Finance MCP Directory + Security Grader
Security-graded catalog of finance MCP servers: Alpaca, Polygon, Databento, IBKR, Tradier, Tiingo, NautilusTrader. Scope, auth, grade. Browser-only. Free.
- Inputs: Filter / browse
- Runtime: Instant
- Privacy: Client-side · no upload
- API key: Not required
MCP servers tracked: 7
2 production-ready · 2 usable with audit · finance-domain only · refreshed 2026-04-20
7 servers, sorted by grade
Official Alpaca MCP server. Shipped April 2026 with 61 actions across equities, options, and crypto. Read + execute across the Alpaca brokerage API.
- Scope: full
- Auth: api-key
- Transport: stdio+http
- Idempotent: yes
- Schema quality: A
- License: MIT
- Last commit: 2026-04-15
Security notes
- API key has broad trading authority — store securely
- No scoping of key permissions in-server (rely on Alpaca dashboard key scopes)
- Idempotency key supported on order submission
Official Polygon.io MCP server. Read-only access to all Polygon equities, options, crypto, FX data endpoints.
- Scope: read-only
- Auth: api-key
- Transport: stdio+http
- Idempotent: no
- Schema quality: A
- License: Apache-2.0
- Last commit: 2026-04-10
Security notes
- Read-only scope — no trade execution surface
- API key required; safe to scope tightly
- No idempotency concern (no writes)
Community MCP wrapper around Interactive Brokers' TWS / IB Gateway. Requires running Gateway locally; auth via IBKR account.
- Scope: full
- Auth: bearer-token
- Transport: stdio
- Idempotent: yes
- Schema quality: B
- License: Apache-2.0
- Last commit: 2026-04-02
Security notes
- Requires TWS / Gateway running on the client machine
- IBKR token stored client-side — do not commit to repos
- Idempotency supported via client-supplied orderId
- Community project — audit before production trading
Community MCP wrapper for NautilusTrader — a Rust-based algo trading platform. Exposes backtesting + live-trading adapters to LLM agents.
- Scope: full
- Auth: api-key
- Transport: stdio
- Idempotent: yes
- Schema quality: B
- License: LGPL-3.0
- Last commit: 2026-04-18
Security notes
- LGPL license — review redistribution obligations if bundling
- Idempotency enforced by Nautilus core
- Local-only by default — exposes nothing to the network without configuration
Community-maintained Databento MCP server. Wraps historical + live data endpoints. Not endorsed by Databento; verify schemas against docs.
- Scope: read-only
- Auth: api-key
- Transport: stdio
- Idempotent: no
- Schema quality: B
- License: MIT
- Last commit: 2026-03-28
Security notes
- Unofficial — review schema fidelity before production use
- Does not rate-limit; relies on Databento's server-side meter
- Billing tracked via Databento meter — test runs cost money
Community Tiingo MCP. Read-only access to EOD equities, news API, fundamentals, crypto.
- Scope: read-only
- Auth: api-key
- Transport: stdio
- Idempotent: no
- Schema quality: B
- License: MIT
- Last commit: 2026-03-05
Security notes
- Read-only — no execution risk
- Does not expose API key in responses
Community Tradier brokerage MCP. Supports sandbox + live accounts, including options trading.
- Scope: full
- Auth: bearer-token
- Transport: http-stream
- Idempotent: no
- Schema quality: C
- License: MIT
- Last commit: 2026-02-14
Security notes
- No idempotency key — duplicate-submission risk on retry
- Sandbox + live on same server; verify account slug before every call
- Community maintained, audit activity gaps
About this directory
Grade = weighted composite of official-status, maintenance recency, schema quality, auth model, idempotency support (for execution servers), and license openness. Refreshed quarterly or when a notable change ships. See methodology for the exact scoring algorithm.
How to use
Step-by-step
1. Filter by scope (read-only vs. read-write) — read-write servers can place orders and need much more scrutiny.
2. Sort by security grade (A/B/C). Skip C-grade servers for production use.
3. Click into a server entry. Verify the listed manifest URL still resolves and the auth method matches your deployment.
4. Cross-check the security axes: scope clarity, authentication, idempotency, transport, audit logging. All five matter for production.
5. Test in paper mode first. Even an A-grade server can have edge-case bugs that surface only at integration time.
For agents
Use in an agent
Same math, same result shape as the UI above — as a static ES module. No HTTP request, no auth, no rate limit.
import { compute } from "https://aifinhub.io/engines/finance-mcp-directory.js";
Contract: /contracts/finance-mcp-directory.json
Questions people ask next
FAQ
How are MCP servers security-graded?
Each entry is rated on five axes documented on the methodology page: scope clarity (does the manifest enumerate exactly which resources/tools are exposed?), authentication (API key / OAuth / unauthenticated), idempotency (does the server reject duplicate trade requests?), transport security (HTTPS-only enforced?), and audit logging (does the server emit structured logs?). Each axis is graded A/B/C with criteria written out.
Why isn't every broker MCP server listed?
The directory only includes MCP servers that are publicly documented and actively maintained as of the asOfDate. Closed-beta and corporate-only servers are excluded. If you publish an MCP server and want it reviewed, the methodology page includes the submission criteria.
Are these MCP servers safe to use with real funds?
The directory grades security baselines, not financial fitness. Even an A-grade MCP server is not a recommendation to wire it to a live trading account. Test in paper mode first, audit the request log, and use idempotency keys before placing real orders. The directory's purpose is filtering out servers with C-grade fundamentals (no auth, plain HTTP, no audit log) before evaluation.
What's the difference between scope: read-only vs scope: read-write?
Read-only servers expose market data and account-state queries. Read-write servers can place orders, cancel them, and move funds. The directory marks every server's scope explicitly because read-write servers carry materially different risk and need different audit-logging and rate-limit posture.
How often is the directory updated?
Quarterly review of every listed server, plus opportunistic updates when a vendor publishes a new manifest version. Each entry's last-verified date is shown inline. Servers that haven't responded to verification in 6+ months are marked stale or removed.