WebMCP Security Model: Understanding Human-in-the-Loop and Domain Isolation
If agents can act on behalf of users, security becomes the product. WebMCP's threat model is designed around three ideas: domain isolation, explicit consent, and server-side traceability.
Handing an AI agent the ability to click "Buy" on your behalf only works if the trust model is airtight. WebMCP's security posture is built on three load-bearing primitives: domain isolation (one site cannot see another's tools), human-in-the-loop (the user confirms sensitive actions), and agent traceability (servers can tell an agent called the action).
Threat 1 — Cross-site tool snooping
If acme-bank.com registered a tool called transferFunds, nothing prevents a malicious site from reading it if the browser let tools leak across origins. WebMCP doesn't. Tools are registered per top-level frame and isolated per origin. An embedded iframe on evil.com cannot enumerate tools registered by acme-bank.com, even when both are loaded in the same tab.
Practical consequence
If you embed third-party widgets (chat, analytics, ads), their tools don't show up in your tool list — and yours don't leak to them. The browser enforces this; you don't have to opt in.
Threat 2 — Agents doing things users didn't authorize
The browser provides requestUserInteraction() as the consent choke-point. For anything irreversible — payments, deletes, data exports — gate the tool execution on it:
const ok = await navigator.modelContext.requestUserInteraction({
type: "confirm",
title: "Cancel subscription?",
description: "Your plan ends April 30. You will lose access to all premium features."
});
if (!ok) return { cancelled: true };
// Only now call the real cancel endpoint.Critically, the consent UI is rendered by the browser, not the page. An agent can't suppress, restyle, or auto-click it. The user physically clicks.
Threat 3 — Server-side confusion
Your backend often needs to know "did a human or an agent just submit this form?" The browser sets event.agentInvoked = true on the submit event. Agent-submitted calls include an HTTP header (Sec-WebMCP-Agent: 1) so server-side code can detect them even when the form is submitted normally.
Use this signal for:
- Audit logs — every sensitive write records whether it came from an agent.
- Rate limiting — an agent submitting 40 forms in a minute is normal; a human doing the same is a bot attack.
- UX tuning — skip the "are you sure?" double-confirm when the browser already showed one.
Do not use it for authorization. The user's session cookie is still the only authority. agentInvoked tells you who pressed the button; it doesn't authenticate anyone.
Hash verification for .well-known/webmcp
The manifest at /.well-known/webmcp is a public document. Nothing prevents a network attacker on a compromised coffee-shop Wi-Fi from swapping it for a malicious one. WebMCP mitigates this two ways:
- HTTPS required. The spec treats the manifest as non-existent on HTTP origins.
- Optional Subresource Integrity (SRI). Agents can fetch the manifest, compute its SHA-384, and compare against a publisher-signed value in DNS TXT or a well-known header. The SRI step is opt-in as of the March 2026 spec and will likely become required in 2027.
What the user sees
Chrome's first-run flow (when WebMCP is invoked on a site for the first time) shows:
- The site's name and favicon.
- A short list of the tools the site registered ("This site lets agents: search products, add to cart, check order status").
- A dismiss / remember-my-choice prompt.
Users can revoke a site's WebMCP access from chrome://settings/webmcp at any time.
What site owners can do to strengthen security
- Minimize tool surface. Don't register tools the agent doesn't need. If your site has 30 forms but only 5 are meaningful for agents, register 5. Our 14-point readiness checklist has a section on picking the right 3–5 to start with.
- Gate destructive actions. Anything that costs money, deletes data, or sends a message should call
requestUserInteraction(). - Validate server-side. Never trust
tool arguments; re-validate them in your backend exactly as you would for a direct user submission. - Log
agentInvoked. If an agent-invoked action later needs to be reversed, the audit trail is how you prove intent.
The model for 2027 and beyond
The March 2026 spec is conservative. Expect the next year to add: signed manifests by default, per-tool user consent (not just per-site), and possibly rate-limit negotiation between the browser and the agent. Build your implementation so the destructive-action gate is centralized — that's the abstraction that will keep paying off.
For the full API surface, see the navigator.modelContext reference. For practical gating patterns, the implementation guide has React and vanilla examples.
Frequently Asked Questions
Can an agent bypass requestUserInteraction()?
No. The consent UI is rendered by the browser in its trusted chrome, not by the page. The agent can ask the user to confirm but cannot click on the user's behalf.
Does WebMCP work with password managers and 2FA?
Yes — WebMCP actions run under the user's normal session, so whatever auth the user has (cookies, 2FA tokens, password-manager autofill) applies the same way.
Is agentInvoked spoofable?
Not from a page JavaScript. The flag is set by the browser. A malicious server could of course set its own internal flag — but that's not a WebMCP problem, that's a backend design problem.
What happens if a site registers a tool that asks for a credit card number?
The browser will show the confirmation UI, but the site is still expected to follow PCI-DSS and use tokenized payment flows. WebMCP doesn't relax any existing web security requirements.
Can users see what tools a site has registered?
Yes — Chrome exposes a per-site tool list in chrome://settings/webmcp and in the agent UI that invokes them. Users can revoke individual tools or the whole site.
Is your site ready for AI agents?
Run a free WebMCP readiness audit in 15 seconds — no signup.
Run Free Audit →