
Connect Torii to Claude: Audit SaaS Usage, Contracts, and Workflows

Learn how to connect Torii to Claude using a Truto MCP server. Discover how to automate SaaS discovery, user access reviews, and contract management.

Uday Gajavalli · 9 min read

If you need to connect Torii to Claude to automate SaaS discovery, user access reviews, or contract management, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between Claude's tool calls and Torii's REST APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL. If your team uses ChatGPT, check out our guide on connecting Torii to ChatGPT or explore our broader architectural overview on connecting Torii to AI Agents.

Giving a Large Language Model (LLM) read and write access to your SaaS Management Platform (SMP) is an engineering challenge. You have to handle OAuth 2.0 token lifecycles, map Torii's specific data models to MCP tool definitions, and deal with highly variable rate limits across different endpoints. Every time Torii updates an endpoint or deprecates a field, you have to update your server code, redeploy, and test the integration.

This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Torii, connect it natively to Claude, and execute complex IT administration workflows using natural language.

The Engineering Reality of the Torii API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools over JSON-RPC, the reality of implementing it against Torii's APIs requires managing significant technical debt.

If you decide to build a custom MCP server for Torii, you own the entire API lifecycle. Here are the specific challenges you will face:

Endpoint-Specific Rate Limits

Torii does not enforce a single, global rate limit. Instead, quotas vary wildly depending on the specific resource you are calling. For example, fetching a single contract (get_single_torii_contract_by_id) allows up to 800 requests per minute. Creating an app (create_a_torii_app) is capped at 200 requests per minute. Fetching roles (list_all_torii_roles) is restricted to just 100 requests per minute.

This makes generic backoff strategies highly inefficient. If an AI agent attempts to iterate through a list of roles, it will hit a 429 Too Many Requests error much faster than if it were auditing contracts. Truto does not retry, throttle, or apply backoff on rate limit errors. When an upstream API returns HTTP 429, Truto passes that error to the caller and normalizes upstream rate limit info into standardized headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset) per the IETF spec. The AI agent (the caller) is responsible for reading these headers and executing appropriate retry/backoff logic.

Strict Data Formats and Nested Objects

Torii strictly enforces how certain data types are formatted. When creating or updating contracts, dates must be provided in valid ISOString format. Furthermore, currency data cannot be passed as top-level fields; it must be structured as specific nested objects. If you expose raw schema requirements to an LLM without strict JSON Schema definitions and clear parameter descriptions, the model will hallucinate payload structures and trigger 400 Bad Request errors. Truto automatically generates and enforces these schemas in the MCP tool definitions.

Cursor-Based Pagination for Audits

Extracting audit logs (list_all_torii_audit_logs) or workflow executions (list_all_torii_workflow_action_executions) requires traversing cursor-based pagination. If you pass raw Torii pagination tokens to an LLM, it often attempts to decode, modify, or increment them like integers. Truto normalizes this into a standard limit and next_cursor schema, explicitly instructing the LLM to pass cursor values back unchanged.
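As an added example (not Truto's or Torii's own code), here is the caller-side logic the rate-limit and pagination points above require: a loop that walks a Truto-normalised list tool page by page, passes next_cursor back untouched, and on HTTP 429 waits for the ratelimit-reset header rather than retrying blindly. The call() transport, the "result" body key and the list_all_torii_roles stand-in are assumptions constructed for the demo.

```python
import time

def fetch_all_pages(call, limit=100, sleep=time.sleep, max_attempts=5):
    """Walk a Truto-normalised list tool (limit / next_cursor). `call(params)`
    returns (http_status, headers, json_body); on 429, honour ratelimit-reset."""
    items, cursor = [], None
    while True:
        params = {"limit": limit}
        if cursor is not None:
            params["next_cursor"] = cursor  # opaque token, passed back unchanged
        for attempt in range(max_attempts):
            status, headers, body = call(params)
            if status != 429:
                break
            # ratelimit-reset = seconds until the window reopens; fall back to
            # exponential backoff if the header is absent.
            sleep(float(headers.get("ratelimit-reset", 2 ** attempt)))
        else:
            raise RuntimeError("still rate limited after %d attempts" % max_attempts)
        if status != 200:
            raise RuntimeError("tool call failed with HTTP %d" % status)
        items.extend(body.get("result", []))
        cursor = body.get("next_cursor")
        if not cursor:
            return items

def make_fake_roles_tool(pages, quota):
    """Constructed stand-in for list_all_torii_roles: one page per call,
    HTTP 429 once `quota` calls have been spent in the current window."""
    state = {"calls": 0, "used": 0}
    def call(params):
        state["calls"] += 1
        if state["used"] >= quota:
            state["used"] = 0  # the caller's wait lets the window reset
            return 429, {"ratelimit-limit": str(quota), "ratelimit-remaining": "0",
                         "ratelimit-reset": "1"}, {}
        state["used"] += 1
        idx = int(params["next_cursor"][1:]) if params.get("next_cursor") else 0
        nxt = "c%d" % (idx + 1) if idx + 1 < len(pages) else None
        headers = {"ratelimit-remaining": str(quota - state["used"])}
        return 200, headers, {"result": pages[idx], "next_cursor": nxt}
    return call, state

def demo():
    """Four roles over three pages with a quota of two calls per window."""
    pages = [[{"id": "r1"}, {"id": "r2"}], [{"id": "r3"}], [{"id": "r4"}]]
    call, state = make_fake_roles_tool(pages, quota=2)
    waits = []
    roles = fetch_all_pages(call, limit=2, sleep=waits.append)
    return [r["id"] for r in roles], state["calls"], waits
```

The third call is rejected with 429, the loop sleeps for the one second the header announces, and the fourth call completes the walk.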

How to Generate a Torii MCP Server with Truto

Truto dynamically generates MCP tools from Torii's API documentation and your connected tenant. The tools are not hardcoded - they are built at runtime based on the actual endpoints and configurations available to your integrated account.

You can generate the MCP server URL in two ways.

Method 1: Via the Truto UI

This is the fastest method for internal IT teams and developers setting up local environments.

  1. Log into your Truto dashboard and navigate to the integrated account page for your Torii connection.
  2. Click the MCP Servers tab.
  3. Click Create MCP Server.
  4. Configure your server settings (assign a name, select allowed methods like read or write, add resource tags, or set an expiration date).
  5. Copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4e5f6...).

Method 2: Via the Truto API

For production deployments, multi-tenant AI products, or automated infrastructure provisioning, you can generate MCP servers programmatically.

Make a POST request to /integrated-account/:id/mcp. You can pass a configuration object to strictly limit what the LLM can do.

curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Torii Security Auditor MCP",
    "config": {
      "methods": ["read"],
      "tags": ["audit", "users"]
    }
  }'

The API returns a secure, unique URL containing a cryptographic token. This URL is completely self-contained - it routes the JSON-RPC traffic, handles Torii authentication, and enforces the configuration rules you defined.

Connecting the Torii MCP Server to Claude

Once you have the MCP server URL, you need to connect it to your LLM client.

Method A: Via the UI (Claude Desktop or ChatGPT)

If you are using Claude Desktop:

  1. Open Settings -> Integrations.
  2. Click Add MCP Server.
  3. Paste the Truto MCP URL into the connection field and save.

If your team uses ChatGPT (requires Developer Mode on Pro/Enterprise plans):

  1. Go to Settings -> Apps -> Advanced settings.
  2. Enable Developer Mode.
  3. Under MCP servers / Custom connectors, click Add new.
  4. Name the server "Torii" and paste the URL.

Method B: Via the Claude Desktop Config File

If you are managing your Claude Desktop environment programmatically, you can add the server directly to your claude_desktop_config.json file using the Server-Sent Events (SSE) transport.

{
  "mcpServers": {
    "torii-admin": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/a1b2c3d4e5f6..."
      ]
    }
  }
}

Restart Claude Desktop. The model will send an initialize request to the server, and Truto will return the available Torii tools.

Hero Tools for Torii Administration

Truto exposes Torii's API as discrete, highly-typed MCP tools. Here are the highest-leverage tools for automating SaaS management.

list_all_torii_users

Retrieves a complete list of users in your Torii tenant. This tool returns essential fields such as id, email, lifecycleStatus, isDeletedInIdentitySources, and activeAppsCount. It is the foundation for any identity auditing or offboarding workflow.

"Fetch a list of all Torii users and find anyone who has an active lifecycle status but is flagged as deleted in our identity sources."

list_all_torii_apps

Lists all applications detected or managed within the organization. The response includes the app id, name, state, category, and primaryOwner. Use this tool to discover Shadow IT or assign owners to newly discovered software.

"List all active applications in Torii that do not currently have a primary owner assigned. Group them by category."

list_all_torii_contracts

Retrieves active SaaS contracts managed within the organization. This tool returns an array of contracts including id, name, status, and monetary values in the contract's native currency.

"Review our Torii contracts and list any that are currently in an 'active' status. Summarize their names and associated app IDs."

update_a_torii_user_by_id

Updates a specific user's record in Torii. This is primarily used to alter the lifecycleStatus of an employee during onboarding or offboarding procedures, ensuring their state in Torii matches your HRIS or Identity Provider.

"Update the Torii user with ID 'usr_98765'. Change their lifecycle status to 'offboarded'."

list_all_torii_audit_logs

Retrieves admin audit logs sorted by creation time in descending order. The response includes performedByEmail, type, requestDetails, and properties. This tool is essential for compliance checks and investigating administrative actions.

"Pull the most recent Torii audit logs and filter for any actions related to modifying contract amounts or statuses. Who performed the changes?"

create_a_torii_contract

Logs a new SaaS contract into Torii. Requires name, idApp, and status in the request body. Dates must be passed as ISOStrings, and currency values must be formatted according to Torii's nested object rules.

"Create a new contract in Torii for 'Figma Enterprise'. Set the status to active, link it to app ID 'app_123', and set the start date to today in ISOString format."

To view the complete schemas, required fields, and the full list of available Torii endpoints, refer to the Torii integration page.

Workflows in Action

By chaining these tools together, Claude can execute complex, multi-step IT and procurement workflows autonomously.

Scenario 1: Automated Offboarding Audit

The Problem: IT needs to ensure that when an employee leaves, their Torii user profile is correctly updated and they no longer have access to critical applications.

"Audit the user 'alex.chen@company.com'. Check their lifecycle status in Torii. If they are marked as deleted in our identity provider but their Torii status is still active, update their Torii status to 'offboarded'. Then, list any applications they still have active access to."

How the agent executes this:

  1. Calls list_all_torii_users filtering by the email alex.chen@company.com to retrieve the user ID, lifecycleStatus, and isDeletedInIdentitySources.
  2. Observes that the user is deleted in the IdP but active in Torii.
  3. Calls update_a_torii_user_by_id using the retrieved user ID, passing lifecycleStatus: "offboarded" in the body schema.
  4. Calls list_all_torii_user_applications using the user ID to fetch any apps where isUserRemovedFromApp is still false.

The result: The agent standardizes the employee's state in the SMP and outputs a concise list of SaaS apps that IT still needs to manually de-provision.

Scenario 2: Shadow IT and App Categorization Recon

The Problem: Procurement and Security teams need to identify unsanctioned applications that have crept into the environment and lack proper ownership.

"Run a scan of all Torii apps. Find any app categorized as 'File Sharing' or 'Cloud Storage' that is in an active state but does not have a primary owner. For each app found, check if we have any active Torii contracts associated with them."

How the agent executes this:

  1. Calls list_all_torii_apps and parses the response array.
  2. Filters the JSON output internally for apps where category matches file sharing/storage, state is active, and primaryOwner is null.
  3. Extracts the id values for the matching unowned applications.
  4. Calls list_all_torii_contracts to retrieve the organization's contracts.
  5. Cross-references the idApp field in the contracts array against the unowned app IDs.

The result: The agent provides the Security team with a specific list of unowned, unsanctioned storage apps, while simultaneously alerting Procurement to any active financial contracts tied to that Shadow IT.
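To make the two scenarios concrete, here is an added example (not code from Truto, Torii or the article) that runs the read-only checks of both over constructed sample records. The field names are the ones the article lists for each tool; the ids, app names, e-mail addresses and the "closed" state value are made up, and the status update in Scenario 1 is deliberately left out so the block only reports what it finds.

```python
# Constructed sample records using the field names the Torii tools return;
# the ids, names, e-mail addresses and the "closed" state are made up.
USERS = [
    {"id": "usr_1", "email": "alex.chen@company.com", "lifecycleStatus": "active",
     "isDeletedInIdentitySources": True},
    {"id": "usr_2", "email": "sam.lee@company.com", "lifecycleStatus": "offboarded",
     "isDeletedInIdentitySources": True},
]
USER_APPS = {"usr_1": [{"idApp": "app_1", "isUserRemovedFromApp": False},
                       {"idApp": "app_2", "isUserRemovedFromApp": True}]}
APPS = [
    {"id": "app_1", "state": "active", "category": "File Sharing", "primaryOwner": None},
    {"id": "app_2", "state": "active", "category": "Cloud Storage",
     "primaryOwner": "it@company.com"},
    {"id": "app_3", "state": "closed", "category": "Cloud Storage", "primaryOwner": None},
]
CONTRACTS = [
    {"id": "ctr_1", "idApp": "app_1", "status": "active"},
    {"id": "ctr_2", "idApp": "app_2", "status": "active"},
]
STORAGE_CATEGORIES = {"file sharing", "cloud storage"}

def offboarding_mismatches(users):
    """Scenario 1, step 2: deleted in the IdP but still active in Torii."""
    return [u for u in users
            if u["lifecycleStatus"] == "active" and u["isDeletedInIdentitySources"]]

def lingering_access(user_id, user_apps):
    """Scenario 1, step 4: apps the user has not yet been removed from."""
    return [a["idApp"] for a in user_apps.get(user_id, []) if not a["isUserRemovedFromApp"]]

def unowned_storage_apps(apps):
    """Scenario 2, steps 2-3: active storage apps with no primary owner."""
    return [a["id"] for a in apps if a["state"] == "active"
            and a["primaryOwner"] is None and a["category"].lower() in STORAGE_CATEGORIES]

def contracts_for(app_ids, contracts):
    """Scenario 2, step 5: active contracts whose idApp is an unowned app."""
    wanted = set(app_ids)
    return [c["id"] for c in contracts if c["idApp"] in wanted and c["status"] == "active"]

def run_audit():
    """The read-only parts of both scenarios; the status update is left to IT."""
    flagged = offboarding_mismatches(USERS)
    shadow = unowned_storage_apps(APPS)
    return {"offboarding": {u["email"]: lingering_access(u["id"], USER_APPS) for u in flagged},
            "shadow_it": shadow, "shadow_contracts": contracts_for(shadow, CONTRACTS)}
```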

Security and Access Control

Giving an LLM direct access to a SaaS Management Platform like Torii requires strict security boundaries. Truto provides configuration settings on the MCP token to restrict agent capabilities at the infrastructure level.

  • Method Filtering: Prevent agents from accidentally deleting data or changing statuses by restricting the MCP server to specific HTTP methods. Passing config: { methods: ["read"] } during creation ensures the server only exposes get and list tools. The LLM simply will not see create, update, or delete tools.
  • Tag Filtering: Group tools by functional area using resource tags. If you only want an agent to access application catalogs and not user directories, you can filter the tools using config: { tags: ["apps", "contracts"] }.
  • Double Authentication: By setting require_api_token_auth: true, the generated MCP URL alone is not enough to execute tools. The caller must also pass a valid Truto API token in the Authorization header, preventing unauthorized access if the URL is leaked in logs.
  • Server Expiration: Use the expires_at parameter to generate short-lived MCP servers. If you are granting a temporary auditing agent access to Torii, set the server to expire after 24 hours. Once expired, Truto automatically deletes the server and its associated KV records.
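The four controls above can be checked before an MCP URL is ever handed to an agent. The following added example (not Truto's code) builds a least-privilege creation body and audits an arbitrary body for the weak settings; it assumes that require_api_token_auth and expires_at sit at the top level of the request body next to config, and that a missing methods key means every method is exposed.

```python
from datetime import datetime, timedelta, timezone

# Assumed body layout: config holds methods/tags; require_api_token_auth and
# expires_at are top-level keys. A missing methods key is treated as "all".
MAX_LIFETIME = timedelta(hours=24)

def hardened_config(tags, now=None):
    """Read-only, tag-scoped, double-authenticated, 24h-expiring server body."""
    now = now or datetime.now(timezone.utc)
    return {
        "name": "Torii Security Auditor MCP",
        "config": {"methods": ["read"], "tags": list(tags)},
        "require_api_token_auth": True,
        "expires_at": (now + MAX_LIFETIME).isoformat(),
    }

def audit_config(body, now=None):
    """Return the findings a reviewer would raise before issuing the URL."""
    now = now or datetime.now(timezone.utc)
    cfg = body.get("config", {})
    findings = []
    methods = cfg.get("methods")
    if not methods or any(m != "read" for m in methods):
        findings.append("write methods exposed: %s" % (methods or "all"))
    if not cfg.get("tags"):
        findings.append("no tag filter: every Torii tool is reachable")
    if not body.get("require_api_token_auth"):
        findings.append("URL alone grants access; require_api_token_auth is off")
    expires = body.get("expires_at")
    if expires is None:
        findings.append("no expires_at: server lives until manually deleted")
    else:
        # Accept both "+00:00" and "Z" suffixes when parsing the ISO datetime.
        ttl = datetime.fromisoformat(expires.replace("Z", "+00:00")) - now
        if ttl > MAX_LIFETIME:
            findings.append("expires_at is %.0f h out; cap temporary agents at 24 h"
                            % (ttl.total_seconds() / 3600))
    return findings
```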

The Smart Way to Automate IT Ops

Building a custom MCP server for Torii forces your engineering team to become experts in SaaS integration edge cases. You have to handle ISOString parsing, nested currency schemas, cursor-based pagination normalization, and highly specific rate limits (100 req/min vs 800 req/min).

Truto removes the integration boilerplate. By dynamically generating your MCP server from API documentation, Truto normalizes the protocol translation, enforces schemas automatically, and exposes clean headers for rate limit backoff. Your engineers can stop maintaining JSON-RPC endpoints and start writing prompts that actually orchestrate your SaaS ecosystem.

FAQ

How does Truto handle Torii's API rate limits?
Truto does not automatically retry or throttle requests. When Torii returns a 429 Too Many Requests error, Truto passes the error back to the caller (the AI agent) and normalizes the rate limit information into standard headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). The caller is responsible for implementing retry and backoff logic.
Can I restrict the Claude agent to read-only access in Torii?
Yes. When creating the MCP server via the Truto API or UI, you can pass a configuration object with `methods: ["read"]`. This ensures the MCP server only generates tools for GET and LIST endpoints, preventing the LLM from executing updates or deletions.
How do I deal with Torii's cursor-based pagination via MCP?
Truto automatically normalizes Torii's specific pagination patterns into standard `limit` and `next_cursor` schemas in the tool definition. The tool description explicitly instructs the LLM to pass the cursor values back exactly as received, preventing hallucinations.
Can I set an expiration date for the Torii MCP server?
Yes. You can provide an `expires_at` ISO datetime when generating the MCP server. Truto will automatically expire the token and clean up the server infrastructure once that time is reached, making it ideal for temporary audit agents.
