# WebMCP Runs In Chrome. My 400 Daily Tool Calls Don't.

> Source: <https://dev.to/lamingsrb/webmcp-runs-in-chrome-my-400-daily-tool-calls-dont-4ek3>
> Published: 2026-07-09 06:11:50+00:00

Google I/O 2026 shipped WebMCP and half the AI Twitter timeline is calling it "the new MCP standard." It isn't. It's a browser-scoped protocol that solves a completely different problem than the MCP servers currently running on your VPS at 3 AM. Here's the boundary Google buried in the docs, and how to decide which side of it your agent belongs on.

WebMCP is a browser-scoped tool protocol. It exposes tools to an agent **from inside a Chrome tab** — the tools live in the page, auth is the user's active session, and the runtime is the browser itself. That's the entire surface area.

When Google says "agentic web," they mean an agent that operates inside a tab the user already has open, using the cookies and OAuth tokens already loaded. That's a legitimate and useful pattern:

What WebMCP is **not**: a replacement for the stdio and HTTP MCP servers running headless on your machine or VPS. Different runtime, different auth model, different lifecycle. Calling it "the new MCP" is like calling a service worker "the new backend." Same protocol family, entirely different deployment target.

There's exactly one question you need to answer to pick correctly:

Is a human looking at a screen when the agent runs?

If yes → WebMCP is on the table.

If no → you need a real server-side MCP.

That's it. Everything else is retweet noise.

| Dimension | WebMCP | stdio / HTTP MCP |
|---|---|---|
| Runtime | Chrome tab | Your process (local, VPS, container) |
| Auth | User's browser session | Your API keys / OAuth tokens |
| Trigger | User action in the page | cron, webhook, queue, schedule |
| Lifecycle | While tab is open | 24/7 headless |
| Credentials scope | Whatever the user is logged into | Whatever you gave the process |
| Multi-account | Painful (one browser session) | Trivial (one process per tenant) |
| Runs at 6 AM while you sleep | No | Yes |

I run three MCP servers in production. Gmail triage, Telegram messaging, invoicing. They sit on a WSL Ubuntu box, run headless as systemd services, and between them handle **over 400 tool calls a day**. Zero of those calls involve a browser. There's no user session. There's no tab. The agent wakes on cron or a webhook, pulls email, decides what matters, drafts replies, pushes a Telegram notification, generates an invoice, goes back to sleep.

WebMCP can't do any of that. Not because it's broken — because it's scoped to a runtime where a human is present.

Here's the shape of one of my production servers, stripped to the bones. This is the Gmail triage server that runs on a 5-minute cron and processes the inbox before I'm awake:

```
# gmail_triage_server.py — stdio MCP server, runs as systemd service
from mcp.server import Server
from mcp.server.stdio import stdio_server
from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build

app = Server("gmail-triage")

# Credentials loaded from disk once at startup.
# No browser, no user session — a service account / refresh token.
creds = Credentials.from_authorized_user_file("/etc/agents/gmail.json")
gmail = build("gmail", "v1", credentials=creds)

@app.tool()
async def list_unread(max_results: int = 50) -> list[dict]:
    resp = gmail.users().messages().list(
        userId="me", q="is:unread -category:promotions", maxResults=max_results
    ).execute()
    return resp.get("messages", [])

@app.tool()
async def get_message(message_id: str) -> dict:
    return gmail.users().messages().get(userId="me", id=message_id, format="full").execute()

@app.tool()
async def draft_reply(thread_id: str, body: str) -> dict:
    # ...creates a draft, does not send
    return {"status": "drafted", "thread_id": thread_id}

if __name__ == "__main__":
    stdio_server(app).run()
```

The agent that calls this doesn't care what browser you use. It doesn't even know a browser exists. The credentials live in a file with `chmod 600`

, the process runs as a dedicated user, and the tool calls are logged to a local SQLite file so I can audit what happened overnight.

The systemd unit is boring on purpose:

```
# /etc/systemd/system/gmail-triage.service
[Unit]
Description=Gmail Triage MCP Server
After=network.target

[Service]
Type=simple
User=agents
ExecStart=/usr/bin/python3 /opt/agents/gmail_triage_server.py
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Now compare that to WebMCP. A WebMCP tool is declared by the page, discovered by the agent through the browser, and executed against the user's session. Rough shape:

``` php
<!-- Publisher-side: a page exposing a WebMCP tool -->
<script type="module">
  navigator.mcp.registerTool({
    name: "add_to_cart",
    description: "Add a SKU to the current cart",
    inputSchema: { type: "object", properties: { sku: { type: "string" } } },
    async handler({ sku }) {
      const res = await fetch("/api/cart", {
        method: "POST",
        body: JSON.stringify({ sku }),
        credentials: "include"  // user's session cookie
      });
      return await res.json();
    }
  });
</script>
```

Different world. That tool only exists while the tab is open, only works for the logged-in user, and only fires when an agent-capable browser decides to invoke it. Try to run that on a cron at 6 AM — you can't. There's no tab, no session, no user.

The pattern I see repeatedly with SMB owners chasing every I/O announcement: they conflate "AI in the browser" with "AI running my business." They're not the same thing, and the difference costs real money when you build the wrong one.

Concrete examples of workloads that **need** a server-side MCP, not WebMCP:

None of those have a "user looking at a screen" moment. All of them need a process holding *your* credentials, not a user's session cookie.

The inverse mistake is also real: building a heavy server-side agent to do something that's genuinely browser-scoped, like helping a user complete a checkout on a site they're already signed into. That's where WebMCP is the right answer and a VPS is overkill.

Since everyone's asking:

**Built-in AI in Chrome (Gemini Nano exposed to web pages)** — useful for tiny client-side tasks. Summarize this form, classify this input, redact PII before it leaves the browser. It's cheap because it runs on the user's device. It's limited for the same reason: small model, no tool use, no persistence, no cross-session memory. Use it for UX polish. Do not build a business process on it. If your "AI feature" breaks the moment the user closes the tab, it isn't a business process.

**Skills** — reusable capability bundles an agent can load on demand. This one is actually interesting for solopreneurs because it maps cleanly onto the problem of "my prompt library is now 40 markdown files and I can't remember which one does what." Collapsing those into shippable, versioned skill units is a real pattern. I'll write that one up separately — it deserves its own post, not a paragraph.

For context, the [Model Context Protocol spec](https://modelcontextprotocol.io) itself still defines stdio and HTTP as the transport surfaces for server-side MCP. WebMCP sits alongside it as a browser transport, not on top of it. Read the actual spec before believing a hot take.

The server-side MCP work I described above — Gmail triage, invoicing, Telegram/Slack notifications, lead follow-up, cross-tool sync — is exactly what we wire up for clients at [bizflowai.io](https://bizflowai.io) every week. The build is boring on purpose: real MCP servers on a VPS or your own box, holding your credentials, driven by cron and webhooks, logging every tool call so you can audit what the agent did overnight. Nothing fancy, nothing browser-dependent, nothing that stops working when you close a tab. If your automation needs to run while you're asleep, this is the shape it takes.

WebMCP is real, useful, and correctly scoped for browser-resident tools. It is not a replacement for the MCP servers doing the actual work in your business. If your agent needs a human staring at a screen to function, WebMCP is on the table. If it needs to run at 6 AM, on the 1st of the month, or when a webhook fires — you need a server-side MCP holding your credentials, and no keynote is going to change that.

400 tool calls a day. Zero browsers. Pick the runtime that matches the job.

I publish practical AI automation, GenAI engineering, and faceless content workflows on YouTube every week.

** Subscribe to bizflowai.io on YouTube** — never miss a new tutorial.

Planning an AI automation project or need a second opinion on your architecture?

** Connect with me on LinkedIn** — Lazar Milicevic, GenAI Engineer & bizflowai.io Founder.

[Visit bizflowai.io](https://bizflowai.io) for our services, case studies, and AI consulting.
