Part of the Agent Readiness course. Measure any page with the Core Agent Vitals analyzer. This is the most emerging standard in the course — a look at where the agentic web is heading.
What it is
The Model Context Protocol (MCP) is a standard way for agents to discover and call tools: an agent connects to an MCP server, asks "what can you do?", gets back a typed list of tools, and invokes them uniformly. WebMCP brings that to the open web — you expose an MCP-style endpoint (commonly at /.well-known/webmcp or /webmcp.json) that advertises your site's actions as callable tools.
Why agents need it
Everything earlier in this course makes your site readable — an agent can find and understand your content. WebMCP makes it operable — the agent can act: book the appointment, run the search, place the order, query the data, through a defined interface instead of by driving your UI or scraping your DOM.
Scraping is brittle: it breaks when your markup changes, it can't handle multi-step flows reliably, and it can't authenticate cleanly. A WebMCP endpoint gives the agent a stable, typed contract — discover the tools at runtime, call them with validated arguments, get structured results. That's the difference between an agent that guesses how to use your site and one that operates it correctly.
This is early and moving fast. Don't build it before the foundations are in place — but understanding it now is how you stay ahead of the agentic web.
How to implement
Expose a discovery document that lists your tools; back each with an operation you already have (often an OpenAPI endpoint):
{
"webmcp": "0.1",
"name": "Acme",
"tools": [
{
"name": "search_products",
"description": "Search the catalog by keyword.",
"inputSchema": {
"type": "object",
"properties": { "query": { "type": "string" } },
"required": ["query"]
},
"endpoint": "https://api.acme.com/products/search"
}
]
}
Serve it at /.well-known/webmcp, keep the inputSchema strict (so agents send valid arguments), and enforce auth + rate limits on the underlying endpoints — you're now accepting agent-initiated actions.
Validate
curl -s https://your-site.com/.well-known/webmcp | head
Confirm valid JSON with a tools array and real input schemas. The Core Agent Vitals analyzer checks /.well-known/webmcp, /webmcp.json, and /.well-known/mcp, and marks the endpoint present — scored as emerging/optional.
Common mistakes
- Exposing actions without guardrails. A callable
delete_accounttool with weak auth is a liability, not a feature. Gate irreversible actions hard. - Loose input schemas.
"type": "object"with no properties invites malformed calls. Constrain inputs so the agent can only send valid arguments. - Building it first. WebMCP on a site with no llms.txt, no structured data, and a blocked robots.txt is a roof with no walls. Do the foundations first.
- No rate limiting. Agent traffic is programmatic and bursty. Protect the endpoints behind your tools.
That's the course. You now have the full agent-readiness stack — from "can an agent read this?" (robots, sitemap, JSON-LD, llms.txt) to "can an agent use this?" (OpenAPI, agents.json, WebMCP). Run your site through the Core Agent Vitals analyzer to see where you stand on every one.