MCP, explained for traders
The open standard behind agentic trading, in plain English: what your broker exposes to an agent, why it is safer than the old hacks, and where the hard limits sit.
In May 2026, Robinhood launched agentic trading: AI agents that can read your account and place orders for you, with your permission. Under the hood, the connection between the agent and the brokerage runs on something called MCP. If you have seen that acronym in every announcement about agentic trading and quietly nodded along, this post is the plain-English version. No code, just the mental model.
What MCP actually is
MCP stands for Model Context Protocol. It is an open standard, originally published by Anthropic and since adopted across the industry, that defines how an AI agent connects to external tools. Before MCP, every integration was a one-off: a custom bridge between one model and one service, rebuilt from scratch for the next pair. MCP replaces those one-offs with a common plug.
The standard has two sides. A server sits in front of a service and exposes a menu of tools, each with a name, a description, and a defined set of inputs and outputs. A client is the agent that reads that menu and calls the tools. The agent never touches the service's internal systems. It sees only the list of actions the server chose to offer, in a format it can parse reliably.
That division matters for everything that follows, so it is worth being precise about who is who. Your broker runs the MCP server. The agent software you run, for example Coil (coil.trade), is a client of that server. Coil does not ship an MCP server of its own; it reads the broker's menu the same way any compliant agent would.
What a broker's MCP server exposes
Robinhood's agentic trading works exactly this way: the brokerage publishes an MCP server, and an agent connects to it with your authorization. The menu is the broker's decision, but a trading MCP typically covers four things:
- Market data. Real-time quotes, historical prices, fundamentals, earnings dates.
- Account state. Current positions, balances, open orders, realized gains and losses.
- Order actions. Place an order, review it before submission, cancel it.
- Housekeeping. Watchlists, screens, and other organizational tools.
The key property is that all of this is structured. When the agent asks for positions, it gets clean fields it can act on, not a webpage it has to interpret. And anything not on the menu simply does not exist from the agent's point of view. If there is no tool for wiring money to an outside account, the agent cannot invent one. For the practical walkthrough of the Claude-plus-Robinhood setup, the guide to running an agent on Robinhood covers it step by step.
Why this beats scraping and pasted keys
Before broker-sanctioned MCP servers, software that traded a retail account had two bad options.
The first was screen-scraping: a bot drives a browser, reads page markup or pixels, and clicks buttons meant for humans. It is brittle in the way you would expect. A layout change breaks it, a slow page confuses it, and a misread number becomes a mis-sized order. It also usually violates the platform's terms, which means it can be cut off at any moment, possibly while holding positions.
The second was pasting credentials into scripts, through unofficial APIs or a login stored in plain text next to the code. Those credentials are all-or-nothing. Anything the account can do, the script can do, and anyone who gets the file can do too. No scoping, no approval step, no audit trail beyond whatever the script bothers to log.
An MCP connection fixes both failure modes at the root. Authorization goes through the broker's own login flow, so no password lives in a script. The agent gets scoped tools rather than raw account control. Results come back structured, so there is no pixel-reading step to silently go wrong. And because the broker built the server on purpose, both sides of the connection know it exists and can see what it did.
The safety layers on top
The protocol is the floor, not the whole safety story. In practice, agentic trading stacks several more layers on top of it.
Scoped permissions. The server only offers what the broker chose to expose, and the client side can narrow that further. Agent harnesses like Claude Code let you allowlist specific tools, so an agent can be permitted to read quotes and positions while every order call still requires a human yes.
Approval modes. You choose where the human sits. Fully manual, where the agent proposes and you confirm each order. Or bounded autonomy, where pre-agreed rules run without a prompt and anything outside them stops and asks. The right choice depends on how well-tested the rules are, which is worth being honest with yourself about.
Dedicated accounts. The simplest and most underrated layer: run the agent against a separate brokerage account funded only with the capital you intend it to manage. The blast radius is then a number you picked in advance.
Deliberate arming. Coil ships disarmed by default: it will scan and score, but turning on live orders is a manual human step, and the rules it trades once armed are documented at /how-it-works. Whatever software you use, off until a human says otherwise is the right default.
MCP secures the pipe, not the judgment. A clean, broker-sanctioned connection removes the mechanical failure modes: brittle scraping, leaked keys, misread pages. It does nothing to make a strategy good. An agent with a perfect connection and bad rules will lose money smoothly and reliably. Evaluate the rules first, the plumbing second.
What an agent still cannot do through it
Worth stating plainly, because the fear here is usually vaguer than the reality.
An agent cannot call tools that do not exist. If the broker's server has no tool for external transfers, account changes, or security settings, those actions are unreachable no matter what the agent decides to attempt. It cannot bypass broker-side checks either: buying-power limits, tradability restrictions, and market-hours rules are enforced by the broker, not negotiated with the client. And the connection grants no custody. Your money stays at your broker, in your name, the same as before, which is the core of the self-custody model for trading software.
What MCP does not protect you from is the market. Orders placed through the cleanest connection in the world can still lose money, and leveraged products can lose it quickly. The protocol answers whether an agent can talk to your broker safely. Whether the agent should be trading at all is a separate question, covered from a different angle in can Claude trade stocks.
FAQ
Is MCP only for trading?
No. MCP is a general standard for connecting AI agents to any external tool: databases, calendars, code repositories, and much else. Broker MCP servers are one application of it. The trading-specific parts, like order review steps and scoped account tools, are choices the broker makes on top of the standard.
Does Coil run its own MCP server?
No. Coil is an MCP client. It connects to the broker's server, in its case Robinhood's, reads the tools the broker exposes, and trades through them by rule. Nothing routes through Coil's infrastructure, and your credentials stay on your own machine.
Can an agent withdraw money from my account over MCP?
Only if the broker exposed a tool for that, and brokers have strong reasons not to. On a typical trading MCP the agent can read data and place orders inside the account, nothing more. Check the published tool list before authorizing any server, and treat that list as the full extent of what the agent can reach.
The client side, already built
Coil is an agent-native trading system that runs as an MCP client of your own broker: a scanner that scores the market's leaders, a dashboard, and a rule-following engine, installed on your machine and armed only by you. Trading involves risk and can lose money.
See how Coil works — $29 onceCoil is software you install and run yourself, with your own brokerage credentials and capital. It is not investment advice, not a managed account, and not a signal service. Markets can lose money, and leveraged ETFs can lose value rapidly, including total loss. Backtested research is not a promise of returns.