# Ironclad Managed MCP Server


---
title: Ironclad Managed MCP Server
page-beta-text: This is a beta feature. Beta features are available for testing and feedback. They are not supported by Redpanda and should not be used in production environments.
page-beta: "true"
description: Read and manage contracts in Ironclad CLM. Per-user OAuth so each agent action runs as the calling end-user with their own Ironclad permissions.
page-topic-type: how-to
personas: agent_builder, platform_engineer
learning-objective-1: Configure the Ironclad managed MCP server with per-user OAuth
learning-objective-2: Pick the right region and scopes for your tenant
learning-objective-3: List, fetch, and launch contract workflows from an agent
page-git-created-date: "2026-05-28"
page-git-modified-date: "2026-06-10"
---


The **Ironclad** managed MCP server gives an LLM read and write access to [Ironclad](https://ironcladapp.com/), a contract lifecycle management (CLM) platform. It is useful for agents that need to find contracts, check signature status, launch new contracts from templates, or retrieve executed documents.

After reading this page, you will be able to:

-   Configure the Ironclad managed MCP server with per-user OAuth

-   Pick the right region and scopes for your tenant

-   List, fetch, and launch contract workflows from an agent


## What this MCP server does

The server authenticates with per-user OAuth 2.0 (Authorization Code grant). No static API key is stored in the MCP config; each user authorizes their own Ironclad account through AI Gateway’s OAuth flow.

It is **not** a replacement for the Ironclad web UI for complex workflow management or template authoring.

## Prerequisites

Before you create the server, make sure you have:

-   An Ironclad tenant where you can register an OAuth app.

-   An [OAuth Provider](https://docs.redpanda.com/agentic-data-plane/reference/glossary/#oauth-provider) configured in Redpanda ADP for Ironclad. See [Configure an OAuth Provider](https://docs.redpanda.com/agentic-data-plane/connect/oauth-providers/).

-   Familiarity with [User-delegated OAuth](https://docs.redpanda.com/agentic-data-plane/connect/user-delegated-oauth/).


## Get Ironclad credentials

Set up the OAuth app on Ironclad and the matching OAuth Provider in ADP:

1.  Log in to your Ironclad account and go to **Settings > API > OAuth Apps**.

2.  Create a new OAuth app. Set the redirect URI to your AI Gateway callback URL (typically `https://aigw.<cluster-id>.clusters.rdpa.co/oauth/v1/callback`).

3.  Select the following scopes:

    -   `public.workflows.readWorkflows`

    -   `public.workflows.readSchemas`

    -   `public.workflows.createWorkflows`

    -   `public.workflows.readDocuments`


4.  Copy the `Client ID` and `Client Secret`.

5.  In ADP, register an OAuth Provider with:

    -   **Authorization endpoint**: `https://na1.ironcladapp.com/oauth/authorize` (use `eu1` for EU-hosted accounts; `demo` for sandbox)

    -   **Token endpoint**: `https://na1.ironcladapp.com/oauth/token` (adjust region accordingly)

    -   The Client ID and a secret-store reference for the Client Secret



## Configure

Create a new Ironclad MCP server in ADP:

1.  Open **MCP Servers > Create Server**.

2.  Pick `Ironclad` from the marketplace picker.

3.  Fill in identity fields (`name`, `description`).

4.  In the Ironclad configuration form:

    | Field | Notes |
    | --- | --- |
    | `region` | `IRONCLAD_REGION_NA` (default), `IRONCLAD_REGION_EU` for EU-hosted accounts, or `IRONCLAD_REGION_DEMO` for sandbox testing. |
    | OAuth Provider | The Ironclad OAuth Provider you configured. |
    | Required scopes | `public.workflows.readWorkflows`, `public.workflows.readSchemas`, `public.workflows.createWorkflows`, `public.workflows.readDocuments`. |

5.  Click **Create**.


### Configure from the CLI

Ironclad authenticates per-user through the Ironclad OAuth Provider you configured. Reference that provider in the managed config’s `userOauth.providerName` field. Ironclad supports per-user OAuth only, so the `userOauth` block is required. The `--user-oauth-provider` and `--user-oauth-scopes` flags apply to remote (`--url`) servers only.

```bash
rpk ai mcp create --name my-ironclad --managed-config '{
  "@type": "type.googleapis.com/redpanda.mcps.ironclad.v1.IroncladMCPConfig",
  "region": "IRONCLAD_REGION_NA",
  "userOauth": {
    "providerName": "ironclad"
  }
}'
```

For EU-hosted accounts, use `"IRONCLAD_REGION_EU"`. For sandbox testing, use `"IRONCLAD_REGION_DEMO"`. `userOauth.providerName` is the resource name of the Ironclad OAuth Provider you registered.
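
The region value on the MCP server and the endpoints on the OAuth Provider are set in two different places, and both depend on where the tenant is hosted. The following Python check is an added example, not Redpanda or Ironclad code: it compares the region enum with the provider endpoints and the OAuth app's scopes with the four listed on this page. The `preflight` function and its arguments are hypothetical names, and the `eu1` and `demo` hosts are derived from the page's note on substituting the region prefix.

```python
from urllib.parse import urlsplit

# From this page: region enum -> Ironclad host, and the four scopes to select.
REGION_HOSTS = {
    "IRONCLAD_REGION_NA": "na1.ironcladapp.com",
    "IRONCLAD_REGION_EU": "eu1.ironcladapp.com",    # assumed from "use eu1"
    "IRONCLAD_REGION_DEMO": "demo.ironcladapp.com",  # assumed from "demo for sandbox"
}
REQUIRED_SCOPES = {
    "public.workflows.readWorkflows",
    "public.workflows.readSchemas",
    "public.workflows.createWorkflows",
    "public.workflows.readDocuments",
}
ENDPOINT_PATHS = {"authorization": "/oauth/authorize", "token": "/oauth/token"}


def preflight(region, authorization_url, token_url, app_scopes):
    """Return a list of findings; an empty list means the setup is consistent."""
    host = REGION_HOSTS.get(region)
    if host is None:
        return [f"unknown region {region!r}"]
    findings = []
    for kind, url in (("authorization", authorization_url), ("token", token_url)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{kind} endpoint is not https")
        # Exact host comparison: a wrong-region or look-alike host fails here.
        if parts.hostname != host:
            findings.append(f"{kind} endpoint host {parts.hostname!r} is not {host}")
        if parts.path != ENDPOINT_PATHS[kind]:
            findings.append(f"{kind} endpoint path should be {ENDPOINT_PATHS[kind]}")
    scopes = set(app_scopes)
    findings += [f"missing scope {s}" for s in sorted(REQUIRED_SCOPES - scopes)]
    # Scopes beyond this page's list widen what every consenting user delegates.
    findings += [f"extra scope {s} (not in this page's list)"
                 for s in sorted(scopes - REQUIRED_SCOPES)]
    return findings


# Constructed sample: EU region selected, authorization endpoint left on na1,
# and the OAuth app created without readDocuments.
SAMPLE = preflight(
    "IRONCLAD_REGION_EU",
    "https://na1.ironcladapp.com/oauth/authorize",
    "https://eu1.ironcladapp.com/oauth/token",
    REQUIRED_SCOPES - {"public.workflows.readDocuments"},
)

if __name__ == "__main__":
    print("\n".join(SAMPLE) or "ok")
```
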

## Tools

The Ironclad MCP exposes the following tools:

| Tool | Description |
| --- | --- |
| `list_workflows` | List contracts with optional `status` filter and `page`/`per_page` pagination. |
| `get_workflow` | Get full details of a contract by `workflow_id`. |
| `list_workflow_schemas` | List available contract templates with their field IDs. |
| `create_workflow` | Launch a new contract from a template (`schema_id` + `attributes_json`). |
| `list_workflow_documents` | List documents attached to a contract. |

### Example: Find all contracts awaiting signature

```bash
curl -X POST "https://aigw.<cluster-id>.clusters.rdpa.co/mcp/v1/my-ironclad" \
  -H "Authorization: Bearer <user-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {
      "name": "list_workflows",
      "arguments": {"status": "signing", "per_page": 10}
    }
  }'
```

## Troubleshooting

Common symptoms and fixes:

| Symptom | What to check |
| --- | --- |
| `OAuthConnectionRequired` | First call from a user with no stored token. The user completes Ironclad’s OAuth consent flow, the token lands in the vault, and subsequent calls reuse it. |
| `scope_upgrade_required` | Server’s `required_scopes` was extended after users had already consented. Users re-consent with the higher scope. |
| Wrong region results | Confirm the Region field matches your Ironclad tenant. EU-hosted accounts use `IRONCLAD_REGION_EU`; sandbox tenants use `IRONCLAD_REGION_DEMO`. |
| `schema_id` not found in `create_workflow` | Run `list_workflow_schemas` first to get valid IDs for your tenant. |

## Limitations

This page does not cover:

-   **Template authoring**: Define templates in the Ironclad web UI, then reference them by `schema_id`.

-   **eSignature flows**: Handled inside Ironclad; this MCP launches and reads workflow state.


## Next steps

-   [Configure an OAuth Provider](https://docs.redpanda.com/agentic-data-plane/connect/oauth-providers/)

-   [User-delegated OAuth](https://docs.redpanda.com/agentic-data-plane/connect/user-delegated-oauth/)

-   [Create an MCP Server](https://docs.redpanda.com/agentic-data-plane/connect/create-server/)