API / Auth / MCP
WebMCP
MCP over HTTP: access to MCP server via standard web requests without local installation.
What is WebMCP?
WebMCP (MCP over HTTP) is an implementation of the Model Context Protocol over standard HTTP/SSE requests. Unlike local MCP (stdio transport), WebMCP lets Claude and other MCP clients connect to remote MCP servers by URL without installing anything on the user’s machine.
MCP Client → HTTPS → Your MCP Server
↑
Standard HTTP/SSE transportThe endpoint is typically published at /mcp or /.well-known/mcp.
Why do you need WebMCP?
Local MCP requires installing a server on every user’s machine. WebMCP lets you offer MCP functionality as a SaaS service — the user adds a URL to Claude Desktop or another MCP client and gets the tool without any installation.
Key advantages:
- Single update point — the server is updated centrally; clients get new tools automatically.
- OAuth authorization — WebMCP servers support standard OAuth 2.0 discovery via RFC 9728.
- Scalability — the server is available to all clients simultaneously, rather than installed locally for each one.
How do you implement WebMCP?
Use the MCP TypeScript SDK with HTTP/SSE transport:
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
const server = new Server({ name: 'my-mcp', version: '1.0.0' }, {
capabilities: { tools: {} },
});
// Register tools
server.setRequestHandler(ListToolsRequestSchema, async () => ({
tools: [{ name: 'scan', description: 'Scan URL for agent readiness', inputSchema: { ... } }],
}));
// HTTP endpoint
const transport = new SSEServerTransport('/mcp', res);
await server.connect(transport);For an authorized WebMCP server, add OAuth discovery (/.well-known/oauth-protected-resource) as required by the MCP specification.
How do we check WebMCP?
The WebMCP check in the current scanner version is coming soon. A full check requires a headless browser to verify navigator.modelContext — this is planned for scanner v2.
For now, the webmcp check does not affect the total score (weight = 0) and returns an informational status. Related checks that already work: oauth_protected_resource, mcp_server_card.