<!-- cf-webmcp:begin -->
## WebMCP on this site

WebBotAuth.net exposes structured tools to AI agents via WebMCP. The site is a neutral checker for Web Bot Auth deployments: it grades a domain's JWKS directory and RFC 9421 signatures from A to F.

### Available tools

- `check_web_bot_auth`: Check a domain's Web Bot Auth deployment. Returns a graded report (verdict valid/invalid/not_found, grade A-F, score, check results).
- `verify_signature`: Verify an HTTP message signature against the Web Bot Auth profile. Accepts Signature and Signature-Input headers from a signed request.

Full tool schema: [https://webbotauth.net/.well-known/webmcp](https://webbotauth.net/.well-known/webmcp)

### How agents connect

- **Browser-native agents** (Chrome with WebMCP flag enabled, Cloudflare Browser Run lab sessions): tools auto-register via `navigator.modelContext` when the page loads. No setup.
- **Desktop MCP clients** (Claude Desktop, Cursor, Claude Code, Windsurf): pair at [https://webbotauth.net/mcp](https://webbotauth.net/mcp). The pairing page hosts the localhost-bridge widget.

### Operational notes

- Tool calls go to `POST /_webmcp/exec/<tool_name>` with a JSON body.
- Responses use a stable envelope: `{ ok: true, data }` or `{ ok: false, error: { code, message, retriable } }`.
- Rate-limited responses include a `Retry-After` header; honour it.
- Operational health: [https://webbotauth.net/_webmcp/health](https://webbotauth.net/_webmcp/health).

### What to avoid

- Do not call `/_webmcp/exec/*` from cross-origin JS unless the publisher has configured `[cors].allowed_origins`.
- Do not retry on `rate_limited` errors faster than `Retry-After` indicates.
- The fallback widget only initialises on the pairing page above.
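
One way a client can act on the response envelope from the operational notes and the `Retry-After` rule above. This is an added example, not code from WebBotAuth.net. The envelope fields and the `rate_limited` code are from this page; `DEFAULT_BACKOFF_MS`, `MAX_WAIT_MS`, the function names and the reason strings are assumptions.

```javascript
// Added example: decide what to do with one /_webmcp/exec/<tool_name> response.
// Assumed values (not from the page): fallback delay and the longest wait we accept.
const DEFAULT_BACKOFF_MS = 5000;
const MAX_WAIT_MS = 10 * 60 * 1000;

// Retry-After is either delta-seconds or an HTTP-date (RFC 9110).
// Returns the delay in milliseconds, or null if the header is absent or unparsable.
function parseRetryAfter(value, nowMs) {
  if (typeof value !== "string" || value.trim() === "") return null;
  const v = value.trim();
  if (/^\d+$/.test(v)) return Number(v) * 1000;
  const at = Date.parse(v);
  if (Number.isNaN(at)) return null;
  return Math.max(0, at - nowMs); // a date in the past means "retry now"
}

// envelope is the parsed JSON body: { ok: true, data } or
// { ok: false, error: { code, message, retriable } }.
function nextAction(retryAfterHeader, envelope, nowMs) {
  if (envelope === null || typeof envelope !== "object" ||
      typeof envelope.ok !== "boolean") {
    // Not the documented envelope (e.g. an HTML error page): never retry blindly.
    return { action: "fail", reason: "malformed_envelope" };
  }
  if (envelope.ok) return { action: "done", data: envelope.data };

  const err = envelope.error || {};
  const parsed = parseRetryAfter(retryAfterHeader, nowMs);
  const waitMs = parsed === null ? DEFAULT_BACKOFF_MS : parsed;

  if (err.code === "rate_limited" || err.retriable === true) {
    // Never retry sooner than the server asked; give up if the wait is unreasonable.
    if (waitMs > MAX_WAIT_MS) return { action: "fail", reason: "retry_after_too_long" };
    return { action: "retry", waitMs };
  }
  return { action: "fail", reason: String(err.code || "unknown_error") };
}
```

Pass the value of `response.headers.get("Retry-After")` and the parsed JSON body to `nextAction`, and sleep for `waitMs` before the next `POST` when the action is `retry`.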
<!-- cf-webmcp:end -->
