Connect The Auth API to ChatGPT: Manage user roles and API keys
Learn how to connect The Auth API to ChatGPT using an MCP server. Automate API key provisioning, tenant isolation, and role-based access control workflows.
If you need to connect The Auth API to ChatGPT to automate tenant provisioning, rotate API keys, or manage role-based access control, you need a Model Context Protocol (MCP) server. This infrastructure layer translates an LLM's natural language tool calls into structured REST API requests. You can either spend weeks building, hosting, and maintaining a custom MCP server, or you can use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL. If your team uses Claude, check out our guide on connecting The Auth API to Claude or explore our broader architectural overview on connecting The Auth API to AI Agents.
Giving a Large Language Model (LLM) read and write access to your core identity and access management infrastructure is a serious engineering undertaking. You have to map highly nested JSON schemas to MCP tool definitions, handle strict pagination, and securely route payloads without logging sensitive access tokens. Every time The Auth API updates an endpoint or deprecates a legacy authentication method, you have to update your server code, redeploy, and test the integration.
This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for The Auth API, connect it natively to ChatGPT, and execute complex security workflows using natural language.
The Engineering Reality of The Auth API
A custom MCP server is a self-hosted translation layer. While the open MCP standard provides a predictable way for models to discover tools using JSON-RPC, the reality of implementing it against a specialized authentication vendor's API is painful.
If you decide to build a custom MCP server for The Auth API, you own the entire integration lifecycle. Here are the specific challenges that break standard CRUD assumptions when working with this specific API:
Multi-Tenant Entity Hierarchies
The Auth API is designed for B2B SaaS platforms managing thousands of downstream tenants. Its data model relies heavily on a strict hierarchy: Accounts contain Projects, and Projects contain Access Keys and Webhooks. When an LLM wants to retrieve a specific key or list webhooks, it cannot just call a flat /webhooks endpoint. It must simultaneously pass the correct accountId and projectId. If your MCP server does not expose these required parameters explicitly in the JSON schema with clear descriptions, the LLM will hallucinate IDs or fail the request entirely.
Complex Authentication Endpoints
The Auth API provides multiple ways to authenticate and verify a key, reflecting different historical versions of their service. There is a legacy GET endpoint (authenticateKeyLegacy), a newer POST endpoint (authenticateKey), and an ID-specific lookup. You must accurately map these discrete paths as separate tools in your MCP server so the LLM knows exactly which endpoint to call based on the data it possesses (a raw key string versus a key ID).
Rate Limits and 429 Errors
Authentication APIs are high-throughput by nature and enforce strict rate limits to prevent abuse. If your AI agent gets stuck in a loop attempting to validate thousands of keys, The Auth API will return a 429 Too Many Requests error. Crucially, Truto does not retry, throttle, or apply backoff on rate limit errors. When the upstream API returns an HTTP 429, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF specification. The caller (your LLM framework or custom agent) is entirely responsible for catching these 429s, reading the headers, and executing its own exponential backoff and retry logic. If you build this yourself, you have to write all of this error handling from scratch.
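Since Truto hands the 429 straight back, the caller has to own the retry. The wrapper below is an added example (not Truto's or The Auth API's code) that honours the normalized ratelimit-* headers before backing off; the MCP URL, the injectable fetch/sleep hooks and the attempt limit are assumptions made for illustration.

```javascript
// Added example: caller-side handling of the HTTP 429 that Truto passes through.
// The IETF header semantics assumed here: ratelimit-reset = seconds until the window resets.

// Read a header from either a Headers object or a plain object (used by constructed test input).
function getHeader(headers, name) {
  if (!headers) return undefined;
  return typeof headers.get === 'function' ? headers.get(name) : headers[name];
}

// Delay before the next attempt: prefer ratelimit-reset, otherwise exponential
// backoff with full jitter, capped at maxMs so a bad header cannot stall the agent.
function backoffDelayMs(headers, attempt, { baseMs = 500, maxMs = 30000, random = Math.random } = {}) {
  const reset = Number(getHeader(headers, 'ratelimit-reset'));
  if (Number.isFinite(reset) && reset > 0) return Math.min(reset * 1000, maxMs);
  const ceiling = Math.min(baseMs * 2 ** attempt, maxMs);
  return Math.floor(random() * ceiling);
}

// Issue the request and retry only on 429. Every other status is returned untouched
// so the LLM framework can surface upstream errors instead of masking them.
async function callWithRateLimitRetry(url, init, opts = {}) {
  const {
    fetchImpl = fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxAttempts = 5,
    random = Math.random,
  } = opts;
  for (let attempt = 1; ; attempt += 1) {
    const res = await fetchImpl(url, init);
    if (res.status !== 429) return res;
    if (attempt >= maxAttempts) {
      const limit = getHeader(res.headers, 'ratelimit-limit');
      throw new Error(`still rate limited after ${attempt} attempts (ratelimit-limit=${limit})`);
    }
    await sleep(backoffDelayMs(res.headers, attempt, { random }));
  }
}

// Usage against a Truto MCP URL (placeholder token; body is the JSON-RPC tool call your client builds):
// const res = await callWithRateLimitRetry('https://api.truto.one/mcp/YOUR_TRUTO_TOKEN',
//   { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: toolCallJson });
```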
Step 1: Generate the MCP Server for The Auth API
Instead of hand-coding tool definitions, Truto dynamically derives them from The Auth API's underlying resources and schema documentation. A tool only appears in the MCP server if it has a corresponding definition, ensuring only curated endpoints are exposed to ChatGPT.
You can generate an MCP server for your connected The Auth API account using either the Truto UI or the REST API.
Method A: Via the Truto UI
This is the fastest path for administrators configuring tools manually.
- Log into Truto and navigate to the Integrated Accounts page.
- Select your connected The Auth API account.
- Click the MCP Servers tab.
- Click Create MCP Server.
- Select your desired configuration (e.g., allow all methods, or restrict to read-only).
- Copy the generated MCP server URL (it will look like https://api.truto.one/mcp/abc123def456...).
Method B: Via the Truto API
For engineering teams building multi-tenant AI agents, you can provision MCP servers programmatically.
Send a POST request to the /integrated-account/:id/mcp endpoint. The resulting URL contains a secure, hashed token that authenticates requests strictly to that specific integrated account.
```javascript
// Example: Generating a read-only MCP server for The Auth API
const response = await fetch('https://api.truto.one/integrated-account/YOUR_ACCOUNT_ID/mcp', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer YOUR_TRUTO_API_KEY`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: "The Auth API Security Auditor",
    config: {
      methods: ["read"] // Restricts the LLM to get/list operations
    }
  })
});
// Surface a failed provisioning call instead of reading an error body as a server
if (!response.ok) throw new Error(`Truto returned HTTP ${response.status}`);
const mcpServer = await response.json();
console.log(mcpServer.url);
// Output: https://api.truto.one/mcp/a1b2c3d4e5f6...
```
Step 2: Connect the MCP Server to ChatGPT
Once you have the Truto MCP URL, you need to register it as a tool provider. You can do this directly in the ChatGPT UI for enterprise users, or via a manual configuration file for local/custom desktop clients.
Method A: Via the ChatGPT UI
If you are using ChatGPT Enterprise, Team, or Pro with Developer Mode enabled:
- In ChatGPT, navigate to Settings -> Apps -> Advanced settings.
- Ensure Developer mode is enabled.
- Under MCP servers / Custom connectors, click Add a new server.
- Name: "The Auth API"
- Server URL: Paste the Truto MCP URL.
- Click Save.
ChatGPT will immediately ping the server, execute the MCP handshake, and ingest the tool definitions for The Auth API.
Method B: Via Manual Config File
If you are connecting from a local desktop client (like Claude Desktop or Cursor) or building a custom agent wrapper that relies on file-based configuration, you can use the official @modelcontextprotocol/server-sse CLI to proxy the connection.
Add the following to your MCP configuration JSON file:
```json
{
  "mcpServers": {
    "the_auth_api": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/YOUR_TRUTO_TOKEN"
      ]
    }
  }
}
```
Restart your client. The agent will read the config, establish an SSE connection, and discover the tools.
Hero Tools for The Auth API
Truto exposes the entirety of The Auth API as discrete, callable tools. By flattening the query and body parameters into a single JSON schema, Truto ensures the LLM understands exactly what data is required.
Here are the highest-leverage tools available for your AI agents.
create_a_the_auth_api_project
Creates a new project container inside a specific account. Projects are required before you can provision access keys or set up webhooks.
Contextual usage notes: The LLM must supply the accountId. If the agent does not know the account ID, instruct it to call the list accounts tool first.
"We are onboarding a new enterprise customer, Cyberdyne. Please create a new project in The Auth API for them. You can find their account ID by searching the accounts list for 'Cyberdyne'."
create_a_the_auth_api_access_key
Provisions a new API key within a specific project. This is the core provisioning operation for the platform.
Contextual usage notes: Requires the accountId parameter. The tool returns the raw key string in the response. Ensure your prompt instructions dictate how the agent should handle the returned key (e.g., mask it in the chat, or pass it to another system immediately).
"Generate a new active access key for the project ID 'proj_98765' under the Acme Corp account. Output the key exactly once so I can copy it into our environment variables."
create_a_the_auth_api_api_keys_auth
Authenticates an API key via a POST request to verify its validity and permissions.
Contextual usage notes: This expects the key's internal id, not the raw key string. Use this to validate that a key is still active and possesses the correct scopes before allowing an external system to proceed.
"A user is reporting an invalid token error for key ID 'key_88442'. Run an authentication check against this key ID and tell me if the API returns a success response or an error."
update_a_the_auth_api_access_key_reactivate_by_id
Reactivates a previously deactivated or suspended access key.
Contextual usage notes: Rather than performing a standard PUT/PATCH update on a status field, The Auth API uses this specific operational endpoint to toggle key state. It requires the key's id.
"The billing dispute with Globex has been resolved. Please reactivate their access key (ID: key_11223) so their integrations come back online."
list_all_the_auth_api_user_roles
Retrieves the complete list of user roles available within The Auth API environment.
Contextual usage notes: Essential for auditing RBAC setups or preparing to assign a new team member to a project. You can optionally filter the results by accountId.
"List all the available user roles in our account. I need to know which role has the minimum permissions necessary to just view analytics without being able to create keys."
create_a_the_auth_api_invitation
Generates an invitation to bring a new user into a specific account or project.
Contextual usage notes: Useful for automating onboarding pipelines. Returns the invitation id and status.
"Invite sarah.connor@example.com to the Skynet account. Assign her to the 'Developer' role. Confirm when the invitation has been sent."
list_all_the_auth_api_analytics_api_key_totals
Retrieves aggregate usage analytics for API keys over a specified date grouping.
Contextual usage notes: Requires projectId and a dateGrouping string. This allows ChatGPT to act as a natural language data analyst for your API traffic.
"Pull the API key usage totals for the 'Production Data Sync' project for the last 7 days. Summarize which keys have seen the highest volume of requests."
Workflows in Action
Single tool calls are useful, but the real power of an MCP server is orchestrating multi-step API workflows. Here is how ChatGPT executes complex operations using Truto's The Auth API tools.
Scenario 1: Developer Account Provisioning
Persona: DevOps Engineer automating environment setup.
"We just signed a new client, Initech. First, check if an account exists for them. If not, create an account. Then, create a project named 'Initech Production Sync'. Finally, generate a new access key for this project and invite peter.gibbons@initech.com to the account."
Execution Steps:
- list_all_the_auth_api_accounts: The agent searches for "Initech". Finding nothing, it proceeds.
- create_a_the_auth_api_account: The agent creates the account and extracts the new accountId.
- create_a_the_auth_api_project: Using the new accountId, the agent creates the project and extracts the projectId.
- create_a_the_auth_api_access_key: The agent provisions the key using the accountId and projectId.
- create_a_the_auth_api_invitation: The agent sends an invite to the provided email.
Result: The DevOps engineer receives a summary confirming the account, project, and key creation, along with confirmation that the invitation was sent—all without opening a single dashboard.
Scenario 2: API Key Usage Audit and Security Revocation
Persona: Security Operations (SecOps) Analyst responding to anomalous traffic.
"We saw a huge spike in traffic yesterday. Pull the API key analytics for the 'Legacy Importer' project. If any key exceeded 50,000 requests in that date grouping, find the key's ID and deactivate it immediately."
Execution Steps:
- list_all_the_auth_api_analytics_api_key_totals: The agent passes the projectId and queries the totals for the previous day.
- The LLM analyzes the returned data arrays in context, identifying a specific key string that hit 85,000 requests.
- the_auth_api_api_keys_list_2: The agent looks up the raw key string to find its internal database id.
- update_a_the_auth_api_access_key_by_id: The agent issues an update payload setting the key to an inactive state.
Result: The SecOps analyst gets a natural language report stating exactly which key breached the threshold and confirmation that the key has been successfully suspended.
```mermaid
sequenceDiagram
    participant SecOps as SecOps Analyst
    participant ChatGPT as ChatGPT
    participant Truto as Truto MCP
    participant Upstream as The Auth API
    SecOps->>ChatGPT: "Analyze traffic and deactivate offending key"
    ChatGPT->>Truto: call list_all_the_auth_api_analytics_api_key_totals
    Truto->>Upstream: GET /analytics/api-keys/totals
    Upstream-->>Truto: Aggregate usage data
    Truto-->>ChatGPT: Analytics JSON
    Note over ChatGPT: Analyzes data,<br>finds key > 50k
    ChatGPT->>Truto: call the_auth_api_api_keys_list_2 (key string)
    Truto->>Upstream: GET /api-keys/lookup
    Upstream-->>Truto: Key metadata (includes ID)
    Truto-->>ChatGPT: Key ID
    ChatGPT->>Truto: call update_a_the_auth_api_access_key_by_id
    Truto->>Upstream: PATCH /api-keys/{id} (status: inactive)
    Upstream-->>Truto: 200 OK
    Truto-->>ChatGPT: Success response
    ChatGPT-->>SecOps: "Key deactivated successfully."
```
Security and Access Control
Giving an AI agent access to API keys and tenant data requires strict boundaries. Truto provides multiple layers of security at the MCP token level:
- Method Filtering: When creating the server via the API or UI, you can restrict the token to specific method types. Setting methods: ["read"] ensures the LLM can only execute get and list operations, preventing accidental key deletions or unapproved project creation.
- Tag Filtering: Limit the server to specific resource tags. For example, you can expose only analytics resources to a reporting agent, entirely hiding the access_keys and webhooks endpoints.
- Additional Authentication (require_api_token_auth): By default, possessing the MCP URL grants access. By enabling the require_api_token_auth flag, clients must also pass a valid Truto API token in the Authorization header. This guarantees that only authenticated internal services can execute tools.
- Automatic Expiration (expires_at): You can set an exact ISO datetime for the MCP server to self-destruct. This is perfect for granting a contractor or temporary AI agent ephemeral access to The Auth API for an audit, knowing access will be cleanly revoked at midnight.
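Combining these four controls is easier to get right in code than in a dashboard. The helper below is an added example (not Truto's code) that assembles the POST body for /integrated-account/:id/mcp and refuses to create a state-changing server unless it both requires a Truto API token and expires within a day. The `methods`, `require_api_token_auth` and `expires_at` names come from this page; the `tags` config key, the 24-hour policy, and any method value other than "read" are assumptions.

```javascript
// Added example: least-privilege guard for provisioning Truto MCP servers.
// Assumption: any method value other than 'read' can change state in The Auth API.
const READ_METHODS = new Set(['read']);

function isoAfterHours(now, hours) {
  return new Date(now.getTime() + hours * 3600 * 1000).toISOString();
}

// Policy (this example's assumption, not a Truto default): a server that can write
// must require a Truto API token on every call and must self-destruct within 24h.
function buildScopedMcpServer({ name, methods = ['read'], tags, ttlHours, requireTokenAuth = false, now = new Date() }) {
  const canWrite = methods.some((m) => !READ_METHODS.has(m));
  if (canWrite && !requireTokenAuth) {
    throw new Error(`"${name}" exposes write methods but does not require API token auth`);
  }
  if (canWrite && !(ttlHours > 0 && ttlHours <= 24)) {
    throw new Error(`"${name}" exposes write methods and needs an expiry of at most 24h`);
  }
  const config = { methods };
  if (tags && tags.length) config.tags = tags; // assumed key name for tag filtering
  if (requireTokenAuth) config.require_api_token_auth = true;
  if (ttlHours > 0) config.expires_at = isoAfterHours(now, ttlHours);
  return { name, config };
}

// Sends the body to Truto using the same endpoint and bearer header as the
// generation snippet earlier on this page. fetchImpl is injectable for testing.
async function createMcpServer(accountId, trutoApiKey, body, fetchImpl = fetch) {
  const res = await fetchImpl(`https://api.truto.one/integrated-account/${accountId}/mcp`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${trutoApiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`Truto returned HTTP ${res.status}`);
  return res.json();
}

// Usage: an analytics-only reporting agent with no expiry, and a short-lived provisioner.
// await createMcpServer('YOUR_ACCOUNT_ID', 'YOUR_TRUTO_API_KEY',
//   buildScopedMcpServer({ name: 'Reporting', tags: ['analytics'] }));
```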
Final Thoughts
Building a custom integration to give ChatGPT control over The Auth API forces your engineering team to manage complex authentication state, multi-tenant parameter mapping, and rigorous error handling.
By leveraging Truto's dynamically generated MCP servers, you eliminate the boilerplate. Your AI agents get immediate, documented, and strictly controlled access to your identity and authentication infrastructure, allowing you to automate security audits and tenant provisioning in minutes instead of months.
FAQ
- How do I connect The Auth API to ChatGPT?
- You can connect The Auth API to ChatGPT by generating a Model Context Protocol (MCP) server URL using Truto. Truto translates your The Auth API integrated account into standard MCP tools, which you can add directly to ChatGPT's custom connectors.
- Can ChatGPT create new API keys in The Auth API?
- Yes. By exposing the `create_a_the_auth_api_access_key` tool through the MCP server, ChatGPT can provision new API keys, associate them with specific projects, and return the credentials directly in the chat interface.
- How does Truto handle The Auth API rate limits?
- Truto does not automatically retry or absorb rate limit errors. If The Auth API returns a 429 Too Many Requests, Truto passes the error back to the caller along with standardized IETF rate limit headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). The caller must handle the retry logic.
- Can I restrict the ChatGPT agent to read-only access?
- Yes. When creating the MCP server in Truto, you can configure method filters to only expose 'read' or 'list' operations, preventing the LLM from making any state-changing API calls.