support teams often receive emails or tickets containing unprompted PII (like a customer emailing their full credit card number). An AI agent can intercept the text, redact it via Strac, and safely log the sanitized version.
"Check the latest security risks in Strac for any Zendesk tickets flagged today. If you find a ticket containing an SSN, extract the text, run it through the Strac redaction tool, and give me the clean text to update the ticket."
Execution Steps:
- Claude calls list_all_strac_data_security_risks with filters set for today's date and the Zendesk app type.
- Claude parses the event data to identify the flagged text block.
- Claude calls create_a_strac_redact, passing the raw text.
- Strac returns the sanitized redacted_text string, which Claude presents to the user.
sequenceDiagram
participant User as User
participant Claude as Claude Desktop
participant Truto as Truto MCP Server
participant Strac as Strac API
User ->> Claude: "Check risks and redact flagged ticket text."
Claude ->> Truto: Call list_all_strac_data_security_risks
Truto ->> Strac: GET /data-security-risks?appType=Zendesk
Strac -->> Truto: [Risk events array]
Truto -->> Claude: Return JSON results
Claude ->> Truto: Call create_a_strac_redact (raw_text)
Truto ->> Strac: POST /redact (payload)
Strac -->> Truto: { redacted_text: "..." }
Truto -->> Claude: Return redacted string
Claude ->> User: "Here is the safe, redacted text..."
Workflow 2: Secure Batch Tokenization
Data engineering teams frequently need to tokenize large datasets before moving them into a data warehouse. Claude can act as an orchestration layer to batch-process these records securely.
"I have a list of 15 email addresses and phone numbers. Tokenize all of them at once using the Strac batch endpoint. Give me a table mapping the original identifiers to their new vault tokens."
Execution Steps:
- Claude structures the 15 records into the precise array format required by the Strac schema.
- Claude calls create_a_strac_tokens_batch, passing the structured array in the body arguments.
- Truto proxies the request to the Strac vault. Because the formatting is correct, the atomic batch succeeds.
- Claude receives the array of reference tokens and formats them into a markdown table for the user.
Security and Access Control
When exposing a DLP platform like Strac to an LLM, security controls are paramount. You must restrict exactly what the model can do. Truto's MCP servers provide strict, granular control mechanisms engineered directly into the token layer:
- Method Filtering: You can configure the config.methods property on the MCP token to restrict the server to specific HTTP verbs. For example, setting it to ["read"] ensures the LLM can only execute get and list operations (like fetching risk reports) and cannot mutate tokens or upload documents.
- Tag Filtering: Strac resources are mapped to specific tags (e.g., vault, proxy, audit). By applying tag filters during server creation, you can isolate the LLM to only proxying tasks without giving it access to the core vault tokens.
- Require API Token Auth: By default, possessing the MCP URL is sufficient to connect. For enterprise deployments, setting require_api_token_auth: true forces the connecting client to also pass a valid Truto API token in the Authorization header, adding a strict second layer of identity verification.
- Automatic Expiration: You can set an expires_at timestamp when creating the server. Truto enforces this at the edge via key-value storage expirations and scheduled cleanup alarms, ensuring temporary contractors or test agents automatically lose access precisely when intended.
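To show how these controls compose into a single admission decision, here is an added example (not Truto's edge code) of a gate that evaluates a tool call against a server record shaped like the one returned by the provisioning API above: expiry first, then the optional API-token requirement, then method filtering. The mapping from a tool name's leading verb to a method, the treatment of "read" as covering both get and list (as the page states), and the authorize function are this example's assumptions; tag filtering is omitted because the page does not show the tag-to-tool mapping.

```python
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple

READ_FAMILY = {"get", "list"}  # page: ["read"] permits get and list operations


def tool_verb(tool: str) -> str:
    """Assumption: tool names begin with their operation verb (list_*, create_*)."""
    return tool.split("_", 1)[0]


def method_allowed(methods, tool: str) -> bool:
    """True when the tool's verb is in config.methods, or is a read-family verb
    and the config includes "read"."""
    verb = tool_verb(tool)
    if verb in methods:
        return True
    return verb in READ_FAMILY and "read" in methods


def is_expired(expires_at: Optional[str], now: datetime) -> bool:
    """expires_at is an ISO-8601 timestamp or None (never expires)."""
    if expires_at is None:
        return False
    deadline = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    return now >= deadline


def authorize(server: dict, tool: str, *, authorization: Optional[str] = None,
              now: Optional[datetime] = None,
              valid_api_tokens: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Decide whether a tool call may proceed; returns (allowed, reason).

    Checks run in the order a gateway would want them: an expired server is
    refused before any credential is examined, and a missing or invalid API
    token is refused before the requested method is even considered.
    """
    now = now or datetime.now(timezone.utc)
    if is_expired(server.get("expires_at"), now):
        return False, "server expired"
    config = server.get("config", {})
    if config.get("require_api_token_auth"):
        prefix = "Bearer "
        if not authorization or not authorization.startswith(prefix):
            return False, "api token required"
        if authorization[len(prefix):] not in valid_api_tokens:
            return False, "invalid api token"
    if not method_allowed(config.get("methods", []), tool):
        return False, f"method '{tool_verb(tool)}' not permitted"
    return True, "ok"
```

Ordering the checks this way means an attacker holding only a leaked URL learns nothing about which tools exist on a server that has expired or that demands an API token; the method-level reason is only ever produced for an authenticated, unexpired caller.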
Architecting for Secure AI
Connecting Strac to Claude is not about giving an LLM god-mode over your security infrastructure. It is about securely automating the repetitive tasks that slow down IT and security teams - detecting risks, tokenizing batch data, and proxying requests safely.
By leveraging a managed MCP server, you eliminate the operational burden of translating binary streams, managing tokenization schemas, and writing boilerplate JSON-RPC handlers. You let the model focus on orchestration while the underlying infrastructure enforces strict schema definitions and authentication boundaries.
FAQ
- How does Truto handle Strac API rate limits for Claude?
- Truto does not automatically retry or absorb rate limit errors. When Strac returns an HTTP 429 error, Truto passes the error directly to the caller while normalizing the upstream rate limit data into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). Your Claude client or agent orchestrator is responsible for implementing retry and backoff logic.
- Can I limit which Strac endpoints Claude can access?
- Yes. When creating an MCP server in Truto, you can use method filtering (e.g., restricting to only 'read' operations) and tag filtering to scope down the exact tools exposed to the model. This is critical for DLP platforms like Strac where you may want an agent to read risk audits but not actively mutate vault tokens.
- How do I add an MCP server to Claude Desktop?
- If you are using Claude Desktop, open your configuration file and add the Truto MCP server URL under the mcpServers key, specifying the command to run the Server-Sent Events (SSE) transport. If you are using an agent orchestrator, you can supply the URL directly to the framework's MCP connection handler.