Agentic Data Plane
beta

Ironclad Managed MCP Server

The Ironclad managed MCP server gives an LLM read and write access to Ironclad, a contract lifecycle management (CLM) platform. Useful for agents that need to find contracts, check signature status, launch new contracts from templates, or retrieve executed documents.

After reading this page, you will be able to:

  • Configure the Ironclad managed MCP server with per-user OAuth

  • Pick the right region and scopes for your tenant

  • List, fetch, and launch contract workflows from an agent

What this MCP server does

Per-user OAuth 2.0 (Authorization Code grant). No static API key is stored in the MCP config; each user authorizes their own Ironclad account through AI Gateway’s OAuth flow.

It is not a replacement for the Ironclad web UI for complex workflow management or template authoring.

Prerequisites

Before you create the server, make sure you have:

Get Ironclad credentials

Set up the OAuth app on Ironclad and the matching OAuth Provider in ADP:

  1. Log in to your Ironclad account and go to Settings > API > OAuth Apps.

  2. Create a new OAuth app. Set the redirect URI to your AI Gateway callback URL (typically https://aigw.<cluster-id>.clusters.rdpa.co/oauth/v1/callback).

  3. Select the following scopes:

    • public.workflows.readWorkflows

    • public.workflows.readSchemas

    • public.workflows.createWorkflows

    • public.workflows.readDocuments

  4. Copy the Client ID and Client Secret.

  5. In ADP, register an OAuth Provider with:

    • Authorization endpoint: https://na1.ironcladapp.com/oauth/authorize (use eu1 for EU-hosted accounts; demo for sandbox)

    • Token endpoint: https://na1.ironcladapp.com/oauth/token (adjust region accordingly)

    • The Client ID and a secret-store reference for the Client Secret

Configure

Create a new Ironclad MCP server in ADP:

  1. Open MCP Servers > Create Server.

  2. Pick Ironclad from the marketplace picker.

  3. Fill in identity fields (name, description).

  4. In the Ironclad configuration form:

    Field Notes

    region

    IRONCLAD_REGION_NA (default), IRONCLAD_REGION_EU for EU-hosted accounts, or IRONCLAD_REGION_DEMO for sandbox testing.

    OAuth Provider

    The Ironclad OAuth Provider you configured.

    Required scopes

    public.workflows.readWorkflows, public.workflows.readSchemas, public.workflows.createWorkflows, public.workflows.readDocuments.

  5. Click Create.

Configure from the CLI

Ironclad authenticates per-user through the Ironclad OAuth Provider you configured. Reference that provider in the managed config’s userOauth.providerName field. Ironclad supports per-user OAuth only, so the userOauth block is required. The --user-oauth-provider and --user-oauth-scopes flags apply to remote (--url) servers only.

rpk ai mcp create --name my-ironclad --managed-config '{
  "@type": "type.googleapis.com/redpanda.mcps.ironclad.v1.IroncladMCPConfig",
  "region": "IRONCLAD_REGION_NA",
  "userOauth": {
    "providerName": "ironclad"
  }
}'

For EU-hosted accounts, use "IRONCLAD_REGION_EU". For sandbox testing, use "IRONCLAD_REGION_DEMO". userOauth.providerName is the resource name of the Ironclad OAuth Provider you registered.

Tools

The Ironclad MCP exposes the following tools:

Tool Description

list_workflows

List contracts with optional status filter and page/per_page pagination.

get_workflow

Get full details of a contract by workflow_id.

list_workflow_schemas

List available contract templates with their field IDs.

create_workflow

Launch a new contract from a template (schema_id + attributes_json).

list_workflow_documents

List documents attached to a contract.

Example: Find all contracts awaiting signature

curl -X POST https://aigw.<cluster-id>.clusters.rdpa.co/mcp/v1/my-ironclad \
  -H "Authorization: Bearer <user-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {
      "name": "list_workflows",
      "arguments": {"status": "signing", "per_page": 10}
    }
  }'

Troubleshooting

Common symptoms and fixes:

Symptom What to check

OAuthConnectionRequired

First call from a user with no stored token. The user completes Ironclad’s OAuth consent flow, the token lands in the vault, and subsequent calls reuse it.

scope_upgrade_required

Server’s required_scopes was extended after users had already consented. Users re-consent with the higher scope.

Wrong region results

Confirm the Region field matches your Ironclad tenant. EU-hosted accounts use IRONCLAD_REGION_EU; sandbox tenants use IRONCLAD_REGION_DEMO.

schema_id not found in create_workflow

Run list_workflow_schemas first to get valid IDs for your tenant.

Limitations

This page does not cover:

  • Template authoring: Define templates in the Ironclad web UI, then reference them by schema_id.

  • eSignature flows: Handled inside Ironclad; this MCP launches and reads workflow state.

Next steps