WEBMCP EXPERIMENT
Public REST access for agents, plus an experimental browser integration. The ordinary verifier form continues to work without WebMCP.
Agents can invoke saspien.verify-url through the public REST API without a browser or open page. Supported browsers can also register the same read-only capability through WebMCP on TEST DRIVE SASPIEN.
How it works
Direct clients POST a JSON body to /api/v1/verify and receive the verifier report without a DOM. Separately, the Verify page feature-detects document.modelContext, loads the canonical contract, and registers the browser tool only while the page is open. That browser path keeps using the existing same-origin endpoint and renders the report in the page.
Verifiable with SASP
The exact JSON contract loaded by the browser is declared in Cabranet Digital SL's root SASP manifest with a SHA-256 content digest. Running TEST DRIVE SASPIEN against cabranetdigital.com or its manifest verifies the publisher domain, declaration, same-origin artifact, and contract bytes before an agent relies on the tool metadata.
Security boundaries
Both paths are read-only, HTTPS-only, rate-limited, and guarded against private or reserved network targets. The REST endpoint permits cross-origin calls and has a separate rate-limit bucket; the browser endpoint remains same-origin. Output is untrusted because target-controlled content can appear in reports.
Limitations
WebMCP is a W3C Community Group draft dated 11 June 2026, not a W3C Standard, and browser support is experimental. The WebMCP path requires the Verify page, but the REST API does not. This is not an MCP server, and SASP authenticates the published contract rather than remotely attesting the executing browser bundle. Verifier output remains evidence, not a certification or guarantee.
Canonical resources
Public REST APIPOST /api/v1/verify