
Connect The Auth API to Claude: Sync projects, webhooks, and teams

Learn how to connect The Auth API to Claude via an MCP server. Automate project syncs, manage user roles, and audit API keys using natural language.

Uday Gajavalli · 9 min read

If your engineering team uses The Auth API to manage identity, API keys, and project infrastructure, you know how tedious manual administrative tasks can be. Rotating compromised keys, auditing user roles, and configuring webhooks across multiple environments takes time away from core product development. By connecting The Auth API to Claude using a Model Context Protocol (MCP) server, you can execute these infrastructure operations securely using natural language.

If your team uses ChatGPT, check out our guide on connecting The Auth API to ChatGPT or explore our broader architectural overview on connecting The Auth API to AI Agents.

Giving a Large Language Model (LLM) read and write access to your authentication and authorization infrastructure is a significant engineering challenge. You must handle complex relational data dependencies, strict security constraints, and unpredictable API error responses. Every time an endpoint changes, you must update your local tool definitions. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for The Auth API, connect it natively to Claude, and execute complex security workflows.

The Engineering Reality of The Auth API

A custom MCP server is a self-hosted integration layer. The open MCP standard gives models a predictable way to discover tools over JSON-RPC 2.0; the difficulty lies in implementing that standard against a specific vendor API.

If you decide to build a custom MCP server for The Auth API, you own the entire API lifecycle. Here are the specific challenges you will face:

Strict Relational Dependencies

The Auth API is highly relational. You cannot simply query a webhook or an access key in isolation; the API relies heavily on hierarchical context. To list webhooks, you must provide an accountId and a projectId. For an LLM to perform this operation successfully, your MCP tool schema must enforce these required fields exactly. If you hand-roll this, you will write hundreds of lines of JSON Schema just to teach Claude how to resolve an account ID before attempting to look up a webhook.

Flat Input Namespaces vs Nested Payloads

When Claude calls a tool, it passes all arguments as a single flat JSON object. The Auth API, however, expects some parameters in the URL path, some in the query string, and others deeply nested in the request body. Your custom MCP server must parse Claude's flat input, separate the path and query arguments from the body payload, and reconstruct the exact HTTP request The Auth API demands.

Rate Limits and 429 Handling

The Auth API enforces rate limits to prevent abuse. If your AI agent attempts to audit hundreds of API keys in a tight loop, it will hit one. Note that Truto does not retry, throttle, or apply backoff on rate limit errors: when the upstream API returns an HTTP 429, Truto passes that error directly to the caller. Truto normalizes upstream rate limit information into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The caller - whether that is your custom script or the LLM agent framework - is entirely responsible for implementing retry and backoff logic. Building a custom server means you must catch these opaque upstream errors and translate them into something the LLM understands.

Instead of building this routing and schema translation layer from scratch, you can use Truto. Truto derives tool definitions dynamically from the integration's resource configurations and automatically handles the query-to-body parameter splitting.
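As an added illustration (not Truto's or The Auth API's code), here is what the schema and routing layer described above has to do in a hand-rolled server, together with the caller-side backoff that the rate-limit paragraph leaves to you. The per-tool spec shape, the resource paths and the field names are assumptions; the ratelimit-* header names are the ones named above.

```javascript
// Added example, not code from Truto or The Auth API. A custom MCP server
// must (1) enforce the hierarchical required fields, (2) split Claude's flat
// argument object into path, query and body, and (3) leave 429 backoff to
// the caller. Paths, spec shape and field names below are assumptions.

// One spec per tool: path, query and body fields are declared separately so
// the flat input can be split back out; "required" encodes the
// accountId -> projectId context the API demands.
const listWebhooksSpec = {
  method: 'GET',
  path: '/accounts/{accountId}/projects/{projectId}/webhooks', // assumed path
  pathParams: ['accountId', 'projectId'],
  queryParams: ['limit', 'cursor'],
  bodyParams: [],
  required: ['accountId', 'projectId'],
};

const createWebhookSpec = {
  method: 'POST',
  path: '/accounts/{accountId}/projects/{projectId}/webhooks', // assumed path
  pathParams: ['accountId', 'projectId'],
  queryParams: [],
  bodyParams: ['topic', 'url'],
  required: ['accountId', 'projectId', 'topic', 'url'],
};

// Turn Claude's flat args into a concrete request. Missing required fields
// and unknown arguments are rejected here, so a hallucinated parameter never
// reaches the upstream API.
function buildRequest(baseUrl, spec, args) {
  const known = new Set([...spec.pathParams, ...spec.queryParams, ...spec.bodyParams]);
  const missing = spec.required.filter((k) => args[k] === undefined || args[k] === '');
  if (missing.length) throw new Error(`missing required: ${missing.join(', ')}`);
  const unknown = Object.keys(args).filter((k) => !known.has(k));
  if (unknown.length) throw new Error(`unknown arguments: ${unknown.join(', ')}`);

  let path = spec.path;
  for (const p of spec.pathParams) {
    path = path.replace(`{${p}}`, encodeURIComponent(String(args[p])));
  }
  const url = new URL(path, baseUrl);
  for (const q of spec.queryParams) {
    if (args[q] !== undefined) url.searchParams.set(q, String(args[q]));
  }
  const body = {};
  for (const b of spec.bodyParams) {
    if (args[b] !== undefined) body[b] = args[b];
  }
  return {
    method: spec.method,
    url: url.toString(),
    body: spec.bodyParams.length ? JSON.stringify(body) : undefined,
  };
}

// Caller-side backoff from the normalized headers on a 429 response.
// ratelimit-reset is a delta in seconds in the IETF draft; the floor avoids
// a hot loop when it is 0 or absent, the cap stops an agent stalling for
// minutes. Non-429 responses need no wait.
function retryDelayMs(status, headers, { floorMs = 500, capMs = 30000 } = {}) {
  if (status !== 429) return 0;
  const reset = Number(headers['ratelimit-reset']);
  const resetMs = Number.isFinite(reset) ? reset * 1000 : floorMs;
  return Math.min(capMs, Math.max(floorMs, resetMs));
}
```

A caller wraps its fetch in a loop that sleeps for retryDelayMs(response.status, headers) and retries a bounded number of times; the server side only has to surface the 429 and its headers unchanged.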

How to Generate The Auth API MCP Server with Truto

Truto dynamically generates MCP tools based on the API documentation for a connected integration. The server URL contains a cryptographic token that securely links to a specific tenant's account.

You can create this MCP server in two ways: via the Truto UI or programmatically via the API.

Method 1: Generating via the Truto UI

For internal IT admins or developers testing workflows, the UI is the fastest method.

  1. Navigate to the Integrated Accounts page in your Truto dashboard.
  2. Select your connected The Auth API account.
  3. Click the MCP Servers tab.
  4. Click Create MCP Server.
  5. Select your desired security configuration (e.g., restrict to read-only methods or specify specific tool tags).
  6. Copy the generated MCP server URL (it will look like https://api.truto.one/mcp/a1b2c3...).

Method 2: Generating via the API

If you are building an application that provisions AI agents for your end-users, you can generate MCP servers programmatically.

Make a POST request to /integrated-account/:id/mcp. You must authenticate this request using your Truto API token.

// Example: Creating a scoped MCP server for The Auth API
const response = await fetch('https://api.truto.one/integrated-account/YOUR_ACCOUNT_ID/mcp', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_TRUTO_API_TOKEN',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    name: "The Auth API Security Auditor",
    config: {
      methods: ["read", "write"], // Filter operations
      require_api_token_auth: false
    },
    expires_at: "2026-12-31T23:59:59Z"
  })
});

const data = await response.json();
console.log(data.url); // The connection URL for Claude

How to Connect the MCP Server to Claude

Once you have your Truto MCP server URL, you must configure Claude Desktop to connect to it. You can do this through the Claude UI or via a configuration file.

Method 1: Via the Claude UI

Anthropic provides a native way to add custom connectors if your organization plan supports it.

  1. Open Claude Desktop or the web interface.
  2. Navigate to Settings -> Integrations (or Connectors).
  3. Click Add MCP Server.
  4. Paste the Truto MCP URL generated in the previous step.
  5. Click Add.

Claude will immediately perform the protocol handshake and send a tools/list request to discover all available operations for The Auth API.

Method 2: Via Manual Configuration File

If you are running Claude Desktop locally and need strict control over the connection transport, you can modify the claude_desktop_config.json file. Because Claude Desktop natively expects stdio communication for local servers, connecting to a remote HTTP endpoint requires an SSE (Server-Sent Events) bridge.

You can use the official MCP SSE client to proxy the connection:

{
  "mcpServers": {
    "the-auth-api-truto": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/YOUR_SECURE_TOKEN_HERE"
      ]
    }
  }
}

Restart Claude Desktop. The application will execute the bridge command and pull the tool definitions from Truto.

Hero Tools for The Auth API

Truto provides dozens of endpoints for The Auth API, mapped directly to their REST resources. To prevent context window exhaustion, you should only expose the highest-leverage tools to your LLM.

Here are the critical tools for automating identity and infrastructure workflows.

list_all_the_auth_api_access_keys

This tool retrieves all access keys associated with a specific account. It is the foundation for any security auditing or key rotation workflow. The LLM must pass the accountId to execute this successfully.

"Claude, pull a list of all active access keys for account ID req-9876. Format the output as a table showing the key snippet, the associated project ID, and whether it is currently active."

create_a_the_auth_api_webhook

Automating event infrastructure is tedious. This tool allows Claude to dynamically register new webhooks for specific projects and topics. It requires the accountId, projectId, and the target topic.

"We need to listen for user signup events. Provision a new webhook in The Auth API for project ID prj-123 under account acc-456. Set the topic to 'user.created' and point it to our internal staging ingestion endpoint."

update_a_the_auth_api_user_role_by_id

Managing Role-Based Access Control (RBAC) often requires navigating complex UIs. This tool lets Claude apply partial JSON patches to a user's role configuration based on their unique identifier.

"A developer is moving to the admin team. Take user ID usr-555 and update their role assignment to include the 'super_admin' privileges for the production environment."

list_all_the_auth_api_projects

Projects act as organizational boundaries within The Auth API. Before Claude can manage keys or webhooks, it often needs to discover the internal IDs of your existing projects using this tool.

"Query The Auth API for all projects under my main account. I need the internal ID for the project named 'Customer Portal v2' so we can rotate its API keys."

create_a_the_auth_api_api_key_rotate

Security best practices mandate frequent key rotation. Instead of manually invalidating and reissuing keys, this tool allows Claude to trigger the rotation endpoint for a specific key ID, ensuring continuous security compliance.

"The access key ID key-999 was flagged in a potential exposure event. Immediately trigger the rotation process for this key to invalidate the old token and generate a new one."

create_a_the_auth_api_invitation

Automating employee or contractor onboarding saves hours of administrative work. This tool dispatches an invitation to a target email, granting them access to a specific account and project.

"We have a new contractor joining the backend team. Generate an invitation in The Auth API for contractor@example.com, assigning them to the 'Backend Services' project with standard read access."

To view the complete inventory of available endpoints, parameter requirements, and JSON schemas, visit the The Auth API integration page.

Workflows in Action

Giving Claude individual tools is helpful, but the real power of MCP lies in chained workflows. Here is how Claude handles complex administrative requests by orchestrating multiple The Auth API endpoints.

Scenario 1: Auditing and Rotating Stale API Keys

Security teams frequently need to identify keys that have been active for too long and systematically replace them.

"Claude, find all active API keys in our 'Staging' project. If any key has been active for more than 90 days, rotate it immediately and give me a summary of the new key IDs."

  1. Discovery: Claude calls list_all_the_auth_api_projects (passing the root accountId) to find the ID for the "Staging" project.
  2. Auditing: Claude calls list_all_the_auth_api_api_keys, filtering the results by the projectId it just retrieved.
  3. Evaluation: The LLM inspects the JSON response, checking the creation dates or activity status of each returned key against the 90-day requirement.
  4. Execution: For every flagged key, Claude iteratively calls create_a_the_auth_api_api_key_rotate using the specific key id.
  5. Reporting: Claude formats the responses into a clear summary table for the user.

sequenceDiagram
    participant User as User Prompt
    participant Claude as Claude Desktop
    participant MCP as Truto MCP Server
    participant AuthAPI as The Auth API

    User->>Claude: "Rotate stale keys in Staging"
    Claude->>MCP: Call tools/call<br>(list_all_the_auth_api_projects)
    MCP->>AuthAPI: GET /projects?accountId=...
    AuthAPI-->>MCP: Returns project list
    MCP-->>Claude: JSON response
    Claude->>MCP: Call tools/call<br>(list_all_the_auth_api_api_keys)
    MCP->>AuthAPI: GET /api-keys?projectId=...
    AuthAPI-->>MCP: Returns key list
    MCP-->>Claude: JSON response
    Claude->>MCP: Call tools/call<br>(create_a_the_auth_api_api_key_rotate)
    MCP->>AuthAPI: POST /api-keys/{id}/rotate
    AuthAPI-->>MCP: 201 Created
    MCP-->>Claude: Success payload
    Claude-->>User: "Rotated 3 keys successfully."
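The orchestration steps above are Claude's to perform, but the rule that decides which keys to rotate and the exact tools/call messages it should emit can be written down and checked without a model in the loop. This added example (not from the post) does that for Scenario 1: the project and key field names and the rotate tool's argument names are assumptions, and the sample data is constructed.

```javascript
// Added example, not code from the post or from Truto. It pins down the
// deterministic part of Scenario 1: the 90-day rule and the ordered
// tools/call messages (JSON-RPC 2.0, as MCP uses) that the chain produces.
// Field names (id, name, projectId, active, createdAt) and the rotate tool's
// argument names are assumptions.

const DAY_MS = 86400000;

// Constructed sample data standing in for the list_all_the_auth_api_projects
// and list_all_the_auth_api_api_keys responses.
const sampleProjects = [
  { id: 'prj-100', name: 'Production' },
  { id: 'prj-200', name: 'Staging' },
];
const sampleKeys = [
  { id: 'key-1', projectId: 'prj-200', active: true, createdAt: '2025-09-01T00:00:00Z' },
  { id: 'key-2', projectId: 'prj-200', active: true, createdAt: '2025-12-20T00:00:00Z' },
  { id: 'key-3', projectId: 'prj-200', active: false, createdAt: '2025-01-01T00:00:00Z' },
  { id: 'key-4', projectId: 'prj-100', active: true, createdAt: '2025-01-01T00:00:00Z' },
];

// One MCP tools/call request envelope.
function toolCall(id, name, args) {
  return { jsonrpc: '2.0', id, method: 'tools/call', params: { name, arguments: args } };
}

// Active keys in the project whose creation date is older than maxAgeDays.
// Doing the date arithmetic here, not in the model, makes the audit
// reproducible and reviewable.
function staleKeys(keys, projectId, nowIso, maxAgeDays) {
  const cutoff = Date.parse(nowIso) - maxAgeDays * DAY_MS;
  return keys.filter(
    (k) => k.active && k.projectId === projectId && Date.parse(k.createdAt) < cutoff,
  );
}

// Build the ordered tools/call sequence for the scenario: discover the
// project, list its keys, then one rotate call per stale key.
function planRotation({ accountId, projectName, projects, keys, nowIso, maxAgeDays = 90 }) {
  const project = projects.find((p) => p.name === projectName);
  if (!project) throw new Error(`no project named ${projectName}`);
  const calls = [
    toolCall(1, 'list_all_the_auth_api_projects', { accountId }),
    toolCall(2, 'list_all_the_auth_api_api_keys', { accountId, projectId: project.id }),
  ];
  let nextId = 3;
  const rotated = [];
  for (const k of staleKeys(keys, project.id, nowIso, maxAgeDays)) {
    calls.push(toolCall(nextId++, 'create_a_the_auth_api_api_key_rotate', { accountId, id: k.id }));
    rotated.push(k.id);
  }
  return { projectId: project.id, rotated, calls };
}

// Sample run with the constructed data; nowIso is fixed so the result is stable.
const samplePlan = planRotation({
  accountId: 'acc-456',
  projectName: 'Staging',
  projects: sampleProjects,
  keys: sampleKeys,
  nowIso: '2026-01-01T00:00:00Z',
});
```

The plan can be compared against the tool calls Claude actually made (the MCP client logs them), which is a practical way to review an agent's run before trusting it with a production account.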

Scenario 2: Provisioning a New Microservice Environment

When a development team spins up a new microservice, they need a dedicated project and an event listening layer.

"We are launching the 'Billing Sync' service. Create a new project for it in The Auth API, then immediately set up a webhook listening for 'payment.failed' topics pointing to our internal ingest URL."

  1. Project Creation: Claude calls create_a_the_auth_api_project using the root account ID and the name "Billing Sync".
  2. ID Extraction: Claude reads the resulting JSON payload and extracts the newly generated projectId.
  3. Webhook Provisioning: Claude calls create_a_the_auth_api_webhook, passing the accountId, the new projectId, the required topic ('payment.failed'), and the specified target URL.
  4. Confirmation: Claude outputs the final configuration details so the development team can update their environment variables.

Security and Access Control

Exposing your authentication infrastructure to an LLM introduces significant risk. If an agent hallucinates a destructive command, it could wipe out production API keys. Truto MCP servers include specific safeguards to enforce the principle of least privilege.

  • Method Filtering: You can explicitly block destructive operations. By configuring the MCP server with methods: ["read"], you guarantee the server will drop any create, update, or delete tool calls before they ever reach The Auth API.
  • Tag Filtering: If you only want the LLM to access webhook data, you can specify tags like config: { tags: ["webhooks"] }. Truto will filter out the documentation for keys, projects, and users, ensuring Claude does not even know those tools exist.
  • Token Expiration: You can set an expires_at timestamp when creating the MCP server. Once the timestamp passes, the server URL automatically invalidates, cutting off the LLM's access. This is ideal for granting a contractor temporary auditing capabilities.
  • Secondary Authentication: By default, the cryptographic MCP URL is the only credential needed. By enabling require_api_token_auth: true, you force the MCP client to also pass a valid Truto API token via the Authorization header, preventing unauthorized execution even if the URL leaks.
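Here is an added example (not Truto's code) that turns these four safeguards into a policy check run before the POST /integrated-account/:id/mcp request shown earlier is sent: write-capable servers must require the secondary API token and be tag-scoped, and every server must carry a future expires_at. The field names (name, config.methods, config.tags, config.require_api_token_auth, expires_at) are the ones on this page; the policy rules themselves, and the assumption that methods and tags can be combined in one config, are mine.

```javascript
// Added example, not Truto's code. Lints a proposed MCP server definition
// against a least-privilege policy before it is POSTed to Truto. Field
// names come from this page; the rules and the combination of methods and
// tags in one config are assumptions.

const ALLOWED_METHODS = new Set(['read', 'write']);

// Return the list of policy violations for a definition (empty = compliant).
function policyViolations(def, nowIso) {
  const problems = [];
  const config = def.config || {};
  const methods = config.methods || [];
  if (methods.length === 0) problems.push('methods must be listed explicitly');
  for (const m of methods) {
    if (!ALLOWED_METHODS.has(m)) problems.push(`unknown method filter: ${m}`);
  }
  if (!def.expires_at) {
    problems.push('expires_at is required');
  } else if (Date.parse(def.expires_at) <= Date.parse(nowIso)) {
    problems.push('expires_at is in the past');
  }
  const writeCapable = methods.includes('write');
  if (writeCapable && config.require_api_token_auth !== true) {
    problems.push('write-capable servers must set require_api_token_auth: true');
  }
  if (writeCapable && !(config.tags && config.tags.length)) {
    problems.push('write-capable servers must be scoped with tags');
  }
  return problems;
}

// Build a definition for a use case and refuse to return one that violates
// the policy. Secondary auth is switched on automatically whenever "write"
// is requested; ttlDays bounds the lifetime via expires_at.
function mcpServerDefinition({ name, methods, tags, ttlDays, nowIso }) {
  const expiresAt = new Date(Date.parse(nowIso) + ttlDays * 86400000).toISOString();
  const def = {
    name,
    config: {
      methods,
      tags,
      require_api_token_auth: methods.includes('write'),
    },
    expires_at: expiresAt,
  };
  const problems = policyViolations(def, nowIso);
  if (problems.length) throw new Error(problems.join('; '));
  return def;
}

// Constructed use cases: a contractor auditor (read-only, webhooks only,
// one week) and a scoped provisioning server (write, token-protected).
const contractorAuditor = mcpServerDefinition({
  name: 'Contractor webhook auditor',
  methods: ['read'],
  tags: ['webhooks'],
  ttlDays: 7,
  nowIso: '2026-01-01T00:00:00Z',
});
const webhookProvisioner = mcpServerDefinition({
  name: 'Webhook provisioner',
  methods: ['read', 'write'],
  tags: ['webhooks'],
  ttlDays: 1,
  nowIso: '2026-01-01T00:00:00Z',
});
```

The body returned by mcpServerDefinition is what goes into JSON.stringify in the earlier fetch call; the read-write example from that section (no tags, require_api_token_auth: false) is exactly the kind of definition this check rejects.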

Final Thoughts

Connecting The Auth API to Claude transforms your administration workflows. Instead of clicking through dashboards or writing single-use Python scripts to audit keys and provision webhooks, your engineering team can orchestrate infrastructure entirely through natural language.

Building this capability in-house requires managing strict relational data schemas, parsing nested JSON inputs, and handling rate limits without masking the underlying errors from the LLM. Truto removes this boilerplate, dynamically generating secure MCP tools directly from The Auth API's architecture.

FAQ

How does Truto handle The Auth API rate limits?

Truto does not retry, throttle, or apply backoff on rate limit errors. When The Auth API returns an HTTP 429, Truto passes that error directly to the caller, normalizing the upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The caller or LLM framework is responsible for retry and backoff.

Do I need to write custom JSON schemas for Claude?

No. Truto dynamically generates MCP-compatible tool definitions, including full query and body schemas, directly from The Auth API's underlying resource documentation.

Can I restrict which The Auth API endpoints Claude can access?

Yes. When creating the MCP server in Truto, you can use method filtering (e.g., read-only) or tag filtering to restrict the exact tools exposed to the LLM.

Does Claude need an additional API token to connect?

By default, the MCP server URL contains a cryptographic token for authentication. However, you can enforce the require_api_token_auth flag, which forces Claude to also pass a valid Truto API token in the Authorization header.
