Built for AI: How CrossTrade Talks to Agents

If you're building anything with Claude, Cursor, Copilot, or any of the new "agent" tools, you've probably hit the same wall I keep hitting: the agent guesses the API surface, gets it wrong, and you spend ten minutes pasting links into the chat.

The fix is to make the site itself answerable to a machine. Over the past few months we've shipped a full stack of small things that, together, let an AI agent walk up to crosstrade.io cold and figure out the whole API in a single round trip. We also shipped the big thing the original version of this post promised: a hosted MCP server that lets AI agents call CrossTrade directly. Here's the current state of the world.

Learn More

What we shipped (and what's now live)

The hosted MCP server

Model Context Protocol is the standard for letting AI agents call typed tools on a remote service. CrossTrade's MCP server is live at:

https://app.crosstrade.io/v1/api/mcp

Streamable HTTP transport. OAuth 2.1 with PKCE. Dynamic client registration per RFC 7591. Two scopes: mcp:read for inspection and mcp:trade for writes. The OAuth scope is enforced at the transport, so a mcp:read token cannot place an order no matter what the prompt says.

Compatible with any MCP client that follows the spec: Claude Desktop, Claude Code, Cursor, Continue, Cline, ChatGPT plans that support remote MCP connectors, and any custom agent built on the SDKs.

What the agent can do with read scope: inspect accounts, positions, orders, executions, the matched-trade journal, TradingView webhook signal history, CrossTrade Add-On activity log, watermarks, market data, and NinjaScript source files.

What it can do with trade scope (in addition): place, cancel, modify, flatten, and reverse orders; compile NinjaScript in memory or against disk; write NinjaScript files; run Strategy Analyzer backtests (bit-identical to NT8's UI for the documented reference); deploy and stop strategies; emit alerts.

Requires CrossTrade Elite and CrossTrade Add-On v1.13.0 or higher. The REST and WebSocket APIs remain available on Pro.

Setup is one URL. For Claude Desktop, paste it into the developer config. For Claude Code, run claude mcp add --transport http crosstrade https://app.crosstrade.io/v1/api/mcp. The rest is OAuth consent in your browser.

OAuth 2.1 discovery for any agent

The MCP server publishes the full OAuth 2.1 discovery chain, so a compatible agent never sees a bearer token in your terminal. Three well-known endpoints carry the handshake:

• /.well-known/oauth-protected-resource (RFC 9728) — the 401 on a bare MCP request points here.
• /.well-known/oauth-authorization-server (RFC 8414) — lists the authorization, token, registration, and revocation endpoints, plus supported scopes (mcp:read, mcp:trade) and PKCE methods.
• POST /v1/oauth/mcp/register (RFC 7591) — dynamic client registration, so clients self-register without an out-of-band developer signup.

The token endpoint runs authorization_code + PKCE with refresh tokens; revocation is RFC 7009. Combined, the handshake is the part that makes Claude Code "just work" when given only the MCP URL.

A real robots.txt, with AI rules and content signals

The old robots.txt was a one-line stub. The new one explicitly allows the major AI crawlers (GPTBot, ChatGPT-User, ClaudeBot, anthropic-ai, PerplexityBot, Google-Extended) and declares our content-usage preferences using the new Content Signals draft:

Content-Signal: search=yes, ai-input=yes, ai-train=yes

Translation: yes, AI assistants can use our docs as input, and yes, they can train on the public content. We want an LLM that's been pre-trained on how CrossTrade works, because that's a user who can hit the ground running.

llms.txt and llms-full.txt

These are the AI-equivalent of a sitemap. Instead of a human-readable index, they're a flat, paste-friendly text rendering of the API. llms.txt is the short index. llms-full.txt is every endpoint, every parameter, every body shape, every example, in one file you can drop into a model's context window.

Both live at:

• https://crosstrade.io/llms.txt
• https://crosstrade.io/llms-full.txt
• https://app.crosstrade.io/v1/api/llms.txt (server-rendered, always fresh)
• https://app.crosstrade.io/v1/api/llms-full.txt

OpenAPI 3.1 spec, YAML and JSON

The full machine-readable API surface, regenerated automatically from the actual code (the route decorators in nt.py and the C# methods in the NinjaTrader add-on). One source of truth, no drift.

• https://app.crosstrade.io/v1/api/openapi.yaml
• https://app.crosstrade.io/v1/api/openapi.json

A /.well-known/api-catalog (RFC 9727)

This is the new standard for "I have an API, here's where to find everything about it." A single JSON document at https://crosstrade.io/.well-known/api-catalog points to the OpenAPI spec, the human docs, the LLM-targeted docs, the live endpoint catalog, and the status endpoint. An agent reads one URL, gets all five.

Markdown negotiation

If you curl https://crosstrade.io/ with Accept: text/markdown, you get markdown back instead of HTML. Cloudflare's "agent ready" scanner picked it up; Claude and friends use it natively when they don't want to chew through HTML.

Link headers on the homepage (RFC 8288)

If an agent hits the homepage and only reads the response headers (no HTML parse), it still finds everything:

Link: </llms.txt>; rel="llms-txt"
Link: </llms-full.txt>; rel="alternate"; type="text/plain"
Link: </.well-known/api-catalog>; rel="api-catalog"
Link: </docs/api/overview>; rel="service-doc"
Link: <https://app.crosstrade.io/v1/api/openapi.yaml>; rel="service-desc"

A smart 404 that suggests the right path

Agents love to guess /api/orders/place or /api/v1/orders. We don't have those routes; the actual path is /v1/api/accounts/{account}/orders/place. When an agent guesses wrong under /v1/api/, the 404 response is a structured JSON with a did_you_mean array of close matches and a list of every discovery URL it should have hit instead. One round trip and the agent recovers on its own.

$ curl https://app.crosstrade.io/v1/api/wrong_path
{
  "success": false,
  "error": "unknown_endpoint",
  "detail": "No route matches GET /v1/api/wrong_path.",
  "did_you_mean": ["GET /v1/api/accounts", ...],
  "discovery": {
    "endpoints_catalog": "...",
    "openapi_yaml": "...",
    "llms_full_txt": "..."
  }
}

AI-assisted development guide

There's a dedicated section in the docs at crosstrade.io/docs/api/ai-assisted-development that explains how to point Claude / Cursor / Copilot at this stack. Paste two URLs into your AI of choice and you're trading.

The full MCP suite, now in one place

The MCP launch came with more than just the endpoint. We shipped a product hub, technical docs, trader-facing tutorials, public tools, and a prompt library. The whole cluster is designed so an AI agent (or a human reading over its shoulder) can find what they need without us in the loop.

Start here

• /mcp-trading — the product hub for AI trading agents on NinjaTrader 8.
• /docs/api/mcp-trading — the technical reference.
• /learn/mcp-trading-futures-traders — the trader-friendly explainer.
• /tools/mcp-compatibility-checker — five preconditions, one ready/not-ready answer.

Client setup

• ChatGPT + NinjaTrader 8
• Claude + NinjaTrader 8
• Setup docs
• OAuth flow
• Scopes: mcp:read and mcp:trade

Workflows worth running first

• Chat with your trade journal — read-only, no write permission needed.
• Webhook signal analysis — find the silent TradingView misses.
• Trade copier diagnostics — leader/follower timeline reconstruction.
• AI NinjaScript — compile loop, Strategy Analyzer parity, deploy gate.
• Vibe coding NinjaScript — prompt-to-compile-to-backtest in one conversation.

Funded futures

• AI for prop firm traders
• Firm-specific guardrails (Apex, Topstep, MyFundedFutures, Bulenox, TakeProfitTrader, TradeDay, Earn2Trade, Tradeify, BluSky, FundedNext)
• Prop firm guardrail generator

Safety

• AI trading agent safety — three layers: OAuth scope, state checks, confirmation gates.
• Read-only agent workflows
• Trade-enabled agent workflows

Proof

• NinjaScript backtest benchmark — public, reproducible parity between MCP RunStrategyBacktest and NT8 Strategy Analyzer UI on SampleMACrossOver.

Prompts

• NinjaTrader AI prompt library — read-only briefs, journal review, webhook audit, copier diagnostics, NinjaScript compile loops, Strategy Analyzer backtests, vibe coding, deploy gates.

What's still coming

A couple of pieces are still in the oven:

WebMCP. Same idea as the hosted MCP server, but in-browser: when you have the dashboard open, AI agents will see a navigator.modelContext surface with your live trading tools registered. No copy-paste, no extra setup.

Agent Skills index. A discoverable list of "things AI agents can do on CrossTrade" at /.well-known/agent-skills/index.json, so any agent that supports the spec can find our skills without us submitting them anywhere.

Why bother

Honestly, because the way you trade is going to change in the next year, and we'd rather build for that user now than retrofit later. Most of this is also just good API hygiene that helps human developers too. The OpenAPI spec, the markdown docs, the smart 404 with route hints, none of that is AI-specific. It just happens that AI is what finally made the standards mature enough to be worth implementing.

The MCP server is the part that goes beyond hygiene. It's the part that lets a trader open Claude and ask, "give me a pre-session brief on APEX1234 and tell me how close I am to my trailing drawdown" and get an answer pulled from the real account state in seconds, instead of a paragraph the model made up.

If you're using CrossTrade with an AI assistant and something doesn't quite click, tell us. We'd rather hear it from you than from a Cloudflare scan report.