Google WebMCP pushes websites toward AI-agent workflows

Google WebMCP is an early preview interface that lets websites expose structured tools for AI agents through the browser. It could make tasks like support tickets, ecommerce search, and travel booking more reliable, but prompt injection and website business risks remain major unresolved issues.

Google WebMCP points to a web where AI agents do less guessing and more direct interaction. Instead of forcing agents to interpret raw page code, the proposal gives websites a structured way to describe actions that agents can perform through the browser.

The idea is practical, but the consequences are larger than a developer interface. If agents become the main layer between users and online services, websites may increasingly serve machines first and human visitors second.

What WebMCP is trying to change

WebMCP is Google's web-focused version of the Model Context Protocol, or MCP. The goal is to bring MCP-style structured interaction to websites, so an AI agent can understand what actions are available and use them in a predictable way.

Today, agents often have to work around the web as it exists. They may inspect page structure, interpret interface elements, and attempt to move through flows that were designed for people. WebMCP would give websites a more direct channel for exposing tasks to agents.

According to Google developer Andre Cipriani Bandarra, WebMCP defines structured tools for specific website actions. The examples include booking flights, creating support tickets, and searching for products.

That matters because these are not just content lookups. They are multi-step tasks where accuracy, context, and user intent all matter. A support request needs the right technical details. A product search may involve configuration choices. A travel booking depends on search, filtering, and selection.

How the interface works

The source describes two ways WebMCP can support website actions. Simple actions can use a declarative API based on HTML forms. More complex processes can use an imperative API through JavaScript.

That split reflects a basic reality of the web. Some tasks are straightforward enough to describe as structured inputs and submissions. Others require richer logic, conditional steps, or deeper interaction with a site's existing application flow.

Google's pitch is that this structure can make agents faster and more reliable than they are when they must navigate page code directly. Bandarra describes the result as websites becoming "agent-ready," and frames the possibility this way: "Imagine an agent that can handle complex tasks for your users with confidence and speed."

The practical use cases in the source fall into three clear buckets:

  • Customer support: Agents could help users create detailed support tickets and automatically include needed technical information.
  • Ecommerce: Agents could search products, configure shopping options, and move through checkout flows with more precision.
  • Travel: Agents could search, filter results, and handle bookings using structured data to improve accuracy.

For users, the promise is convenience. For developers, the promise is a cleaner contract between a website and the agent using it. For website operators, the trade-off is more complicated.

The security problem stays with the agent

WebMCP does not remove the hardest security issue facing agentic systems. Bandarra does not treat the API itself as the protection layer against prompt injection attacks. In the source, responsibility for defending against injected instructions sits with the individual agent.

That is a major caveat. Prompt injection is a problem where hostile instructions can be placed in content that an AI agent reads, potentially steering the agent away from the user's intent. If an agent is only summarizing text, the damage may be limited. If it can transact, book, buy, or submit requests, the stakes are higher.

The source also notes that OpenAI has acknowledged prompt injection may never be fully solved. That acknowledgement followed red teaming of its own agentic tools, which uncovered new prompt attack vectors.

Anthropic's Claude Opus 4.5 is also cited as still falling for targeted prompt attacks more than three times out of ten. The source frames that as an unacceptable failure rate for systems expected to handle transactions or make decisions independently.

This is the central tension of the agentic web. As agents gain more freedom to act, their exposure to manipulation grows. The practical answer described in the source is not fully autonomous agents on the open web, but constrained systems with close human oversight.
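One way an agent could apply that constraint before invoking a site's tools, as an added example (not code from Google, WebMCP, or the article's source). The tool names, the `effect` risk tier, the `origin` provenance tag and the `confirm` callback are assumptions made for illustration; WebMCP defines none of them.

```javascript
// Added example: agent-side gate in front of website-exposed tools.
// Constructed registry: tools a site might expose, plus a risk tier the agent assigns.
const TOOLS = {
  search_products: { effect: "read", params: { query: "string", maxPrice: "number" } },
  create_ticket: { effect: "write", params: { subject: "string", details: "string" } },
  book_flight: { effect: "transact", params: { flightId: "string", passengers: "number" } },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const deny = (reason) => ({ allow: false, reason });

// call: { name, args, origin }. origin is "user" when the step traces back to the
// user's own request and "content" when it was derived from page text or tool
// output (hypothetical provenance tag the agent must maintain itself).
// confirm: callback that asks the human and returns true or false.
function gateToolCall(call, confirm) {
  if (!has(TOOLS, call.name)) return deny("unknown tool");
  const tool = TOOLS[call.name];
  // Arguments must match the declared schema exactly: nothing missing, nothing extra.
  for (const [key, type] of Object.entries(tool.params)) {
    if (!has(call.args, key)) return deny(`missing argument: ${key}`);
    if (typeof call.args[key] !== type) return deny(`wrong type for: ${key}`);
  }
  for (const key of Object.keys(call.args)) {
    if (!has(tool.params, key)) return deny(`undeclared argument: ${key}`);
  }
  // Text the agent merely read may trigger lookups, never state changes.
  if (tool.effect !== "read" && call.origin !== "user") {
    return deny("state change requested by untrusted content");
  }
  // Transactions always go back to the human, even when the user asked for them.
  if (tool.effect === "transact" && !confirm(call)) return deny("user declined");
  return { allow: true, reason: "ok" };
}

// Constructed sample: a booking step that originated from text on the page.
const injectedBooking = {
  name: "book_flight",
  args: { flightId: "XX100", passengers: 1 },
  origin: "content",
};
console.log(gateToolCall(injectedBooking, () => true));
```

The gate narrows what an injected instruction can reach; it does not detect injection, and it is only as good as the agent's tracking of where each planned step came from.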

Why website operators face a dilemma

Google is not alone in trying to adapt the web for AI agents. In mid-2025, Microsoft introduced NLWeb, an open-source project that gives websites a natural language interface. Each NLWeb instance can act as an MCP server, making website content available to other agents in the MCP ecosystem.

Microsoft sees NLWeb as a possible standard for the agentic web, comparable in role to HTML for the classic web. WebMCP approaches the same broad shift from Google's direction: websites exposing structured capabilities that agents can use.

That shift creates a difficult choice for site owners. If websites do not expose agent-friendly interfaces, they may become harder for AI systems to use. If they do expose them, agents may complete more tasks without users ever spending meaningful time on the site itself.

The source names several possible consequences. Agents could take over product searches, price comparisons, content consumption, or bookings. If that happens, operators could lose ad revenue, direct customer contact, and chances to persuade users through their own offerings.

In that future, the website becomes less of a destination and more of a service layer. It still matters, but it may matter in the background, feeding structured information and actions to agents that hold the user's attention elsewhere.

The agentic web remains unfinished

WebMCP is currently available as an early preview for developers through Google's early preview program. The source also says Google could later integrate WebMCP into Chrome and AI services such as Gemini, allowing browser agents to interact directly with websites for tasks like automated purchases or travel bookings.

That would move WebMCP from a developer experiment toward a more visible role in everyday browsing. But the larger agentic web is still more vision than reality. The pieces are arriving: structured protocols, natural language interfaces, browser agents, and frontier models with agentic capabilities.

The unresolved question is whether the web can become machine-actionable without becoming too risky or too economically disruptive for the sites that make it useful. WebMCP offers one possible technical path. It does not, by itself, settle the security and business problems that come with putting AI agents between people and the open web.