Inside the Tradeshift MCP Server: How We Connected Amazon Quick to Bring Agentic AI to Accounts Payable

Recently, Raphael Bres laid out our 2026 vision for Agentic AI at Tradeshift. He described a horizon where finance teams stop managing processes and start managing outcomes, where the boundary between software and agent quietly disappears.

That vision rests on a layer of plumbing that does most of the heavy lifting without ever asking for the spotlight. It is what lets an AI agent log into your account, understand your data, respect your permissions, and act on your behalf, always within the security envelope you have already approved. 

For us, that layer is the Tradeshift MCP Server. It is the reason our Reporting and Analytics customers can ask a question in plain English and get a complete answer, with visuals and supporting analysis, in the time it takes to make coffee. It is also the reason we believe Tradeshift is among the first B2B platforms to ship genuine, enterprise grade agentic AI into production for Accounts Payable.

This is the story of how we built it, why security sits at the centre of every design choice, and why we think it matters.

✨ I recently presented the latest agentic AI innovations in Reporting & Analytics at AWS Summit Stockholm. Check out the summary here.

Why Tradeshift built its own MCP Server

The Model Context Protocol, introduced by Anthropic in late 2024, gave the industry a common language for AI agents to talk to systems and data. Before MCP, every team building an agent had to invent its own integration layer, which meant brittle connections, inconsistent security, and constant rework.

When we evaluated the protocol in early 2025, the decision was easy. Tradeshift sits at the intersection of more than one million suppliers, one hundred ninety countries, and over one point seven trillion dollars in processed volume. Our customers do not need another bolted on chatbot. They need agents that can move through their own data with the same authority and the same limits they already have themselves, and they need assurance that no agent can ever step outside those limits.

We decided to engineer the Tradeshift MCP Server in house for three reasons. First, we wanted the security model to be ours, designed against our specific authentication, RBAC, audit, and tenant isolation requirements rather than retrofitted onto a generic framework. Second, we wanted agents to access the same domain logic our human users rely on, not a thinner copy. Third, we wanted to be among the first enterprise platforms in B2B trade to ship this capability into production, not just talk about it.

Security was not an afterthought we layered on. It was the precondition. The result went live earlier this year.

What the Tradeshift MCP Server actually does

Under the hood, our MCP Server is a small, opinionated piece of software with big responsibilities. It exposes ninety five tools across six domains, organised around how our platform is built: core services, the supplier network, documents, company data, the Business Firewall, Ada AI – our document intelligence layer, and our AI Assistant –  AskAda.  

Each tool is a verb an agent can use. Search for a document. Read a supplier connection. Validate a UBL invoice. Look up a tax identifier. Update a property, only when the user is allowed to do so. Every call passes through the standard authentication mechanism that protects human sessions, and inherits the permissions the human has on the Tradeshift resources. The MCP Server is authoritative for user access. If you do not have permission to perform an action, the agent does not have it either, and the call is refused before it ever touches the data layer.

The service runs natively on AWS, in our EKS cluster in Ireland, with a PostgreSQL database for audit logging, encryption at rest and in transit by default. We built it on FastAPI with two transports, so local agents can connect directly through stdio and remote agents can use HTTP and Server Sent Events. 

A plugin based tool registry lets us add new capabilities without restarting the world, and a two level description system means agents browse a tidy summary first and only pull full documentation when they need it. Every tool execution is recorded with full request correlation, giving security and compliance teams an immutable audit trail. The whole service runs against a 99.9% uptime objective.

None of this is flashy. It is the kind of engineering that quietly decides whether agentic AI works in production or stays a demo, and whether enterprise security teams will sign off on putting it in front of real data.

How Tradeshift connected Amazon Quick to live AP data, securely

In June 2025, we launched our Reporting and Analytics app at London Tech Week, with Amazon Quick as the in-memory, columnar Business Intelligence database underneath. Eleven months later, we had turned the same app into a fully agentic AI experience by wiring Amazon Quick agents directly into the Tradeshift MCP Server.

The combination is genuinely new. Amazon Quick gives users a natural language interface and a generative AI runtime that understands questions and requests in all the AWS Quick supported languages. The Tradeshift MCP Server gives those agents authenticated, real-time access to live Tradeshift data and the ability to take real actions on the platform, every call signed, scoped, and logged. Nothing is exported, nothing is staged, and nothing is duplicated. The agent sees what you see, and only what you see, the moment you see it. Authentication tokens never leave our security perimeter.

For an Accounts Payable Manager, this looks like asking a question or putting in a request in the Quick console and watching an agent spin up parallel analyses, walk through cost reduction scenarios, run anomaly detection on transaction history, and present a strategy ready report. For her IT and security colleagues, it looks like a single audited path between every agent action and every platform call, with every tool execution logged, every permission boundary respected, and every interaction reviewable after the fact.

To our knowledge, we are among the first AP platforms to ship this combination in production.

👉 Watch this video for a walk-through of a few Accounts Payable use cases, but think of these as just a sample. The capabilities you’ll see can tackle a much broader range of AP challenges and workflows.

What changes for Tradeshift customers when days become minutes

Three patterns have surfaced from early use.

The first is parallelism. A human analyst runs queries one after another. An agent dispatched through the Tradeshift MCP Server runs them simultaneously, fanning out across datasets and bringing the threads back together. Scenario planning that previously required several days and multiple team members can now be done by one person in minutes, without ever exporting sensitive data outside the platform.

The second is judgement at the right altitude. AP Managers no longer rebuild the same anomaly report every month. They review the agent’s findings, push back, and refine. The work shifts upward, from extraction to interpretation, which is precisely where finance professionals want to spend their time.

The third is reach. With agents handling analysis, more people in the organisation can ask harder questions, each one bounded by their own role and permissions. The team’s expertise compounds rather than acting as a bottleneck. That is what we mean when we say we want to enable actionable intelligence, not simply more dashboards.

Across our Scenarios, Flows, and Chat use cases, customers are seeing days collapse into minutes. It is not subtle, and it is not theoretical.

What is next for the Tradeshift MCP Server and our Reporting and Analytics App

The MCP Server is the foundation, not the finish line. Over the next few releases we will turn on write access in production, securely, so agents can not only read but act, while preserving every permission boundary and every audit obligation. We will embed a generic chat agent in the Standard tier of the Reporting and Analytics app, so every customer benefits from agentic AI by default. And we will extend Reporting and Analytics to as many Seller users as we can, so the value spreads across both sides of the network.

We will also keep evolving the agents that lean on the MCP Server: Ada AI for invoice auto coding, the AP Auditor Specialist for fraud and risk, the AP Compliance Expert pre-trained on local regulation and documentation provided by the customer, and the AI Document Extractor that orchestrates extraction across document types. Each one inherits the same security model, the same audit trail, and the same authoritative permission checks.

This is what we mean by being an innovator. Not a press release, but a working production stack that already changes the day to day life of finance teams, without asking them to compromise on the security their organisation requires.

If you are leading finance, accounts payable, digital transformation, or information security in your organisation and you also want to move from days to minutes, get in touch. 

We would love to show you what is possible when your platform, your data, and your agents all speak the same language, securely.