Google has recently introduced WebMCP, a browser-level version of the Model Context Protocol (MCP). The idea is simple: it is supposed to standardize how AI agents interact with websites. Today, most agents usually have to infer how to click buttons, read text, and interpret layouts when working with websites. They analyze the DOM and screenshot, simulate user behavior, and often fail when layouts change. WebMCP offers a different approach: websites themselves expose structured actions that agents can call directly.
Instead of parsing HTML and emulating clicks, agents interact with websites through structured calls, similar to API requests. Sites can define functions such as searchFlights or addToCart with clear input and output formats. AI agents use these definitions through a browser API (navigator.modelContext) to call the tools directly. This approach replaces fragile techniques like scraping HTML or guessing UI behavior. The goal is to make agents work faster and more stable, less dependent on page structure, thereby making websites "agent-ready".
Google highlights the following use cases for WebMCP: Customer support: the agent fills in the necessary technical details and helps the user create a detailed ticket. E-commerce: the agent finds the desired products, configures the purchase parameters, and smoothly guides the user through the shopping cart and checkout. Travel: the agent searches for and filters flights, then processes the booking, relying on structured data to improve accuracy.
The WebMCP architecture proposes two types of APIs: Declarative - for simple actions using HTML forms and standard elements. Imperative - for complex JavaScript scenarios that require logic and a sequence of steps.
WebMCP is currently available for prototyping by web developers through an early preview program. As the next step, Google plans to integrate WebMCP with Chrome and Gemini that will allow agents to perform actions directly in the browser with minimal user intervention. If the standard secures its place to stay, it could accelerate the shift toward "agentic web" - where websites are designed from the ground up to interact not only with people but also with AI agents that autonomously browse pages, conduct transactions, and interact with online services on behalf of users.
At the same time, this scenario also increases serious risks. As agents gain more autonomy, the attack surface expands, particularly through prompt injection attacks, where attackers insert malicious instructions into content. Protection against such prompt injections lies not on WebMCP API, but on the agents themselves - their design and robustness (e.g., input sanitization, privilege separation, human-in-the-loop for high-stakes actions).
With the increasing risk of exploitation, the industry is currently relying on tightly constrained, human-controlled agents rather than fully autonomous systems on the external network. Even OpenAI acknowledges that the problem of injection attacks will likely never be fully solved. The company reached this conclusion after testing its own agent-based tools, which identified new attack types.
It is hard not to mention the implications of the "agentic web" on businesses. If AI agents independently perform product searches, price comparisons, content consumption, and bookings, users will need to open the website less and less. As a result, operators risk losing advertising revenue, direct contact with their audience, and the ability to build relationships with customers on their website.
Nonetheless, the internet is increasingly moving to becoming a background infrastructure for AI agents. Google isn't the only company trying to redesign the internet for AI agents. In May 2025, Microsoft had already announced NLWeb, an open-source project that provides websites with a natural language interface. Each NLWeb instance is designed to act as an MCP server, making website content available to other agents in the MCP ecosystem. Microsoft views NLWeb as a potential standard for the agent-based web, similar to the role HTML plays for the "classic" internet.