WebMCP: how websites will talk to AI agents natively
Every browser agent today works the same way: take a screenshot, try to figure out what the UI is, plan a click sequence, hope nothing shifted, and pray the form submits. It works about 60% of the time. WebMCP is Google's proposal to make that loop obsolete — and it shipped as a Chrome origin trial on June 2.
The idea is straightforward: instead of making agents guess your interface, you tell them exactly what your site can do. Sites declare structured tools with JSON schemas. Agents call those tools directly. No screenshot loop. No DOM fragility. No broken selectors when your designer renames a class.
Why browser agents break today
The current approach is called actuation — the agent takes a screenshot, identifies UI elements, generates click/type sequences, and re-screenshots to verify. It is vision-based automation, and it has three fundamental problems.
First, it is slow. A single multi-step task might require 8 to 15 screenshot-analyze-act cycles. Each cycle costs tokens, adds latency, and can fail independently.
Second, it is brittle. A CSS class rename, an A/B test variant, or a lazy-loaded modal breaks the entire task. The agent has no idea what your site intended — it can only see what was rendered.
Third, it cannot know intent. An agent staring at a checkout form does not know if submitting it will charge a card, save a draft, or delete the cart. It cannot distinguish between a destructive action and a safe one without guessing from context clues.
WebMCP fixes all three by moving the contract from the visual layer to the application layer.
What WebMCP actually is
WebMCP is an open web standard, incubated in the W3C Web Machine Learning Community Group and co-authored by Google and Microsoft. It extends Anthropic's Model Context Protocol into the browser, letting any site expose named, schema-typed tools that AI agents can discover and call.
Microsoft shipped Edge 147 support in March 2026. Chrome 149's origin trial opened June 2. Currently only Gemini in Chrome consumes WebMCP tools natively, but the major browser vendors and several large platforms committed to the standard at I/O 2026.
The performance gap versus vision-based agents is significant: end-to-end task completion on WebMCP-enabled sites runs 8 to 12 times faster, and error rates drop substantially because the agent is working from a schema rather than interpreting pixels.
Two ways to implement it
WebMCP gives you two implementation paths. Use the imperative API for dynamic behaviors. Use HTML annotations for existing forms.
Imperative API — call navigator.modelContext.registerTool()
with a name, description, JSON input schema, and an async handler:
// Register a search tool
navigator.modelContext.registerTool({
name: "search_products",
description: "Search the product catalog by keyword, category, or price range.",
inputSchema: {
type: "object",
properties: {
query: { type: "string", description: "Search terms" },
category: { type: "string", enum: ["electronics", "clothing", "home"] },
maxPrice: { type: "number", description: "Maximum price in USD" }
},
required: ["query"]
},
handler: async ({ query, category, maxPrice }) => {
const results = await api.searchCatalog({ query, category, maxPrice });
return { products: results, count: results.length };
}
});
// Flag destructive or financial tools — browser shows a confirmation UI
navigator.modelContext.registerTool({
name: "place_order",
description: "Place order for items currently in the cart.",
requiresUserApproval: true,
inputSchema: {
type: "object",
properties: {
shippingAddress: { type: "string" },
paymentMethodId: { type: "string" }
},
required: ["shippingAddress", "paymentMethodId"]
},
handler: async ({ shippingAddress, paymentMethodId }) => {
const order = await api.checkout({ shippingAddress, paymentMethodId });
return { orderId: order.id, total: order.total };
}
});
Declarative HTML — annotate existing forms with data-mcp-tool
and data-mcp-description attributes. No JavaScript required:
<form
data-mcp-tool="newsletter_signup"
data-mcp-description="Subscribe to the weekly newsletter"
>
<input
name="email"
type="email"
data-mcp-description="Subscriber email address"
/>
<select name="frequency" data-mcp-description="Email frequency preference">
<option value="weekly">Weekly</option>
<option value="monthly">Monthly</option>
</select>
<button type="submit">Subscribe</button>
</form>
The browser reads the annotations, generates a JSON schema from the input types and names, and registers the form submission as a callable tool. Your backend receives an ordinary form POST — nothing changes server-side.
The security model
Tools execute inside the page's same-origin sandbox. The agent runs with exactly the permissions the logged-in user already has — no more, no less. It cannot call tools on other origins or escalate beyond the user's existing session.
Two things to get right in your implementation:
- Sanitize tool descriptions. The description string goes straight into the agent's context window. An attacker who can inject text into your tool descriptions can attempt prompt injection. Treat descriptions as user-facing strings: escape them, validate them, and do not interpolate untrusted content into them.
-
Use
requiresUserApproval: trueon anything consequential. Transactions, deletions, form submissions that charge money — all of these should require explicit browser confirmation. The browser renders a native UI showing the user what the agent is about to do and lets them approve or reject it before the handler fires.
How to opt in today
The origin trial token is available at the Chrome origin trial registration page. Add it to
your HTML head or as an Origin-Trial HTTP response header, and the API is live
for Chrome 149 users:
<!-- Option 1: HTML meta tag --> <meta http-equiv="origin-trial" content="<YOUR_TRIAL_TOKEN>"> <!-- Option 2: HTTP response header --> Origin-Trial: <YOUR_TRIAL_TOKEN>
Test with the Model Context Tool Inspector extension (Chrome Web Store) — it shows which tools your page has registered, lets you call them manually, and surfaces schema validation errors before an agent ever sees your site.
If you want to ship incrementally: register one high-value tool first. Search and filter actions are ideal starting points — low risk, high frequency, no financial consequences. Get that working and instrumented before touching checkout or account management flows.
What is not solved yet
WebMCP does not handle authentication. An agent still needs to be logged into your site via normal browser session mechanisms before any of your tools are reachable. The standard has no opinion on how agents acquire credentials.
Cross-origin tool composition is also out of scope. If a user wants an agent to pull data from your site and push it to another, that still requires two separate tool calls with the agent as the intermediary. There is no cross-site pipe.
And the standard is not yet on the official W3C Standards Track — it lives in the Web Machine Learning Community Group. Edge and Chrome support is solid, but this is not a finished spec. Treat the origin trial as exactly that: a trial. Build with it, instrument it, but keep the feature-flagged so you can turn it off cleanly.
Why this matters more than it looks
REST APIs standardized how machines talk to backends. WebMCP is trying to do the same thing for the frontend layer — give agents a stable, versioned, schema-typed surface to interact with instead of fighting the visual interface.
If it reaches full W3C adoption, it changes the calculus for every frontend team. Accessibility already pushes engineers toward semantic HTML. WebMCP pushes in the same direction, toward intent-expressed interfaces instead of purely visual ones. A site with good WebMCP coverage is more accessible, more testable, and more agent-compatible simultaneously.
The engineers who implement this in 2026 will be the ones who understand it well enough to advise their org when it becomes the default expectation in 2027.