Your AI Agent Can Now Trade Your Money — What Alpaca's MCP Server v2 Actually Lets You Do

Two days ago, Alpaca shipped version 2 of its MCP Server — a small release on the surface with a disturbingly large implication underneath: your AI assistant can now place real trades in a real brokerage account, in plain English.

Not "surface a recommendation you then execute manually." Not "generate Python code you then run yourself." Actual orders, routed to Alpaca's live trading engine, through a conversation.

If you've been watching the agentic-AI space suspecting that "agent" still mostly means "chatbot that reads one extra API," this is where the line moves. Alpaca's MCP Server is the first production-grade example of an LLM being handed a fully-armed trading desk — research, portfolio analysis, option-chain exploration, and execution — all through the same natural-language interface you're already using in Claude, Cursor, ChatGPT, and VS Code.

That is a meaningful moment, and it's worth a clear-eyed look at what just shipped, what it actually does, and where the guardrails have to come from (spoiler: you put most of them there yourself).

What v2 actually changed

Alpaca launched the original MCP Server in November 2025. It worked, but it was hand-built — 43 manually coded functions that had to be patched every time Alpaca's underlying API moved. Verbose, brittle, and a maintenance tax that was eventually going to slow the whole project down.

Version 2 is a complete rewrite on FastMCP and OpenAPI. The server now generates its tools dynamically from Alpaca's OpenAPI specification at startup, which means two things: it stays current automatically whenever the Alpaca API changes, and the available surface area just jumped from 43 tools to 61 distinct actions (Crowdfund Insider's count) — around a 42% increase. The GitHub README lists roughly 70+ tools across nine capability groups, depending on how you slice "distinct action."

The distinction matters less than the *kind* of new capabilities. Order replacements, comprehensive option-chain exploration, market screening, detailed account activity logs — exactly the operations you'd want if you're building anything that looks like an agent rather than a one-shot trader.

One caveat Alpaca is upfront about: v2 is not backward compatible with v1. Tool names, parameters, and schemas have all changed. If you built anything on the November release, you rewrite. The upgrade guide is serviceable, but the message is unambiguous — treat this as a new product.

One operational win worth calling out: v2 dumps the old `.env` + `init` dance in favour of a single config block in your MCP client. Credentials live in one place. Fewer chances to leak them into a commit.

What you can actually do today, in plain English

The easiest way to understand the shift is to see the prompts. These come directly from Alpaca's documentation and from my own testing this week:

• *"What's my current account balance and buying power on Alpaca?"*
• *"Show me AAPL's daily price history for the last 5 trading days."*
• *"Analyse NVDA news and corporate announcements this month, summarise P&L, and allocate 2% of my buying power to shares."*
• *"Place a bull call spread using AAPL June 6th options."*
• *"Get all corporate actions for SPY including dividends and splits."*

The second-to-last one is where it gets real. A bull call spread is a multi-leg options strategy — you buy one call and sell another at a higher strike, same expiration, to cap the upside in exchange for a lower cost basis. In traditional API land you'd write code that constructs both legs, checks the option chain for valid strikes, calculates the net debit, and submits the combined order. In v2, you can say "bull call spread on AAPL June 6th" and the LLM handles leg construction, chain lookup, and submission.

That's not a small UX improvement. It's the difference between "the API is available to technical users" and "the API is available to anyone who can describe what they want." Those two audiences behave very differently, and the distinction is the whole point.

Why this isn't a gimmick

The easy critique here is: "so you wired ChatGPT to a brokerage — so what, you could already do this with Zapier and a bit of glue."

Two reasons that misses the point.

First, research and execution live in one loop. The MCP Server doesn't just submit orders. It gives the LLM structured, real-time access to market data, news, option Greeks, portfolio state, and activity logs — alongside the ability to act on what it reads. You can prompt an analysis, get a thesis, ask for the trade that matches the thesis, and submit it, without ever leaving the conversation. That's a qualitatively different workflow from "bot that fires an order when a rule triggers."

Second, the tool discovery is the product. FastMCP exposes the entire tool surface to the LLM as a schema. The model *knows* it can screen the market by fundamentals, pull an option chain, check the corporate-actions calendar. A human builder doesn't have to pick the right API call — they describe the intent and the model selects the tool. That pattern generalises far beyond trading, but Alpaca is the first serious financial infrastructure company to ship it end-to-end.

The combination — structured tool access, reliable schemas, a reasoning model in the loop — is what "agentic finance" was always supposed to look like once the hype cycle caught up with the substance. With v2, it actually does.

The three things that should make you uncomfortable

None of this is safe by default. Three risks worth being honest about.

1. LLMs hallucinate, and tickers don't forgive typos.

An LLM confidently telling you it just bought "TSAL" when you meant "TSLA" is not a joke. Paper trading exists for a reason, and the reason is that language models still occasionally confabulate symbols, strike prices, and expiration dates. Alpaca's default configuration is paper trading; that is the right default, and most people should stay in it longer than they think.

Before you wire real money in, you want: (a) a pre-flight step that echoes the parsed order back to you before submission, (b) hard limits on position size per order and per day, and (c) a human checkpoint for anything above a small threshold. The MCP Server surfaces the inputs, parameters, and results at every step — Alpaca's phrasing is "full visibility at every step" — but *you* are the one reading them. If you're not, you're running a bot with delusions.

2. Who's liable when the LLM is wrong?

The regulatory posture on LLM-executed trades is charitably described as "emerging." Alpaca, as the broker, is not liable for the prompt you gave the model. The model vendor (Anthropic, OpenAI, Google) explicitly disclaims financial advice. That leaves you, the prompter, holding the risk — both financial and regulatory.

For individual hobbyists trading their own money, this is manageable: you clicked "yes" on the config. For fintechs building on top of Alpaca's Broker API and exposing agentic flows to their own customers, it's a major product-safety question. "The AI said so" is not an audit trail. Anyone productising this for end-users needs a logged, replayable trail of the prompt, the tool call, the response, and the executed order. That infrastructure doesn't come with the MCP Server. You build it.

3. Tool permissions aren't fine-grained by default.

Out of the box, an MCP client with Alpaca credentials has access to every tool the server exposes. That's fine for paper trading. For live accounts, it's an argument for the new `ALPACA_TOOLSETS` environment variable, which lets you restrict which tools the LLM can even see.

The conservative default for anyone touching a live account: read-only tools for research, no execution tools, and a separate, deliberately awkward channel for actual orders. If your AI assistant can suddenly buy 400 shares on a whim, the problem isn't the AI — it's the permission model you set up.

Setup, without risking real money

If you want to try this in the next ten minutes without losing any: the flow is straightforward.

1. Create a free Alpaca account. Paper trading is free, unlimited, and mirrors the real API. You get $100k of fake money. Live retail accounts are US-only; UK-based readers can use paper trading today, but going live requires either a US entity or running on a partner that uses Alpaca's Broker API underneath.

2. Install Python 3.10+ and the `uv` package manager. Clone the official repo (`alpacahq/alpaca-mcp-server`) and follow the README. Setup in v2 is a config-block-and-done affair.

3. Add the MCP server to your client's config — Claude Desktop, Cursor, VS Code, PyCharm, Claude Code, or Gemini CLI all work. Credentials go in the config, not a `.env` file.

4. Confirm your account type before the first prompt. Both Alpaca's docs and I will tell you: the single most important check is that your API keys point to the paper environment, not live. Label them in your password manager. Colour-code them in your terminal. This is the one thing where being paranoid is the correct posture.

5. Use it. Ask the model to describe your positions. Ask it to screen for something. Once you're confident, submit a paper order. Watch the dashboard update. Notice whether the model got what it said it got.

The `ALPACA_TOOLSETS` filter is worth configuring even in paper mode, because it builds the habit. Start read-only. Add execution later only where you want it.

Who should actually care

Three audiences are getting real value from v2 today. A fourth is getting seduced.

Quant developers and algorithmic traders. This is the headline audience. The research-to-execution loop in natural language is a step-change in iteration speed. You can prototype a strategy conversationally, sanity-check it on historical data via the MCP Server's stock-data tools, and move it to automated execution only when you're sure. The workflow replaces a lot of Jupyter notebook glue.

Fintechs and neo-brokers built on Alpaca's Broker API. If you're already running an Alpaca-backed brokerage product, the MCP Server is how you retrofit a serious AI experience without rebuilding. Expose a curated toolset to your customers' AI assistants, keep execution on your own guarded path, and you've shipped "chat with your portfolio" in a weekend.

AI builders experimenting with agentic workflows. This is the second-order audience. Finance is one of the few domains where tools are structured, state is objective, and feedback is immediate — which makes it one of the best environments to study whether agents actually work. Alpaca's server is a gift to researchers trying to measure agent performance on something real.

Casual retail users looking to "chat with my brokerage." This is the seductive one. It will be fun. Most people should not do it with live money for a while. The tech is ahead of the literacy. If you've never paper-traded options before, don't let the LLM be the difference between you understanding the Greeks and you filing a confused loss on your self-assessment next January.

UK readers sit slightly awkwardly in this picture: Alpaca does not serve UK retail directly, so "live trading my own money" isn't on the menu. But paper trading is, and for the purposes of learning, building, and testing agentic workflows — which is genuinely what most of the interesting use cases look like right now — you don't need a live account. If you're a UK fintech, the Broker API + MCP combination is the most interesting thing in the category this quarter.

What this signals for the next 18 months

The pattern Alpaca is demonstrating — a well-structured API, an MCP layer on top, and AI clients treating the combination as a first-class tool — is going to repeat across finance, operations, healthcare, and any domain where the work is "read, reason, act."

Brokerages are the leading indicator because the work has always been API-shaped. Banking will follow; accounting platforms are already moving (watch QuickBooks, Xero, and the mid-market ERPs through the rest of the year). The companies that win the next phase won't be the ones that bolt a chatbot onto an existing dashboard — they'll be the ones that expose their full capability as structured tools to an AI client and trust the model to orchestrate.

Alpaca happens to have been building in that direction for years. MCP didn't rescue them; MCP unlocked the shape they already had. That's worth watching: the companies that are API-first by architecture are going to ship these experiences cleanly. The ones that need to retrofit will struggle, loudly.

And on the agent-safety question: if you've been dismissing "agentic AI" as marketing, v2 is a useful forcing function. An LLM given real credentials to a real brokerage is a concrete test case for permissions, logging, human-in-the-loop thresholds, and liability models. Solve those problems here and the solutions generalise. Fail to solve them and the next category of "AI agent controls real system" inherits the same bugs. The first wave of bad incidents in agentic finance will teach the industry what the guardrails actually need to look like — and the serious builders are going to learn from those publicly rather than the hard way.

Alpaca has built the infrastructure. The interesting work is now the rest of the stack — the permission layers, the audit trails, the regret systems, the human-in-the-loop patterns that make delegating to an AI safe enough to scale. Whoever builds those next is going to matter a lot.

If you want to try Alpaca with a safe sandbox: their page on our marketplace has the specifics, and the free paper-trading account takes about five minutes to set up. If you're curious which other tools are already exposing themselves to MCP clients, the marketplace is tagged up — look for anything in Developer Tools or Finance & Accounting with LangChain, Python, or Claude listed under integrations. The companies that are already there are the ones worth paying attention to as agentic workflows keep maturing this year.