API & SDK Reference
WebMCP API &
SDK Reference
Programmatic access to scan, test, secure, and monitor your WebMCP tools. 50+ endpoints, TypeScript and Python SDKs, sub-100ms P95 latency.
$npx webmcp-cli ci --min-score 75
webmcp-cli
v2.4.1
ENDPOINTS50+
P95 LATENCY<100ms
UPTIME99.9%
SDKsTS · PY · CLI · REST
WebMCP lets websites expose tools to AI agents via navigator.modelContext. The API gives you programmatic control over the full stack — scanning, testing, security, analytics, and discovery — so you automate readiness at the speed you ship code.
Your Website
navigator.modelContext
WebMCP API
Scan · Test · Secure · Monitor
you are here
AI Agents
Gemini · GPT · Claude
What You Control
| Workflow | Description | Key Endpoints | For |
|---|---|---|---|
| Pipeline Gates | Block deploys that break agent readiness. Fail builds when score drops below threshold. | POST /v1/scanPOST /v1/test/promptsGET /v1/score | CTODevOps |
| Production Monitoring | Track agent interactions in real time. Alert on error spikes, schema mismatches, conversion drops. | GET /v1/analytics/trafficGET /v1/analytics/errorsPOST /v1/webhooks | DevOpsSRE |
| Multi-Client Scanning | Scan 25 client sites in parallel. Generate per-client readiness reports across portfolios. | POST /v1/scan (batch)GET /v1/scoreGET /v1/score/components | Agencies |
| Security Automation | Scan for injection vulnerabilities, over-parameterization, and intent-vs-behavior misrepresentation. | POST /v1/security/scanGET /v1/security/compliancePOST /v1/security/monitor | EnterpriseSecurity |
| Analytics & Reporting | Query agent funnels, revenue attribution, per-tool metrics, and competitive benchmarks. | GET /v1/analytics/*GET /v1/score/*GET /v1/discover/* | EnterpriseBuilders |
| Tool Discovery | Register in the Discovery Hub. Manage listings, monitor ranking, track agent adoption. | POST /v1/discover/registerGET /v1/discover/rankingGET /v1/discover/analytics | All |
Zero to First Score in 60 Seconds
1
Install & Initialize
~10stypescript
1npm install @webmcp/sdk23import { WebMCP } from '@webmcp/sdk';45const ar = new WebMCP({6 apiKey: process.env.WEBMCP_API_KEY // Free tier — get yours at web-mcp.net/keys7});2
Scan a Live Website
~20stypescript
1// Scans the URL for WebMCP tools — both imperative (registerTool) and2// declarative (HTML toolname attributes) — plus forms that SHOULD be tools3const scan = await ar.scan('https://your-site.com');45console.log(scan.score); // 82 — Agent Readiness Score (0-100)6console.log(scan.tools.detected); // 8 WebMCP tools found7console.log(scan.tools.suggested); // 3 forms that should become tools8console.log(scan.security.status); // "PASSED" — no injection vulnerabilities9console.log(scan.lint.warnings); // 2 — description quality issues3
See What Agents See
~5stypescript
1// Get the exact tool definitions that AI agents receive via navigator.modelContext2const tools = await ar.tools.list({ scanId: scan.id });34for (const tool of tools) {5 console.log(`${tool.name}: ${tool.description}`);6 console.log(` Parameters: ${Object.keys(tool.inputSchema.properties).join(', ')}`);7 console.log(` Type: ${tool.registrationType}`); // "imperative" or "declarative"8 console.log(` Annotations: readOnly=${tool.annotations?.readOnlyHint}`);9}4
Test Agent Accuracy
~25stypescript
1// Run 100 natural language prompts against your tools across 3 models2const coverage = await ar.test.promptCoverage({3 tools: tools,4 promptCount: 100,5 models: ['gemini-2.0', 'gpt-4o', 'claude-3.5'],6 categories: ['formal', 'casual', 'multilingual', 'ambiguous']7});89console.log(coverage.overallAccuracy); // 0.91 — 91% of prompts routed correctly10console.log(coverage.byModel.gemini); // 0.94 — Gemini is best for your tools11console.log(coverage.byModel.gpt4o); // 0.8912console.log(coverage.byModel.claude); // 0.9013console.log(coverage.failures[0]);14// { prompt: "cheap flights NYC", expected: "search_flights",15// got: "search_hotels", suggestion: "Add 'flights' to description" }Result: 8 tools discovered, security passed, 91% prompt coverage across 3 models — in 4 lines of code.
Production Examples
Block Deploys That Break Agent Readiness
Add to your GitHub Actions workflow. Runs on every PR. Takes <90 seconds.
Startup CTOsDevOps
yaml
1# .github/workflows/agent-readiness.yml2name: Agent Readiness Gate3on: [pull_request]4 5jobs:6 agent-readiness:7 runs-on: ubuntu-latest8 steps:9 - uses: actions/checkout@v410 - uses: webmcp/ci-action@v111 with:12 api-key: ${{ secrets.WEBMCP_API_KEY }}13 url: ${{ env.PREVIEW_URL }}14 min-score: 7515 require-security-pass: true16 prompt-coverage-min: 0.8517 models: gemini-2.0,gpt-4o,claude-3.518 fail-on-lint-errors: trueResult: If the Agent Readiness Score drops below 75, prompt coverage falls below 85%, or a security vulnerability is detected — the PR is blocked.
API Surface
49 endpoints · 8 domains
Scanning & Discovery6
POST
/v1/scanPOST
/v1/scan/batchGET
/v1/scan/{id}GET
/v1/scan/{id}/toolsGET
/v1/scan/{id}/suggestionsDELETE
/v1/scan/{id}Tool Management8
GET
/v1/toolsPOST
/v1/toolsGET
/v1/tools/{id}PUT
/v1/tools/{id}DELETE
/v1/tools/{id}POST
/v1/tools/validatePOST
/v1/tools/generatePOST
/v1/tools/importTesting & Simulation8
POST
/v1/test/promptsPOST
/v1/test/prompts/customPOST
/v1/test/playgroundPOST
/v1/test/workflowPOST
/v1/test/adversarialPOST
/v1/test/lintGET
/v1/test/{id}GET
/v1/test/{id}/failuresSecurity & Compliance6
POST
/v1/security/scanGET
/v1/security/scan/{id}POST
/v1/security/monitorGET
/v1/security/monitor/statusPOST
/v1/security/complianceGET
/v1/security/compliance/{id}Analytics & Production7
GET
/v1/analytics/trafficGET
/v1/analytics/toolsGET
/v1/analytics/errorsGET
/v1/analytics/journeysGET
/v1/analytics/revenuePOST
/v1/analytics/exportPOST
/v1/analytics/alertsScoring & Benchmarks4
GET
/v1/scoreGET
/v1/score/componentsGET
/v1/score/historyGET
/v1/score/benchmarkDiscovery Hub5
POST
/v1/discover/registerGET
/v1/discover/rankingGET
/v1/discover/analyticsPUT
/v1/discover/listingGET
/v1/discover/searchWebhooks5
POST
/v1/webhooksGET
/v1/webhooksPUT
/v1/webhooks/{id}DELETE
/v1/webhooks/{id}POST
/v1/webhooks/{id}/testSDKs & Developer Experience
TypeScript / JavaScriptprimary
npm install @webmcp/sdk
1import { WebMCP } from '@webmcp/sdk';2import type { ScanResult } from '@webmcp/sdk';34const ar = new WebMCP({5 apiKey: process.env.WEBMCP_API_KEY6});78const scan: ScanResult = await ar.scan('https://your-site.com');9console.log(scan.score); // 8210console.log(scan.tools.detected); // 8 tools foundNode.js 18+ · Deno · Bun · Edge runtimesdocs →
Python
ar = WebMCP(api_key=os.environ["WEBMCP_API_KEY"])Async/sync · Pydantic models · Python 3.9+
docs →CLI
$ npx webmcp-cli audit https://your-site.comZero-config · JSON output · GitHub Action available
docs →REST
POST /v1/scan with Authorization: Bearer $KEYOpenAPI 3.1 · Swagger UI · Postman collection
docs →Developer Experience
Error Types
Typed codes + fix suggestions
Idempotency
Safe to retry with keys
Pagination
Cursor-based on all lists
Versioning
12-month deprecation window
Rate Limits
Auto 429 handling in SDKs
Uptime
99.9% SLA
Latency
<100ms p95 global
Changelog
Every change documented
Authentication & Security
API KeysAll plans
Prefix-scoped keys (ar_live_, ar_test_). Fine-grained permissions. 2-key rotation without downtime.
curl -H "Authorization: Bearer ar_live_abc123..." api.web-mcp.net/v1/scanPrefix-scoped permissionsKey rotation without downtimeConfigurable TTL expiration
OAuth 2.0Team & Enterprise
Authorization Code + PKCE for SPAs. Client Credentials for server-to-server. Automatic token refresh in all SDKs.
new WebMCP({ clientId, redirectUri, scopes: ['scan:read', 'tools:write'] })Auth Code + PKCEClient Credentials flowAuto token refresh
Enterprise SSOEnterprise
SAML 2.0 and OIDC. SCIM 2.0 provisioning. IP allowlisting, audit logs, session management via your IdP.
new WebMCP({ sso: { provider: 'okta', tenantId: '...' } })SAML 2.0 / OIDCSCIM provisioningIP allowlisting + audit logs
Webhook SigningAll plans
HMAC-SHA256 on every delivery. 5-minute replay window. SDK verification helpers for Node.js and Python.
verifyWebhookSignature({ payload, signature, secret, tolerance: 300 })HMAC-SHA256 signaturesReplay protectionSDK verification helpers
Security Practices
· Never expose keys in client-side code· Use minimum scope per key· Rotate keys quarterly (2-key system = zero downtime)· Enable IP allowlisting in production· Always verify webhook signatures· Store keys in env vars / secrets managers
Webhooks & Events
| Category | Event |
|---|---|
| Scan | scan.completed |
| Scan | scan.failed |
| Score | score.changed |
| Score | score.dropped |
| Tool | tool.created |
| Tool | tool.updated |
| Tool | tool.deleted |
| Tool | tool.validation.failed |
| Security | security.vulnerability.found |
| Security | security.vulnerability.resolved |
| Security | security.monitor.alert |
| Security | security.compliance.ready |
| Analytics | analytics.traffic.spike |
| Analytics | analytics.error.spike |
| Analytics | analytics.revenue.milestone |
| Discovery | discover.listing.verified |
| Discovery | discover.ranking.changed |
| Discovery | discover.agent.connected |
webhook setup
const webhook = await ar.webhooks.create({
url: 'https://your-app.com/webhooks/webmcp',
events: ['scan.completed', 'score.dropped', 'security.vulnerability.found'],
secret: 'whsec_your_signing_secret'
});Guarantees· At-least-once delivery· Ordered per-resource· 5 retries (30s → 6h backoff)· 72h event retention· HMAC-SHA256 signed· Full delivery logs
Enterprise
DevOps Lead
Added CI/CD gate to 40 deploys/day pipeline. Blocked 3 agent-breaking deploys in week one. Gate runs in 12 seconds — faster than Lighthouse.
POST /v1/scanPOST /v1/test/promptsGET /v1/scoreCISO
Board-ready security dashboard via API. Zero critical vulnerabilities, 94/100 security score. GDPR and PCI-DSS compliance PDFs generated on demand.
POST /v1/security/scanPOST /v1/security/monitorPOST /v1/security/complianceCFO
23% of booking revenue now comes through AI agents — up from 0% six months ago. Revenue attribution broken down by agent and tool. ROI case irrefutable.
GET /v1/analytics/revenueGET /v1/analytics/trafficPOST /v1/analytics/exportEnterprise Capabilities
SSO (SAML/OIDC)IT
Okta, Azure AD, Google WorkspaceSCIM ProvisioningIT/HR
Auto user lifecycle from your IdPIP AllowlistingSecurity
Restrict to approved CIDR rangesAudit LogsCompliance
Full API history, SIEM-exportableCustom SLAsLegal
99.99% uptime with financial creditsDedicated InfraCTO
Isolated compute, data residencyPriority SupportEng
Slack Connect, 1-hour responseData ExportData
BigQuery, Snowflake, S3SSO (SAML/OIDC)Okta, Azure AD, Google Workspace
ITSCIM ProvisioningAuto user lifecycle from your IdP
IT/HRIP AllowlistingRestrict to approved CIDR ranges
SecurityAudit LogsFull API history, SIEM-exportable
ComplianceCustom SLAs99.99% uptime with financial credits
LegalDedicated InfraIsolated compute, data residency
CTOPriority SupportSlack Connect, 1-hour response
EngData ExportBigQuery, Snowflake, S3
DataPlans & API Limits
| Plan | Price | Req/min | Scans/day | Tests/day | |
|---|---|---|---|---|---|
Free | $0 | 60 | 10 | 100 | Start Free → |
Starter | $29/mo | 300 | 100 | 1,000 | Get Started → |
Propopular | $79/mo | 600 | 500 | 5,000 | Go Pro → |
Team | $249/mo | 1,200 | 2,000 | 20,000 | Start Team → |
Enterprise | Custom | Custom | Unlimited | Unlimited | Contact Sales → |
Team$249/mo
Req/min
1,200
Scans/day
2,000
Tests/day
20,000
Batch scanning, OAuth 2.0, white-label
Start Team →EnterpriseCustom
Req/min
Custom
Scans/day
Unlimited
Tests/day
Unlimited
SSO, SCIM, dedicated infra, 99.99% SLA
Contact Sales →All SDKs auto-handle 429 rate limits with exponential backoff. No data loss. Full pricing details →
next step
Get your API key and start scanning.
Every endpoint available on the free tier. No credit card required. Install the SDK, authenticate, run your first scan in under 60 seconds.
· Free tier never expires· Full SDK access· 50+ endpoints· 99.9% uptime