---
title: "Connect Zesty.io to Claude: Audit Instances and User Permissions"
slug: connect-zesty-io-to-claude-audit-instances-and-user-permissions
date: 2026-06-09
author: Uday Gajavalli
categories: ["AI & Agents"]
excerpt: "Learn how to connect Zesty.io to Claude using Truto. Step-by-step guide to tool calling, API quirks, and autonomous workflows."
canonical: https://truto.one/blog/connect-zesty-io-to-claude-audit-instances-and-user-permissions/
---

# Connect Zesty.io to Claude: Audit Instances and User Permissions


If you are managing an enterprise content infrastructure on Zesty.io, you know that tracking instances, auditing user roles, and controlling access across multiple domains is a highly manual process. If you need to connect Zesty.io to Claude to automate instance auditing, permission mapping, and workspace administration, you need a [Model Context Protocol (MCP) server](https://truto.one/what-is-model-context-protocol-mcp/). This server acts as the translation layer between Claude's tool calls and Zesty.io's REST APIs. You can either build and maintain this infrastructure yourself, or use a [managed integration platform](https://truto.one/what-is-a-managed-integration-platform-for-developers/) like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses ChatGPT, check out our guide on [connecting Zesty.io to ChatGPT](https://truto.one/connect-zesty-io-to-chatgpt-manage-instances-and-user-access/) or explore our broader architectural overview on [connecting Zesty.io to AI Agents](https://truto.one/connect-zesty-io-to-ai-agents-sync-instance-data-and-user-roles/).

Giving a Large Language Model (LLM) read and write access to a sprawling [headless CMS](https://truto.one/headless-cms-integration-guide/) ecosystem is an engineering challenge. You have to handle API key lifecycles, map massive JSON schemas to MCP tool definitions, and deal with Zesty.io's specific API design patterns. Every time you need a new endpoint mapped, you have to update your server code, redeploy, and test the integration. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Zesty.io, connect it natively to Claude, and execute complex audit workflows using natural language.

## The Engineering Reality of the Zesty.io API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against vendor APIs is painful. If you decide to build a custom MCP server for Zesty.io, you own the entire API lifecycle. Here are the specific challenges you will face with this particular platform:

**The ZUID Relational Graph**
Zesty.io relies heavily on ZUIDs (Zesty Universal Identifiers) for data relationships. You do not simply fetch a user and see all their permissions globally. You have to query an instance ZUID, use that to query the instance users, and then map those users to specific role ZUIDs within that instance. Writing an integration to handle this relational graph requires extensive state management. If you expose raw endpoints to Claude without context, the model will hallucinate ZUID formats or attempt to pass user emails into parameters that strictly require alphanumeric ZUID strings.

**Deeply Nested Permission Models**
Role and permission management in Zesty.io is granular. When fetching user roles, the API returns deeply nested JSON objects detailing blueprint access, model permissions, and publishing rights. LLMs have finite context windows. Feeding unoptimized, heavily nested JSON schemas directly into Claude's tool context frequently results in token exhaustion or degraded reasoning capabilities. Truto automatically generates optimized schemas based on the integration's documentation, flattening the required inputs so Claude only sees exactly what it needs to execute the request.

**Strict Rate Limits and Header Management**
Headless CMS platforms are heavily trafficked, and Zesty.io enforces strict [rate limits](https://truto.one/api-rate-limiting-strategies-for-developers/) to protect its infrastructure. A common mistake engineers make when building custom MCP servers is attempting to absorb or silently retry these rate limits on behalf of the AI. Truto takes a deterministic approach: it does not retry, throttle, or apply backoff on rate limit errors. When the upstream Zesty.io API returns an HTTP 429 Too Many Requests error, Truto passes that error directly to the caller. Truto normalizes the upstream rate limit information into standardized headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`) per the IETF specification. The caller - in this case, the Claude instance or the agent orchestration layer - is entirely responsible for reading these headers and executing its own backoff strategy. This prevents silent failures and allows the agent to reason about its current rate limits.
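The caller-side backoff described above could look like the following. This is an added example, not Truto's or Anthropic's code: `backoff_delay`, `call_with_backoff`, the default and cap values, and the sample responses are hypothetical, and it assumes `ratelimit-reset` carries the number of seconds until the window resets.

```python
import time

RATE_HEADERS = ("ratelimit-limit", "ratelimit-remaining", "ratelimit-reset")

def parse_rate_headers(headers):
    """Read the three normalized headers as ints; None when absent or malformed."""
    lower = {k.lower(): v for k, v in headers.items()}
    parsed = {}
    for name in RATE_HEADERS:
        try:
            parsed[name] = int(str(lower[name]).strip())
        except (KeyError, ValueError):
            parsed[name] = None
    return parsed

def backoff_delay(status, headers, default=5.0, cap=120.0):
    """Seconds to wait before the next call; 0.0 means proceed now."""
    info = parse_rate_headers(headers)
    reset, remaining = info["ratelimit-reset"], info["ratelimit-remaining"]
    if status == 429 or remaining == 0:
        # Assumption: ratelimit-reset is the number of seconds until the window resets.
        wait = float(reset) if reset is not None and reset >= 0 else default
        return min(wait, cap)
    return 0.0

def call_with_backoff(send, max_attempts=4, sleep=time.sleep):
    """send() -> (status, headers, body). Retry only on 429, waiting as the headers direct."""
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429 or attempt == max_attempts - 1:
            return status, body, waits
        waits.append(backoff_delay(status, headers))
        sleep(waits[-1])

# Constructed responses standing in for three consecutive tool calls.
SAMPLE_RESPONSES = [
    (429, {"RateLimit-Limit": "100", "RateLimit-Remaining": "0", "RateLimit-Reset": "7"}, None),
    (429, {"ratelimit-remaining": "0"}, None),  # reset header missing: use the default
    (200, {"ratelimit-remaining": "99", "ratelimit-reset": "60"}, {"data": []}),
]

def run_sample():
    replies = iter(SAMPLE_RESPONSES)
    return call_with_backoff(lambda: next(replies), sleep=lambda seconds: None)

if __name__ == "__main__":
    print(run_sample())
```

The cap keeps a malformed or very large reset value from stalling an audit run, and the bounded attempt count means a persistent 429 is surfaced to the operator rather than retried indefinitely.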

Instead of building all of this boilerplate from scratch, you can use Truto. Truto normalizes authentication and pagination, exposing Zesty.io's endpoints as ready-to-use MCP tools.

## How to Generate a Zesty.io MCP Server

Truto dynamically derives MCP tools from the integration's internal resource definitions and documentation records. A tool only appears in the MCP server if it has a corresponding documentation entry, ensuring that Claude only interacts with curated, well-described endpoints. 

You can generate an MCP server for Zesty.io in two ways: via the Truto UI or programmatically via the API.

### Method 1: Creating the MCP Server via the Truto UI

For ad-hoc audits and individual agent deployments, the UI is the fastest path to a working server.

1. Log into your Truto account and navigate to the integrated account page for your connected Zesty.io instance.
2. Click the **MCP Servers** tab.
3. Click the **Create MCP Server** button.
4. Configure the server parameters. You can name it "Zesty.io Audit Server" and apply filters if you only want read-only access.
5. Click Save. The dashboard will immediately generate and display a unique MCP server URL. Copy this URL.

### Method 2: Creating the MCP Server via the API

For automated deployments or multi-tenant SaaS platforms embedding AI functionality, you can provision MCP servers programmatically.

Make a `POST` request to `/integrated-account/:id/mcp`. The API validates that the integration has tools available, generates a secure token, and returns a ready-to-use URL.

```bash
curl -X POST https://api.truto.one/integrated-account/{integrated_account_id}/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Zesty.io Security Audit MCP",
    "config": {
      "methods": ["read"],
      "tags": ["instances", "users"]
    }
  }'
```

The response contains the MCP server URL, which embeds the generated token the MCP client uses to authenticate:

```json
{
  "id": "mcp_abc123",
  "name": "Zesty.io Security Audit MCP",
  "config": {
    "methods": ["read"],
    "tags": ["instances", "users"]
  },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890"
}
```

This URL is fully self-contained: it encodes the tenant routing and authentication details. Treat it as a credential, since by default anyone who holds the URL can connect.

## How to Connect Zesty.io to Claude

Once you have your Truto MCP URL, you need to register it with your Claude client. You can do this through the Claude Desktop UI or by editing the configuration file manually.

### Method A: Via the Claude Desktop UI

If you are using a version of Claude that supports visual connector management:

1. Open Claude Desktop.
2. Navigate to **Settings -> Integrations**.
3. Click **Add MCP Server** (or Custom Connector, depending on your tier).
4. Give the connector a name like "Zesty.io Production".
5. Paste the Truto MCP URL into the Server URL field.
6. Click **Add**. Claude will automatically ping the `initialize` endpoint, verify the connection, and load the available tools.

### Method B: Via the Manual Configuration File

For advanced users, headless environments, or strict CI/CD deployments, you can register the MCP server by modifying Claude's JSON configuration file. Because Truto MCP servers run remotely over HTTPS, you use the `@modelcontextprotocol/server-sse` package to bridge the standard MCP transport to the remote SSE endpoint.

Locate your `claude_desktop_config.json` file. On macOS, this is typically located at `~/Library/Application Support/Claude/claude_desktop_config.json`.

Add the following configuration, replacing the URL with your actual Truto MCP server URL:

```json
{
  "mcpServers": {
    "zesty_io_audit": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "--url",
        "https://api.truto.one/mcp/a1b2c3d4e5f67890"
      ]
    }
  }
}
```

Save the file and restart Claude Desktop. When the application launches, it will read the configuration, execute the command, and ingest the tool schemas. You can now prompt Claude to interact with your Zesty.io environment.

## Core Zesty.io MCP Tools for Claude

Truto exposes a comprehensive set of operations for Zesty.io. When Claude requests the tool list via the `tools/list` protocol method, Truto dynamically generates the definitions based on the integration schema. Here are the 5 hero tools you will use most frequently for auditing instances and mapping user permissions.

### list_all_zesty_io_instances

This tool retrieves a paginated list of all Zesty.io instances the authenticated service account has access to. It returns core metadata including the ZUID, name, domain, creation timestamps, and blueprint identifiers.

**Usage Notes:** This is almost always the starting point for any administrative workflow. Because most other API operations require an `instance_zuid`, Claude will use this tool to discover the correct identifiers before executing follow-up queries.

> "List all of the Zesty.io instances in our account and generate a markdown table showing the instance name, domain, and its ZUID."

### get_single_zesty_io_instance_by_id

Retrieves detailed metadata for a specific instance using its unique ZUID. It returns the instance's name and domain along with the `createdAt`, `updatedAt`, and `screenshotURL` fields.

**Usage Notes:** Use this when you already know the instance ZUID (or have retrieved it via a previous tool call) and need to verify the instance's current state or specific domain routing configurations without pulling the entire instance directory.

> "Fetch the details for the Zesty.io instance with ZUID '8-abcd1234-efgh' and tell me when it was last updated."

### list_all_zesty_io_instance_users

Retrieves all users provisioned within a specific instance. It requires the `instance_zuid` as an argument and returns each user's ZUID, email, firstName, lastName, role, and lifecycle timestamps.

**Usage Notes:** This tool is critical for basic access auditing. It allows the model to see exactly who is inside a given environment. The `limit` and `next_cursor` fields are handled cleanly by Truto, allowing Claude to iterate through large user bases if necessary.

> "Get the user list for the 'Marketing Website' instance (ZUID: 8-xyz-123). Extract all user emails ending in '@vendor-domain.com'."

### list_all_zesty_io_instance_users_with_roles

A deeper, more granular version of the standard user lookup. It requires the `instance_zuid` and returns each user's details including their ZUID, email, name, and their explicitly associated Role object containing its specific permissions and metadata.

**Usage Notes:** This is the ultimate tool for security audits. Instead of just seeing that a user exists, Claude can analyze the exact permissions attached to their role. If you are conducting a SOC 2 access review, this tool provides the exact evidence required.

> "List all users and their roles for the 'E-commerce Staging' instance. Identify any users who have the 'Admin' or 'Publisher' role attached to their profile."

### list_all_zesty_io_user_instances

This tool operates from the user perspective rather than the instance perspective. It accepts a `user_zuid` and returns a list of all instances that specific user has access to, including details like name, domain, and blueprintZUID.

**Usage Notes:** This is highly useful for offboarding analysis. Before you disable or delete a user from your identity provider, you can ask Claude to map out their entire blast radius across the Zesty.io ecosystem.

> "Check user ZUID '5-user987-abc'. List every Zesty.io instance they currently have access to, so we can prepare their offboarding ticket."

To view the complete inventory of available operations and exact schema definitions, visit the [Zesty.io integration page](https://truto.one/integrations/detail/zesty).

## Workflows in Action

Connecting tools to an LLM is only valuable if it solves real operational problems. Here is how IT administrators and DevOps teams actually use these tools in production environments.

### Scenario 1: Automated Security Audit for a Specific Instance

**The Problem:** Your compliance team needs a report showing exactly who has administrative access to the primary production website, and they need it formatted for an audit review.

**The Prompt:** 
> "Run a security audit on our 'Main Corporate Site' Zesty.io instance. First, find its ZUID. Then, fetch all users and their roles for that instance. Generate a markdown report listing only the users who hold 'Admin' or 'Owner' level roles, including their email addresses and role names."

**The Execution Flow:**
1. Claude calls `list_all_zesty_io_instances` to retrieve the directory.
2. Claude scans the response, matches "Main Corporate Site", and extracts its ZUID.
3. Claude calls `list_all_zesty_io_instance_users_with_roles`, passing the extracted ZUID as the argument.
4. Claude processes the nested JSON role data, filtering out standard authors and readers.
5. Claude outputs a clean markdown table containing only the high-privilege users, ready to be pasted into a Jira compliance ticket.

### Scenario 2: Offboarding Impact Analysis

**The Problem:** A senior developer is leaving the company. They have been involved in multiple projects over the years. Before IT disables their access, you need to know exactly which Zesty.io environments they are attached to.

**The Prompt:**
> "We are offboarding the developer with email 'alex.dev@company.com'. Find their ZUID by searching the 'Global Infrastructure' instance first. Once you have their ZUID, find every Zesty.io instance they are attached to and list the instance names and domains."

**The Execution Flow:**
1. Claude calls `list_all_zesty_io_instances` to find the "Global Infrastructure" ZUID.
2. Claude calls `list_all_zesty_io_instance_users` on that instance.
3. Claude parses the user array, finds "alex.dev@company.com", and extracts the user ZUID.
4. Claude calls `list_all_zesty_io_user_instances` using Alex's ZUID as the argument.
5. Claude formats the response, listing the exact projects (e.g., "Staging Server B", "Q3 Marketing Promo") that Alex still has access to.

## Security and Access Control

Exposing your headless CMS infrastructure to an AI model requires strict governance. Truto MCP servers are highly configurable, allowing you to lock down exactly what Claude can see and do.

*   **Method Filtering:** You can restrict the MCP server to specific operation types. By setting `config.methods` to `["read"]` during server creation, Truto will only expose `get` and `list` operations to Claude. Write and delete operations are not exposed, so the model cannot call them through this server.
*   **Tag Filtering:** You can organize tools by functional area using `config.tags`. For example, setting tags to `["instances", "users"]` ensures Claude can audit access but cannot touch unrelated resources like content models or webhooks.
*   **Require API Token Auth:** By default, anyone with the MCP URL can connect. For higher security, setting `require_api_token_auth: true` forces the client to also provide a valid Truto API token in the Authorization header. This adds a second authentication layer beyond URL possession.
*   **Server Expiration:** If you only need an agent to run a temporary audit, you can pass an ISO datetime to the `expires_at` field. Once the timestamp passes, the server self-destructs, eliminating stale credentials and reducing your attack surface.
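A check of these four controls against an MCP server record, as an added example that is not Truto's code: `audit_mcp_server`, the 30-day lifetime policy, and the hardened sample record are hypothetical, and where `require_api_token_auth` sits in the record is an assumption (the check accepts it at the top level or inside `config`).

```python
from datetime import datetime, timezone

def audit_mcp_server(record, now=None, max_lifetime_days=30):
    """Return findings for one MCP server record; an empty list means all four controls are set."""
    now = now or datetime.now(timezone.utc)
    config = record.get("config") or {}
    findings = []

    if set(config.get("methods") or []) != {"read"}:
        findings.append("methods: not restricted to read")
    if not config.get("tags"):
        findings.append("tags: no tag filter set")

    # Assumption: the flag may sit at the top level or inside "config".
    token_auth = record.get("require_api_token_auth", config.get("require_api_token_auth"))
    if token_auth is not True:
        findings.append("require_api_token_auth: possession of the URL alone grants access")

    expires_at = record.get("expires_at")
    if expires_at is None:
        findings.append("expires_at: server never expires")
    else:
        # Accept a trailing "Z" and treat naive timestamps as UTC.
        expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if (expiry - now).days > max_lifetime_days:
            findings.append(f"expires_at: lifetime exceeds {max_lifetime_days} days")
    return findings

# The creation response shown earlier on this page.
PAGE_RECORD = {
    "id": "mcp_abc123",
    "name": "Zesty.io Security Audit MCP",
    "config": {"methods": ["read"], "tags": ["instances", "users"]},
    "expires_at": None,
    "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890",
}
# Constructed record with all four controls applied.
HARDENED_RECORD = {
    "config": {"methods": ["read"], "tags": ["instances", "users"],
               "require_api_token_auth": True},
    "expires_at": "2026-06-16T00:00:00Z",
}
AUDIT_TIME = datetime(2026, 6, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_mcp_server(PAGE_RECORD, now=AUDIT_TIME))
```

Run against the page's own creation response, the check reports two gaps: no API token requirement and no expiry.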

## Stop Building Boilerplate

Building a custom integration between Zesty.io and Claude requires handling pagination edge-cases, maintaining OAuth tokens, flattening nested JSON schemas, and building your own backoff logic for rate limits. It is a maintenance burden that distracts engineering teams from building actual product features.

By generating a managed MCP server with Truto, you abstract away the API mechanics. You get a secure, filtered, and documented JSON-RPC endpoint that plugs directly into Claude or any compatible agent framework. Your AI agents get the exact data they need, and your engineering team gets their time back.

