Skip to main content

Agent Integration

Legend Prime gives AI agents native access to DeFi operations — check portfolios, earn yield, swap tokens, transfer assets, and execute transactions — all through a local MCP server, remote MCP server, or CLI.

The Agent Journey

Step by step

  1. Sign up at prime.legend.xyz — create your Prime Account via Google SSO
  2. Connect the local MCP server (claude mcp add legend -- legend-cli mcp serve), then run legend-cli login to authenticate
  3. Create an account using the create_account tool with keygen — it generates a P256 signing key (stored in Secure Enclave on macOS) and creates a sub-account with that key
  4. Use tools — the agent calls MCP tools to read portfolios, create plans, and execute transactions
  5. Execute in one shotplan_and_execute creates, signs, and executes a plan in a single tool call. The key never leaves your machine.

Three Integration Paths

The legend-cli mcp serve command runs a local MCP server via stdio. It exposes the same tools as the remote server, plus local-only tools for signing and one-shot execution. This is the recommended path for agents that need to execute transactions.
What you getHow it works
All tools including signingplan_and_execute creates, signs, and executes in one call
No separate CLI stepAgent never needs to shell out to Bash for signing
P256 keys in Secure EnclaveKeys never leave your hardware
claude mcp add legend -- legend-cli mcp serve

Remote MCP Server (for read-only or shared access)

The remote MCP server at https://prime-api.legend.xyz/mcp exposes tools that agents call natively. Works with Claude Code, Cursor, OpenAI Responses API, and any MCP-compatible host. Best for read-only operations or when a shared team server is preferred.
What you getHow it works
Native tools in the agent’s paletteget_portfolio, create_earn_plan, list_accounts, etc.
Structured JSON in/outNo HTTP, no curl, no parsing
OAuth or query key authAuthenticate once, tools just work
claude mcp add --transport http legend-remote https://prime-api.legend.xyz/mcp
The remote MCP server does not have access to your local P256 key. To execute plans via the remote server, the agent must separately invoke the CLI via Bash to sign digests. The local MCP server eliminates this extra step.

CLI (for signing + scripting)

The legend-cli binary handles key management, signing, and direct API access. Useful for scripting, CI/CD pipelines, and manual operations. 
# Generate a P256 key and create an account in one step
legend-cli accounts create --keygen

# Sign a plan digest
legend-cli sign 0xabc123...

# Create, sign, and execute in one step
legend-cli plan earn acc_xxx --amount 1000000 --asset USDC --network base --protocol compound --execute

# Or use it for any API operation
legend-cli folio acc_xxx --json
The CLI stores P256 keys in the Secure Enclave on macOS (non-exportable, hardware-protected). On other platforms, keys are stored on disk.

Authentication

MethodBest forHow
OAuth (Google SSO)CLI, Local MCPlegend-cli login — opens browser, saves JWT to profile
OAuth (browser flow)Remote MCP with Claude Code, Cursorclaude mcp add -> /mcp -> Authenticate in browser
Query KeyProgrammatic agents, CI/CDAuthorization: Bearer qk_... or legend-cli config set query-key qk_...
OAuth JWTs last 30 days. Both OAuth and query keys work with all integration paths.

Non-Custodial Design

Legend never holds signing keys. The security model:
  • Reading (portfolios, activities, reference data) — requires only API auth (query key or OAuth JWT)
  • Planning (create earn/swap/transfer plans) — same, just API auth. Plans are free previews.
  • Executing (moving funds) — requires a cryptographic signature from the account’s P256 key. The agent signs locally via the local MCP server or CLI. Legend verifies the signature but never has access to the key.

MCP Setup

Connect in 2 minutes

MCP Tools

Complete tool reference

CLI Reference

Full CLI command reference

Claude Code Guide

Full walkthrough

OpenAI / OpenClaw

OpenAI Responses API setup