At Google I/O 2026 on May 19, Google announced WebMCP — a proposed web standard that brings MCP-style tool exposure to the browser. The premise is simple: instead of requiring a backend MCP server to give an AI agent access to a website’s capabilities, WebMCP lets the website itself expose tools directly in client-side JavaScript (or via HTML annotations), where an in-browser AI agent can call them.
The Chrome 149 origin trial is open to registered developers now. The spec lives in the W3C Web Machine Learning Community Group, not yet on the W3C official Standards Track.
What Problem WebMCP Solves
Browser agents — AI systems that navigate and interact with websites — currently face a fundamental brittleness problem. They work by reading rendered HTML, parsing visual structure, and making guesses about where to click. A button labeled “Submit” in a modal, a dynamically injected form field, a JavaScript-rendered navigation menu: these are all routine challenges that cause browser agents to fail or require extensive per-site prompt engineering.
The alternative, server-side MCP, solves this cleanly — but requires a backend server implementing the MCP protocol. That works well for developer tools, data APIs, and internal systems. It does not work for the majority of the public web, where the publisher is a travel booking site or a small e-commerce store with no interest in running an MCP server.
WebMCP’s position is that the web page itself should be the interface. If Booking.com wants AI agents to be able to search for hotels, it can expose a searchHotels tool in the page. No backend MCP server. No screen-scraping. The agent gets a typed, schema-defined interface.
Two API Surfaces
WebMCP provides two ways for a site to register tools.
Declarative API — HTML Form Annotations
The Declarative API uses standard HTML <form> elements with additional attributes to define a tool:
<form tool-name="searchFlights"
tool-description="Search for available flights between two cities"
tool-response="json">
<input name="origin" type="text" tool-description="Origin city or airport code" required>
<input name="destination" type="text" tool-description="Destination city or airport code" required>
<input name="date" type="date" tool-description="Departure date" required>
</form>
The browser reads these annotations and builds a tool schema from them automatically. The result is a type-safe, schema-described tool the agent can call — derived from the same form HTML that renders in the UI. No JavaScript required. The agent submits the form programmatically and gets back the tool-response (JSON in this case, but other formats are supported).
This is the lowest-friction adoption path. A developer who already has a search form can add a handful of attributes and have a working WebMCP tool.
Imperative API — navigator.modelContext
The Imperative API targets more complex tool scenarios that do not map cleanly to form submission:
navigator.modelContext.registerTool({
name: "getProductInventory",
description: "Returns real-time inventory status for a product SKU",
parameters: {
type: "object",
properties: {
sku: { type: "string", description: "The product SKU" }
},
required: ["sku"]
},
handler: async ({ sku }) => {
const result = await fetch(`/api/inventory/${sku}`).then(r => r.json());
return result;
}
});
navigator.modelContext is the new browser API Google is adding in Chrome 149. The registerTool call takes a standard JSON Schema parameter definition plus a handler function. The browser mediates between the in-browser AI agent and the registered handler.
Security Model
WebMCP gates tool exposure behind a Permissions Policy named tools. The default value is self — a page can register tools for itself, but cross-origin iframes cannot register tools without the parent frame explicitly granting permission:
<!-- Allow the embedded checkout widget to register its own tools -->
<iframe src="https://pay.example.com/checkout"
allow="tools">
</iframe>
This prevents a malicious embedded third-party frame from silently registering tools in a parent page’s WebMCP context. It also means that multi-frame pages require deliberate permission grants, which adds integration work but prevents supply-chain-style attacks.
The tools policy is a reasonable starting point, though the security surface of letting arbitrary JavaScript register callable tools in the browser is non-trivial. The origin trial period is partly intended to surface these edge cases before the standard is finalized.
Who’s Behind It
Google authored and is championing WebMCP. The list of industry partners who publicly backed the standard at I/O 2026 is notable:
- Booking.com — hotel and travel inventory search
- Expedia — flight and accommodation search
- Instacart — grocery product search and cart operations
- Intuit — tax and financial tools (TurboTax, QuickBooks)
- Shopify — e-commerce product and checkout flows
- Redfin — real estate search
Six major consumer-facing platforms publicly committing to implement a new web standard before the standard is finalized is a credible signal. These are all sites with high-value tool exposure use cases — precisely the kind of adoption that makes a new standard worth learning.
The First Consumer: Gemini in Chrome
The only AI agent that currently consumes WebMCP tools is Gemini in Chrome — Google’s in-browser assistant, separate from the Gemini web app. When a user interacts with Gemini in Chrome on a WebMCP-enabled page, Gemini can see and call the registered tools.
This is both the standard’s greatest limitation and its clearest demonstration of intent. WebMCP is designed for browser-integrated agents, not programmatic API callers. The roadmap implies other browsers could implement WebMCP consumption — the navigator.modelContext API is written as an open standard — but there are no public commitments from Mozilla, Apple, or Microsoft as of the I/O announcement.
For developers, this means: if you implement WebMCP today, you are building for Gemini in Chrome users. That is not nothing — Chrome has significant market share — but it is far from universal.
How WebMCP Compares to Server-Side MCP
WebMCP and server-side MCP are complementary, not competing:
| Server-side MCP | WebMCP | |
|---|---|---|
| Where it runs | Backend server | Browser (client-side JS) |
| Who implements it | API developers, tool builders | Web publishers, front-end teams |
| Access to data | Database, file system, private APIs | Page context, public APIs, DOM state |
| Agent consumer | Any MCP-compatible agent | Browser-integrated agents (Gemini in Chrome today) |
| Setup complexity | Requires running a server | JS annotations or HTML attributes |
| Authentication | Full server-side auth | Browser session, same-origin policy |
The key difference is who can adopt it. Server-side MCP requires developers with backend infrastructure and the motivation to run an MCP server. WebMCP requires a front-end developer with edit access to a webpage. For the long tail of the web, that is a much lower bar.
The tradeoff is power. A server-side MCP tool can access a database, run computations, integrate with internal APIs. A WebMCP tool is limited to what the page’s JavaScript can do — which is substantial for a SaaS front-end but limited for a tool that needs backend data the page does not already have.
Limitations
Chrome 149+ only, via origin trial. The origin trial means registered developers get early access — it is not generally available. Developers need to sign up for the trial and add an origin trial token to their pages. This is intentional for a standard in active development, but it limits the immediate deployment surface.
Single agent consumer. Only Gemini in Chrome currently consumes WebMCP tools. The value of implementing the standard depends directly on how many of your users interact with Gemini in Chrome, which is currently a small minority of all browsing sessions.
Community Group draft, not a W3C Standard. The spec is in the W3C Web Machine Learning Community Group — a less formal track than the W3C Standards Track. This means the spec can change significantly before (if) it is standardized. Production implementations built on the origin trial API may need updates.
Adoption requires active publisher effort. Unlike server-side MCP, which a developer can deploy independently of the sites they interact with, WebMCP requires the site publisher to annotate their pages. Adoption is entirely opt-in by publishers. Without widespread publisher adoption, browser agents fall back to screen-scraping anyway.
Security surface is non-trivial. Letting JavaScript register callable tools in the browser creates new attack surface. The Permissions Policy gates it, but edge cases — particularly in complex multi-frame pages with third-party content — are likely to surface during the origin trial.
Rating: 3/5
WebMCP is a genuine step forward for browser agents, and the industry backing is more credible than a typical early-stage proposal. Booking.com, Shopify, Instacart, and Intuit committing to implement a standard before it ships to GA is a strong prior for adoption.
The 3/5 reflects where the standard is today, not where it could be. Chrome 149+ only, Gemini in Chrome as the sole consumer, Community Group draft status, and an opt-in adoption model that requires publisher effort are all real constraints. For most developers, WebMCP is a technology to track and implement when it reaches broader browser support — not something to build production workflows around in May 2026.
If Google delivers on the standard (cross-browser support, at least one additional browser agent consumer, W3C Standards Track adoption), WebMCP’s potential rating is 4–5/5. The core idea — structured, schema-defined tool exposure in the browser without a backend — is the right answer to the browser agent problem. Check back when Chrome 150+ ships and when adoption data from the origin trial partners becomes public.
ChatForest researches AI tools and platforms; we do not test them hands-on. Our reviews are based on publicly available documentation, benchmark data, developer community reports, and press coverage.