Agents stopped reading your site. They started calling it. WebMCP is the browser-native standard that turns your pages into typed, callable tools an AI agent can invoke directly. This is the field guide: what it is, why now, how it works, how to build it, how to secure it, and how to roll it out.
Six chapters plus an executive summary and a forward view, written for the operator who has to make a build decision this quarter. Every exhibit states its takeaway in the title and cites its source. Where a number is reported by a vendor rather than independently audited, we say so on the chart, not in a footnote you will never read.
For two years we have told clients the same thing: stop optimizing for Google, start optimizing to become the answer. That is still true. But a new layer is forming underneath the answer, and most teams cannot see it yet. The agent has stopped reading your page to the user. It has started doing the task on the page itself.
Here is what most teams have not internalized. Being named in an AI answer gets you into the consideration set. That is the game we have spent two years helping clients win, and it still matters. But the moment the agent stops recommending and starts doing, booking the demo, pulling live pricing, starting the trial, completing the checkout, a citation is no longer enough. The agent has to be able to call your site. If it cannot, you are quietly routed around, no matter how good your content is.
That is what WebMCP is. Not developer trivia, not a standards-body footnote. It is the layer that turns your website into typed, callable tools an agent can invoke without screenshotting your pages and guessing at pixels. A site that exposes none of this is, to an agent in 2026, exactly what a business with no website was in the year 2000: technically real, functionally invisible.
So we now think about discoverability in three layers, and they stack. Visibility is whether the agent can find you. Citability is whether it trusts you enough to say your name. Callability is whether it can actually invoke you and finish the job. Most of the market is still fighting for visibility. A smaller group has figured out citability. Almost no one is building for callability yet. In the top 200,000 domains on the internet, the number we found shipping WebMCP in production was zero. That gap is the opportunity, and it is the reason we wrote this report.
One more thing, because it changes how you should read what follows. This is an early market. WebMCP is a W3C Community Group draft, not a finished standard. It runs behind a Chrome origin trial, not in a stable browser everyone has. Some of the most quoted performance numbers come from the same organizations building the protocol, and we flag every one of those rather than dressing them up as audited fact. We would rather you trust this report than be impressed by it. But the direction is not ambiguous, and the compounding dynamics that made early SEO moats so durable are already visible. The only real question is whether you move before your competitors do, or after.
WebMCP turns your website into typed, callable tools an agent can invoke directly. Five shifts decide whether your brand becomes something an agent can act on, or something it quietly routes around.
Visibility gets you found. Citability gets you named. Callability gets you bought. The third layer is forming right now, and in the top 200,000 domains we scanned, the number building for it was zero.
WebMCP moved from two independent prototypes to a W3C Community Group draft and a Chrome origin trial inside fifteen months. The specification exists. The browser support is shipping. What is missing is you, and almost everyone like you. That asymmetry, a real standard with near-zero production adoption, is the most actionable fact in this report.
Every durable moat we have seen in search started the same way: a standard nobody was using yet, and a small group who moved before it was obvious.
WebMCP in mid-2026 looks exactly like robots.txt in 2008 or schema markup in 2012. The standard is published, the early movers are invisible to the mainstream, and the cost of acting is a single afternoon of engineering. The cost of waiting is that an agent finishes a competitor's checkout instead of yours, and you never see the request that did not arrive.
The standard explained without the jargon. How WebMCP extends the Model Context Protocol from servers to the browser, and turns your site into tools an agent can call.
WebMCP lets a web page hand an AI agent a menu of typed functions, so the agent can do things on your site by calling them, instead of looking at a screenshot and guessing where to click.
The Model Context Protocol (MCP) gave AI agents a standard way to call tools on a server. WebMCP takes that same idea and moves it into the browser. A page running in the user's tab declares its tools through a single browser API, and any agent in that browser, an extension, an agentic browser, an assistant, can discover and invoke them.
Today, when an AI agent uses your website, it behaves like a person who cannot read your code: it takes a screenshot, reasons about what it sees, moves a virtual cursor, and clicks. WebMCP replaces that with something closer to a contract. Your page says, in effect, "here are the four things you can do here, here is exactly what each one needs, and here is what you get back." The agent calls the function. No pixels, no guessing.
The same task, "find a product and add it to the cart," done two ways. The difference is not cosmetic. It is the difference between an agent that works on your site and one that gives up on it.
The token, latency, and accuracy figures are reported by organizations that build or promote WebMCP tooling. They are directionally consistent and architecturally plausible, a typed function call genuinely is cheaper than vision over a screenshot, but they are not independently audited. We treat them as strong signal, not settled fact.
When an agent asks your page what it can do, it gets back a list of structured tool definitions. Each one is small, self-describing, and machine-checkable. Here is a single tool exactly as an agent receives it.
{ "name": "searchProducts", "description": "Search the product catalog by keyword and return matching items with price and stock.", "inputSchema": { "type": "object", "properties": { "query": { "type": "string", "description": "Search keywords, e.g. 'wireless headphones'" } }, "required": ["query"] }, "annotations": { "readOnlyHint": true } // safe to call without asking }
Notice what is not here: no CSS selectors, no pixel coordinates, no DOM paths. The tool is described by intent and data shape, not by layout. That is why a WebMCP tool keeps working when you redesign the page, and why the description text itself becomes a thing you optimize. The agent reads the description to decide whether to call your tool at all.
MCP and WebMCP are siblings, not competitors. The original protocol connects agents to back-end systems. WebMCP connects agents to the live page in front of the user. The distinction decides which one you reach for.
| Dimension | Server-side MCP | WebMCP (in the browser) |
|---|---|---|
| Where it runs | A dedicated MCP server you host | The user's own browser tab, inside your page |
| Transport | JSON-RPC over HTTP or stdio | postMessage, within the same document |
| Auth context | Service credentials, OAuth 2.1 machine-to-machine | The user's existing logged-in session |
| Session life | Long-lived, server-managed | Tied to the open tab, ends when it closes |
| Scope | Can span many systems | Same-origin only, HTTPS only by design |
| Best for | Systems of record, databases, internal APIs | Actions on a live website: search, filter, book, buy |
This is the mental model we use with every client. The layers stack, and they are won in order. WebMCP is the engine of the third layer, the one almost no one has reached.
The tool description is the new meta description. In ten years of SEO, the snippet that won the click was the one written for a human skimming a results page. The tool description is written for an agent deciding which function to call, and it follows the same logic: clarity, specificity, and trust win the invocation.
When two sites both expose a "book a demo" tool, the agent picks based on the description, the input schema, and how reliably the tool has behaved before. That is an optimization surface, and it is wide open. The teams that learn to write for the agent now will own callability the way early SEO teams owned the first page of Google.
Agentic browsers and assistants are already acting on the web. A readable site is no longer enough. This chapter is the case for moving in 2026, not 2027.
The agents are already here and the traffic is already concentrated. What is missing is the layer that lets them act cleanly. The standard for that layer shipped this year. The supply of it has not.
The agentic web is not a forecast. It is current traffic. AI bots now make up a large and concentrated slice of all automated requests, and the relationship is lopsided: they take far more than they return. That imbalance is exactly why a structured, efficient action layer matters now.
Concentration cuts both ways. The downside is that a handful of operators now mediate how agents experience your site. The upside is leverage: because the traffic is concentrated, a single clean integration, one WebMCP surface on your own origin, is reachable by most of the agents that matter. You are not building one integration per agent. You are publishing one contract they all can read.
There is a vast difference between a passive permission signal and an active capability. The first says "you are allowed to look." The second says "here is the function, call it." Sites have adopted the first almost universally and the second almost not at all. That is the cliff, and it is where the opportunity lives.
| Signal on the site | What it tells an agent | Type | Of sites |
|---|---|---|---|
| robots.txt | You may crawl these paths | Passive | 83% |
| AI bot rules | Rules aimed at GPTBot, ClaudeBot and peers | Passive | 79% |
| Sitemap.xml | Here is the map of my pages | Passive | 68% |
| OAuth discovery | Here is how to authenticate | Active | 5.2% |
| API catalog (.well-known) | Here are my callable endpoints | Active | 0.15% |
| MCP Server Card | Here is my MCP tool server | Active | 0.11% |
| A2A Agent Card | Here is an agent you can talk to | Active | 0.0081% |
| WebMCP tools | Here are the actions you can call on this page | Active | ~0% |
Roughly four in five sites have told agents what they are allowed to read. Fewer than two in a thousand have told agents what they can actually do. The capability layer is empty, and it is the layer where transactions happen.
WebMCP stopped being a research curiosity in the first half of 2026. Four milestones, inside four months, turned it into something you can build on today.
Agent-ready does not mean "an agent can read my site." Every site is readable. Agent-ready means an agent can act on your site, safely, and trust the result enough to repeat it.
The distinction is the whole game. A readable site is a brochure an agent skims and summarizes, often without sending anyone your way. A callable site is a tool the agent reaches for to get a job done, which puts you inside the transaction instead of beside it. The ecosystem milestones above are why the second option is now buildable. The empty capability layer is why it is still uncontested.
A page declares the actions it can perform. An agent reads that menu and calls one, with typed arguments, inside the user's own tab. This chapter walks the full path: register, discover, invoke, respond.
WebMCP turns a web page into a set of callable functions. The agent stops scraping the screen and starts calling your code, with the user's session, under rules you set.
There is no scraping in this model, and no guessing at the DOM. The page tells the agent exactly what it can do and what each action needs. The agent supplies intent and arguments. Your own code does the work. The whole exchange is four steps, and it runs in the tab the user already has open.
The tool handler is your code, running in the user's tab, with the session the user is already signed into. The agent provides the intent and the arguments. The page provides the capability and the trust boundary. That is why WebMCP needs no new backend, no separate API gateway, and no second login: it reuses what the browser already holds. The page never hands the agent a key to the database. It hands the agent a button it is allowed to press.
The specification offers two front doors to the same capability layer. The declarative path turns an existing form into a tool with a few HTML attributes. The imperative path registers a tool in JavaScript with a typed schema and a handler. Same result, different effort, different control. Toggle between them below.
<!-- An ordinary search form, marked up as a callable tool --> <form id="search" toolname="searchProducts" tooldescription="Search the catalog and return matching products"> <input name="query" type="text" required tooldescription="What to search for, e.g. running shoes"> <input name="maxPrice" type="number" tooldescription="Optional price ceiling in USD"> <button>Search</button> </form>
The browser reads the annotations, exposes a tool named searchProducts, fills the typed inputs from the agent, and reuses the form's own submit handler to do the work. You ship behavior you already wrote.
navigator.modelContext.registerTool({ name: "searchProducts", description: "Search the catalog and return matching products", inputSchema: { type: "object", properties: { query: { type: "string", description: "What to search for" }, maxPrice: { type: "number", description: "Price ceiling, USD" } }, required: ["query"] }, readOnlyHint: true, // declares this call changes nothing async execute({ query, maxPrice }) { const hits = await store.search(query, { maxPrice }); return { content: hits.map(r => ({ name: r.title, price: r.price })) }; } });
You define the inputs, the output shape, and the side effects explicitly. This is the path for single-page apps, dynamic state, and actions that do not map cleanly onto a single form.
| Dimension | Declarative API | Imperative API |
|---|---|---|
| Where it lives | HTML attributes on forms and controls | JavaScript, via navigator.modelContext |
| Best for | Existing forms, content sites, fast first wins | Apps, dynamic state, custom logic |
| Effort to ship | Add attributes to markup you already have | Write a schema and a handler function |
| Who controls the shape | The browser maps the form to a tool | You define inputs, outputs, side effects |
| Typical author | Anyone who can edit the page | Front-end engineers |
The tool description is the new meta description. It is the single line that decides whether an agent calls you or skips you, and almost no one is writing it yet.
Start declarative. Most sites already have the forms that matter, search, sign-up, add-to-cart, book-a-demo, and the fastest path to being callable is to annotate them. Reach for the imperative API when the action does not live in a form, or when you need to shape the result the agent gets back. Whichever path you take, spend real effort on the description string: it is read by a model deciding what to do, not by a person skimming a results page, and that changes how you write it.
When an agent acts through the screen, it spends most of its budget reading: capturing pixels or markup, reasoning about what is where, then hoping the click lands. A WebMCP call skips all of that. It sends arguments to a function and gets structured data back. The cost difference is not marginal. It is an order of magnitude.
The token count is the headline, but it is not the point. The point is that a typed call either succeeds against a schema or fails cleanly, while a screen reader degrades silently the moment a button moves or a label changes. Cheaper is nice. Predictable is what makes an agent willing to call you twice. The action that an agent can trust to work is the action it builds into a habit.
| Aspect | How WebMCP does it | Why it matters to you |
|---|---|---|
| Transport | In-browser messaging between the agent and the page | No network hop you have to host, secure, or rate-limit |
| Scope | Same-origin: a page exposes only its own tools | Your capability map cannot be hijacked by another site |
| Security floor | HTTPS required, no mixed content | The action layer inherits the web's transport security |
| Execution | Client-side, in the user's tab, with the user's session | The agent acts as the signed-in user, within their permissions |
| Discovery | navigator.modelContext.listTools() | One standard call, so every compliant agent reads you the same way |
You now have the mechanism: register, discover, invoke, respond, with two ways to declare a tool and a transport that reuses what the browser already secures. The next question is the practical one. What do you actually put on your site, in what order, to go from readable to callable. That is Chapter 04.
The mechanism is simple. The sequencing is where teams win or stall. This chapter is the practical build order: which tools to expose first, the five levels from readable to trusted, and the one detail that decides whether an agent calls you at all.
Do not boil the ocean. Expose one safe, high-intent action, write its description for a model, and ship it. The hardest step is the first callable tool. Everything after that is iteration.
You do not need a tool for everything. You need a tool for the handful of actions that already convert, and you should ship the read-only ones first. They carry no consent friction, so they go live fast and start earning agent trust while you build toward the transactional ones.
| If you are | First · read-only | Second · read-only | Third · write, with confirm |
|---|---|---|---|
| Ecommerce | searchProducts | checkOrderStatus | addToCart |
| SaaS | searchDocs | checkPlanLimits | bookDemo |
| Media or publisher | searchArchive | getRelatedStories | subscribe |
| Local or services | checkAvailability | getQuote | bookAppointment |
A read-only tool is a gift with no downside. It cannot change a user's data, so it needs no confirmation dialog, which means an agent will call it freely and often. Every one of those calls is a signal that your surface works, and that track record is exactly what earns the right to expose a write tool later. Start where the risk is zero and the learning is highest.
Agent-readiness is a ladder, not a switch. Each level is shippable on its own and earns value before you climb to the next. Click a level to see exactly what it takes. The gap that matters, the one almost no one has crossed, sits between level one and level two.
Roughly four in five sites have reached level zero or one. They are readable and, increasingly, describable. Almost none have a single callable tool. That is not a small gap to close, it is the entire opportunity, because the brands that cross to level two now define the default action an agent learns to take long before the crowd arrives.
When an agent decides whether to call your tool, it reads one thing: the description string. Not your brand, not your design, not your rank on a results page. That sentence is the entire pitch, and it is graded by a model choosing between options. Most teams write it like a label. The ones who write it like an instruction get called.
"Search our site"
"Search the product catalog by keyword. Returns up to 20 items with title, price in USD, and stock status. Use when the user wants to find or compare products."
The description string is the new battleground for intent. It is the shortest, highest-leverage piece of copy you will write this year, and it is the one almost no one is testing.
Treat it like ad copy, because that is what it is. Draft it, ship it, watch which calls succeed and which get skipped, then rewrite it. The teams that win callability will not be the ones with the most tools. They will be the ones who tuned the descriptions on their three most important tools until an agent reaches for them by reflex. This is optimization work, and it rewards the same discipline you already apply to a landing-page headline.
A callable site hands real power to software acting on a user's behalf. That is the point, and it is the risk. This chapter is the threat model, the consent design that contains it, and the argument that trust is not a tax on this work but the moat it builds.
Read freely. Confirm before you write. Never touch credentials or money on the user's behalf. Ship the safe surface first, earn the right to expand it, and make every risky action visible.
Every risk below shares one root cause: an agent cannot reliably tell an instruction from data, so the page has to enforce the boundary the model will not. Expand each to see the failure and the control that contains it. None of these is a reason to wait. They are the reasons to ship carefully.
Reviews, comments, embedded documents, even a product description can contain text that reads like a command. An agent that cannot separate content from instruction may follow it and call a tool the user never intended. This is the single most important risk in the agentic web, and it is structural, not a bug you patch once.
A general-purpose tool, run any query, change any setting, delete any record, is a footgun. If an agent is ever tricked into calling it, the blast radius is your whole system. Breadth of capability in a single tool is convenience for you and a gift to an attacker.
A write tool that fires without a visible confirmation can change a cart, move a booking, or alter an account with no human in the loop. The user discovers it after the fact, if at all. Even when nothing malicious happened, the surprise alone destroys trust in the surface.
Tools run with the user's existing session, which is what makes WebMCP elegant. It is also what makes a manipulated agent dangerous: it acts with the user's full permissions, and the system sees a legitimate logged-in request, not an attack.
Card numbers, passwords, and identity documents must never flow through a tool call. A tool that accepts them turns one tricked agent into a credential leak, and no efficiency gain is worth that exposure. This is the bright line of the trust-first model.
Read the controls together and one rule emerges: the page is the adult in the room. The agent supplies intent, which can be wrong or hijacked. The page supplies judgment, which must be designed. Safety in WebMCP is not a property of the agent you cannot control. It is a property of the tools you choose to expose and the confirmations you choose to require.
Consent is not one dialog box bolted onto everything. It is a gradient that should match the stakes of the action. Get it right and it is invisible where it should be and reassuring where it matters. Get it wrong and you either train users to click through warnings or you smother safe actions in friction.
For agentic surfaces, the confirmation experience is not a compliance afterthought. It is the moment the user decides whether to let an agent act on your site again. A clumsy prompt costs you the next ten interactions. A clear one earns them. Spend on this the way you would spend on a checkout flow, because for the agent era, it is one.
It is tempting to read this chapter as a list of costs: confirmations to design, tools to scope, logs to keep. That framing is backwards. In a market where almost no one is callable yet, the safety work is not overhead. It is how you become the default, and the default is the most durable position on the agentic web.
An agent has no brand loyalty and no patience. It keeps a running tally of what worked and routes around what did not. That makes reliability the only currency that matters, and it makes a single unsafe surprise expensive: it does not just lose one transaction, it removes you from the menu. The careful surface is not the slow one. It is the one still standing after the agent has pruned the rest.
Trust-first is not the cautious choice. It is the competitive one. The brands that treat safety as a feature will own the actions that brands treating it as a checkbox will lose.
We say ship trust-first because the alternative does not just risk a breach, it forfeits the flywheel. You cannot become an agent's default action if the agent has learned it cannot rely on you. Every confirmation you design well, every tool you scope tightly, every credential you refuse to touch is a deposit in the one account that compounds here. The next chapter turns all of this into a dated plan: what to do in the first thirty days, the first quarter, and the first year.
Everything so far points to one move: become callable before your category does. This chapter makes it concrete. A dated, phased plan with owners, a first-month checklist, and the metrics that tell you it is working.
The window is open and the capability layer is empty. The cost of moving now is one tool and a few descriptions. The cost of waiting is becoming the default no one switches away from, for someone else.
This is not a transformation program. It is a sequence of small, shippable bets, each one earning the right to the next. The plan is deliberately front-loaded toward proof, because the hardest and most valuable step is the first one: an agent calling your tool and getting a clean result.
Resist the urge to plan the whole catalog before you ship anything. The point of the first thirty days is a single undeniable example: an agent discovered your tool, called it with typed arguments, and got back a clean result. That one proof point changes the internal conversation from "should we" to "what next," and that shift is worth more than any roadmap slide.
Phase one fits in four weeks and on one page. It needs a front-end engineer, a marketer who can write, and someone who watches the numbers. No new infrastructure, no procurement cycle, no platform migration. Here is the week-by-week.
| When | Action | Owner | Done when |
|---|---|---|---|
| Week 1 | Audit your readiness level and pick three candidate tools | Eng and Marketing | You know your ladder level and your top three actions |
| Week 2 | Register one read-only tool, declaratively, on an existing form | Front-end | listTools() returns it and a test agent calls it |
| Week 3 | Write the description for a model and verify it gets chosen | Marketing and Eng | A test agent picks your tool over a generic alternative |
| Week 4 | Add logging, baseline the metrics, commit to tool number two | Eng and Analytics | You have a call baseline and a chosen next tool |
| Metric | What it tells you | Healthy signal |
|---|---|---|
| Time to first call | How fast agents discover a newly published tool | Hours to days |
| Call volume | Whether agents are actually using the surface | Rising weekly |
| Call success rate | Whether your tools are reliable enough to reuse | Above 95% |
| Description win-rate | Whether agents choose you over alternatives | Chosen first |
| Agent-attributed actions | Whether any of this drives real outcomes | Growing share |
You will not have a complete catalog, and you should not. What you will have is a working tool, a description you tuned until an agent reached for it, a number that shows how often it is being called, and a team that has seen the future arrive on their own site. That is a stronger position than ninety percent of the web, and you got there in a month.
Strip away the detail and the decision is simple. Moving now costs one tool and a few well-written descriptions, and the downside is small and reversible. Waiting costs nothing you can see, until a competitor becomes the action an agent takes by default and the slot is no longer yours to win. The two sides of this bet are not symmetric.
You are weighing a small, capped, recoverable cost against a loss that is unbounded and may be permanent. When the bet is shaped like that, the expensive mistake is not moving too early. It is waiting until the outcome is obvious, because by then the position you wanted will already belong to whoever moved while it was still uncertain.
Where this goes over the next twelve to twenty-four months, with our confidence stated plainly, followed by the single first move for whoever you are when you put this report down.
We will not pretend to certainty the evidence does not support. Each projection below carries an explicit confidence level, so you can weight it against your own risk appetite rather than ours.
Forecasting a young standard is an exercise in humility. The direction is clear; the timing is not. Below are the calls we are willing to make, each tagged with how sure we are. Treat the high-confidence rows as planning assumptions and the low-confidence ones as scenarios to watch, not bets to size.
| What we expect | By when | Confidence |
|---|---|---|
| Agent-readiness scoring becomes a routine audit, the way performance and SEO are today | 2026 to 2027 | High |
| Early movers in each category become the default action agents take for that job | 2026 to 2027 | High |
| Agent-driven activity becomes a tracked channel inside mainstream analytics suites | 2027 | Medium |
| WebMCP graduates from origin trial to broad availability in major browsers | 2027 | Medium |
| The competing standards consolidate into one clearer agent-capability stack | 2027 to 2028 | Low |
Notice that the two high-confidence calls are not about the technology, they are about behavior. Scoring will arrive, and defaults will form. You do not need to predict the exact month WebMCP hits stable to act on those two, because they are already underway. The browser timeline is a detail. The race for default status is the event.
A report earns its keep only if it changes what you do on Monday. So here is the single highest-leverage move for each person likely to be reading this, and the reason that move belongs to you specifically and not to the department down the hall.
| If you are the | Your first move | Why it is yours |
|---|---|---|
| Founder or CEO | Make callability a named objective for 2026 | This is a positioning bet about who owns the transaction, not an IT ticket to delegate |
| Head of Engineering | Ship one read-only tool this quarter | The first call is the hard part. Prove it works and the rest is iteration your team already knows how to do |
| CMO or Growth lead | Claim the tool-description layer as owned copy | That sentence decides whether an agent chooses you, and right now no one in marketing is writing it |
| SEO or GEO lead | Extend your remit from citability to callability | You already own being found and being cited. Being called is the same job, one layer further on |
| Product lead | Design the consent and confirmation experience | The confirmation flow is the new checkout, and its quality decides whether agents act on your site twice |
For thirty years the web optimized to be found, then to be read, then to be cited. The next decade is about being called. The brands that understand the difference will not just rank for intent. They will become the action it resolves to.
We wrote this report because the gap between what is possible and what is shipped has never been this wide or this brief. The standard is real, the agents are already here, and the capability layer is almost entirely empty. That combination does not last. It closes the moment the first wave of brands in each category becomes callable and agents learn where to go. Our argument is not that WebMCP is inevitable in its current form. Standards evolve and some of the details here will not survive. Our argument is that callability is inevitable, that trust is what makes it durable, and that the cheapest time to claim your place was the day this draft published. The second cheapest time is now.
How we gathered this, what we could not verify, where our interests lie, and the full ledger of external numbers so you can check our work rather than take it on faith.
A report that hides its limitations is selling something. We would rather you trust the parts that hold up because you can see where they came from, and discount the rest accordingly.
Three things you are owed before you act on anything in these pages: how the evidence was assembled, where it is thin, and what we stand to gain if you believe us. We have tried to be straight about all three.
The efficiency numbers, the token savings, the speed gains, the task-accuracy figures, are reported by parties with an interest in WebMCP's success. They are architecturally plausible and directionally consistent, a typed call genuinely is cheaper than reading a screen, but they have not been independently audited. We have labeled them as vendor-reported every time they appear, and we would treat them as strong signal rather than settled fact. Where a number is a hard count from a neutral source, such as Cloudflare Radar, we have said so.
One quote rule, one citation rule. Every exhibit in this report names its source on the exhibit itself, not buried in an endnote. Where a figure is our own analysis, we attributed it to MaximusLabs rather than dressing it up as external data. If a claim here is not sourced, treat it as opinion, because that is what it is.
This is the full accounting. Hard counts from neutral sources are marked as such. Vendor-reported figures are labeled so you can weight them. Anything attributed to MaximusLabs is our own analysis, not external data dressed up as fact.
| Figure or claim | Source | Type |
|---|---|---|
| Production WebMCP adoption near zero, from a scan of 111,076 of the top 200,000 domains | MaximusLabs domain scan | Analysis |
| Five operators account for 71% of AI-related bot traffic | Cloudflare Radar, May 17 to 23, 2026 | Hard count |
| Operator shares: Googlebot 26.2%, Meta 13.3%, Bytespider 11.4%, GPTBot 10.5%, ClaudeBot 9.3% | Cloudflare Radar AI Insights, May 2026 | Hard count |
| ClaudeBot crawl-to-referral ratio of 10,600 to 1 | Cloudflare Radar, 2026 | Hard count |
| 8.7% of AI bot requests met with a 403 Forbidden | Cloudflare Radar, 2026 | Hard count |
| WebMCP Community Group draft published | W3C Web Machine Learning CG, Feb 10, 2026 | Primary |
| Chrome 149 WebMCP origin trial opens | Google I/O announcement, May 19, 2026 | Primary |
| Lighthouse 13.3 adds an Agentic Browsing category | Google Lighthouse release, May 7, 2026 | Primary |
| Cloudflare Browser Run adds WebMCP support | Cloudflare, Apr 15, 2026 | Primary |
| Passive-signal adoption: robots.txt 83%, AI rules 79%, sitemap 68% | Cloudflare Radar and public crawl datasets, 2026 | Hard count |
| 89% fewer tokens, 98% task accuracy, roughly 40x faster per action | webmcp.link and Cloudflare | Vendor |
| WebMCP call cost of 20 to 100 tokens, 10 to 50 milliseconds | WebMCP draft guidance, 2026 | Vendor |
| Cost-per-action chart, three methods compared | Directional estimate, MaximusLabs | Analysis |
Every neutral figure here is published and can be confirmed at its source. The vendor figures can be found in the cited tooling documentation, and we encourage you to read them in context. If you reproduce a number from this report, carry its label with it, so the next reader knows whether they are looking at a measured fact or an interested estimate.
MaximusLabs is a research and advisory practice for the agentic web. Our work follows one thesis: a three-layer stack that decides who wins as AI agents take over discovery and action. This report is about the top of that stack, the layer almost no one has built yet.