
WebMCP: MCP over HTTP, no local install

What WebMCP (MCP over HTTP/SSE) is, why a remote MCP with no install matters, a minimal example, mistakes, and how to verify.


What it is

WebMCP is an implementation of the Model Context Protocol over standard HTTP/SSE requests. Unlike local MCP (stdio transport), WebMCP lets Claude and other MCP clients connect to a remote server by URL — with no install on the user’s machine. The endpoint is usually published at /mcp or /.well-known/mcp.

Why it matters for AI agents

Local MCP must be installed on every machine. WebMCP delivers MCP functionality as SaaS: the user adds a URL to their client’s settings and gets the tools instantly. Benefits: a single update point (new tools reach everyone at once), standard OAuth 2.0 discovery for authorization, and scalability across all clients.

Minimal working example

MCP TypeScript SDK with the HTTP/SSE transport:

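import http from 'node:http';
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';

const server = new Server({ name: 'my-mcp', version: '1.0.0' },
  { capabilities: { tools: {} } });
let transport; // one client at a time; key transports by session for more

// HTTP endpoint (e.g. /mcp): GET opens the SSE stream, POST carries client messages
http.createServer(async (req, res) => {
  if (!req.url?.startsWith('/mcp')) return res.writeHead(404).end();
  if (req.method === 'GET') {
    transport = new SSEServerTransport('/mcp', res);
    await server.connect(transport);
  } else if (req.method === 'POST' && transport) {
    await transport.handlePostMessage(req, res);
  } else res.writeHead(405).end();
}).listen(3000); // port is an arbitrary choice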

For an authenticated WebMCP, add OAuth discovery (/.well-known/oauth-protected-resource) — see the OAuth Protected Resource guide.

Right vs wrong

| Right | Wrong |
| --- | --- |
| A remote HTTPS endpoint (/mcp) | stdio only — unreachable over the network |
| Advertised via an MCP Server Card | An endpoint that can’t be discovered |
| OAuth discovery for a protected server | Protected, but the agent can’t find where to log in |
| A correct SSE/HTTP transport | A non-standard transport clients can’t use |

Common mistakes

  • No MCP Server Card — the endpoint works but the agent can’t find it.
  • A protected server with no OAuth discovery — authorization can’t be done autonomously.
  • CORS not configured — browser MCP clients can’t connect.
  • stdio only — not WebMCP by definition.
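
The OAuth discovery and CORS mistakes above, as an added example (not code from the MCP SDK or from this guide): a framework-free policy function that decides how a protected /mcp endpoint answers each request. The hostnames, the origin allowlist, the token and the verifyToken callback are constructed assumptions. The resource identifier is the bare origin so that the metadata document sits at the /.well-known/oauth-protected-resource path this page names.

```javascript
// Added example: request policy for a protected WebMCP endpoint.
// Every URL, origin and token below is constructed for illustration.
const config = {
  resource: 'https://mcp.example.com',
  authorizationServers: ['https://auth.example.com'],
  allowedOrigins: new Set(['https://app.example.com']), // browser clients you trust
  verifyToken: (token) => token === 'constructed-valid-token', // stand-in for real validation
};
const METADATA_PATH = '/.well-known/oauth-protected-resource';

// CORS headers only for allowlisted origins; never reflect an arbitrary Origin.
function corsHeaders(origin, cfg) {
  if (!origin || !cfg.allowedOrigins.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Expose-Headers': 'WWW-Authenticate', // lets browser clients read the challenge
  };
}

// Decide the response for one request: { status, headers, body }, or
// { forward: true, headers } when the request may reach the MCP transport.
function decide(req, cfg = config) {
  const headers = corsHeaders(req.origin, cfg);
  const path = req.path.split('?')[0];
  if (req.method === 'OPTIONS') return { status: 204, headers, body: null }; // preflight
  if (path === METADATA_PATH && req.method === 'GET') {
    // RFC 9728 protected resource metadata: tells the agent where to log in.
    const body = JSON.stringify({ resource: cfg.resource, authorization_servers: cfg.authorizationServers });
    return { status: 200, headers: { ...headers, 'Content-Type': 'application/json' }, body };
  }
  if (path !== '/mcp') return { status: 404, headers, body: null };
  const m = /^Bearer (.+)$/.exec(req.authorization || '');
  if (!m || !cfg.verifyToken(m[1])) {
    const metadataUrl = new URL(METADATA_PATH, cfg.resource).href;
    return { status: 401, body: null,
      headers: { ...headers, 'WWW-Authenticate': `Bearer resource_metadata="${metadataUrl}"` } };
  }
  return { forward: true, headers };
}
```

In a real handler, write the returned headers to the response before handing a forwarded request to the transport, so that allowlisted browser clients can read the reply.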

How to verify

⚠️ The webmcp check in the scanner is marked as coming soon: full verification needs a headless browser (to check navigator.modelContext) and is planned for v2. For now the check is informational (weight 0, doesn’t affect the score). Until then, rely on the adjacent checks, MCP Server Card and OAuth Protected Resource, which are already verified.
