The Interoperable Web: A Deep Dive into MCP and A2A Standards

The Interoperable Web: A Deep Dive into MCP and A2A Standards

Three protocols now govern how AI agents connect to tools, coordinate with each other, and act on web pages: MCP, A2A, and WebMCP. Two are production-ready open standards under Linux Foundation governance, adopted across AWS, Google, Microsoft, Salesforce, and SAP. The third is an early browser proposal that is often described as more settled than it is.

Together they determine whether a website is something an agent can only look at or something it can query and transact with. That distinction is becoming the practical difference between a site that participates in machine-to-machine demand and one that is invisible to it.

Key Takeaways

The interoperability layer consolidated faster than most infrastructure standards. The current state, in five points:

Why Interoperability Became the Bottleneck

An agent is useful only to the degree it can reach things beyond its own context window. Before standardization, every connection between a model and an external system was a bespoke integration, so the number of integrations grew as the product of models and tools rather than their sum.

That combinatorial problem is what MCP was built to collapse. It borrows its architectural logic from the Language Server Protocol, which solved an identical shape of problem: many editors, many languages, and an integration matrix that expanded until someone defined a common interface between them.

The Linux Foundation frames the second-order version of this plainly. As software systems operate more independently, coordination itself becomes the constraint on what they can accomplish, which is the gap A2A addresses at the level of whole agents rather than individual tools.

The same constraint now applies to websites. A site that renders only for human eyes forces any visiting agent into actuation, simulating clicks and keystrokes against an interface never designed to be read by a machine, and each inferred step is a place where the task can quietly fail.

💡 Expert note: Actuation fails silently and expensively; if your checkout depends on an agent correctly operating a custom date picker, assume a meaningful share of agent-initiated transactions never complete.

MCP: The Tool Access Layer and Its July 2026 Revision

MCP defines how an AI application connects to external systems. An agent discovers a server, the server exposes tools with typed inputs and outputs, and calls travel over JSON-RPC. The protocol operates on three primitives: resources for read-only data, tools for actions, and prompts for standardized templates.

Anthropic released it in November 2024 and donated it to the Agentic AI Foundation on December 9, 2025, a directed fund under the Linux Foundation co-founded with Block and OpenAI. The governance move mattered as much as any technical release.

Platinum members include AWS, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI. Direct competitors placed a shared connective layer under neutral stewardship, which is the condition that lets an operator build against it without betting on one vendor's roadmap.

Adoption figures as reported at the donation announcement:

Monthly SDK downloads
97 million+
Active public servers
10,000+
Governance
Agentic AI Foundation (Linux Foundation)
Client support
ChatGPT, Claude, Cursor, Gemini, Copilot
First released
November 2024

The protocol's next revision is its largest change since launch. The release candidate, locked in May 2026, publishes as final on July 28, 2026, and its headline change is that MCP becomes stateless at the protocol layer.

The initialize handshake and the Mcp-Session-Id header are both removed. Any request can now land on any server instance, so a remote server that previously required sticky sessions and a shared session store runs behind an ordinary round-robin load balancer.

Servers that still need continuity across calls do what HTTP APIs have always done: mint an explicit handle from a tool and have the model pass it back as an argument. State becomes visible to the model rather than hidden in transport metadata.

The revision also promotes extensions to first-class status, hardens authorization against a mix-up attack class specific to MCP's single-client, many-server pattern, and deprecates roots, sampling, and logging under a lifecycle policy guaranteeing at least twelve months before removal.

This release gives MCP the foundation we expect it to grow on for a long time.

For a site operator, the practical consequence is that exposing an MCP server is the standardized way to make a catalog, a booking system, or a pricing engine callable by an external agent without publishing a bespoke API for every counterparty.

A2A: The Agent Coordination Layer

Where MCP connects an agent downward to tools, A2A connects agents sideways to each other. Google announced it in April 2025 with more than 50 launch partners and donated it to the Linux Foundation two months later, establishing the Agent2Agent Protocol Project under neutral governance.

At its one-year mark the project reported more than 150 supporting organizations, including AWS, Cisco, Google, IBM, Microsoft, Salesforce, SAP, and ServiceNow. Microsoft embedded it in Azure AI Foundry and Copilot Studio; AWS added support through Bedrock AgentCore Runtime.

Version 1.0 was the release that met the enterprise production bar. It introduced multi-protocol support, enterprise multi-tenancy, Signed Agent Cards for cryptographic identity verification, and a web-aligned architecture supporting familiar security and load-balancing patterns.

The core repository has passed 22,000 GitHub stars, and the SDK ecosystem expanded from a single Python implementation to five production-ready languages. Agents built on different frameworks can now delegate sub-tasks and coordinate workflows without sharing internal memory.

The distinction from MCP is one of scope rather than capability, and both projects describe themselves as complementary:

Dimension MCP A2A
Governs Agent to tools and data Agent to agent
Boundary Within an organization Across organizations
Discovery Server capabilities Signed Agent Cards
Identity OAuth 2.0 / OIDC Cryptographic agent identity
Governance Agentic AI Foundation Linux Foundation
Scale signal 10,000+ public servers 150+ organizations

Practical adoption is narrower than supporter counts suggest, a caveat worth holding onto. Supporting a standard spans a wide range of commitment, and the announcement named production verticals without publishing deployment counts or usage metrics.

The Payments Layer and the Transaction Endpoint

Coordination alone does not close a sale. The Agent Payments Protocol extends A2A into economic exchange, with more than 60 organizations across payments and financial services backing it, capturing cryptographic evidence of a user's consent to purchase.

That consent artifact is the part that matters. An agent spending money on someone's behalf creates an authorization question that ordinary web checkout never had to answer, since a human clicking a button was itself the proof of intent.

This is where an agent-readable site stops being a discovery asset and becomes a transaction endpoint. A distributor exposing specifications, compatibility, and live stock through MCP, reachable by a buyer's agent over A2A, with settlement handled under AP2, can complete a machine-to-machine sale end to end.

The catalog stops functioning as a storefront and starts functioning as a node other systems transact against, which is a different asset with a different economic profile.

💡 Expert note: Sequence the layers rather than adopting all three at once; a structured MCP server with live inventory is worth more than an agent card pointing at a catalog nobody can query.

WebMCP and the Browser Layer

WebMCP is routinely listed as the settled third pillar of the agentic stack. That framing runs well ahead of its status. It is a proposal from the W3C Web Machine Learning Community Group, co-authored by Microsoft and Google engineers, available as an origin trial from Chrome 149.

The concept is direct. A page registers callable tools through navigator.modelContext, so a browsing agent invokes checkout or filter_results rather than inferring intent from the DOM. Tools carry JSON Schemas for inputs and outputs, and there are two authoring paths: an imperative JavaScript API and a declarative one that annotates standard HTML forms.

Its constraints are equally direct. Tool calls execute in page JavaScript, so a browser context must be open and headless invocation is impossible. Clients must visit a site directly to learn it has tools at all. No browser besides Chrome has shipped an implementation, and Firefox and Safari have not committed to timelines.

Security is gated but unfinished. The APIs require origin-isolated documents and sit behind a permissions policy defaulting to same-origin, while open questions around prompt injection and destructive actions remain acknowledged rather than resolved.

The reasonable operator position is that WebMCP complements a server-side MCP integration rather than replacing it. Server-side exposure serves autonomous agents acting without supervision; the browser layer assists agents working alongside a person who is actively on the page.

What a Site Must Expose to Participate

Participation in this stack is not a plugin. It requires that the underlying business data exist in queryable form, which is the step most sites have not taken, since a CMS optimized for rendering pages rarely exposes anything an external agent can call.

The minimum viable posture has three parts. Structured data an agent can read without parsing layout. An MCP server exposing the operations that matter commercially rather than a generic content endpoint. And live connection to the systems of record, so answers reflect current stock, pricing, and availability rather than a snapshot from last quarter.

That last requirement is where most implementations stall. A protocol layer over stale data produces confident wrong answers at machine speed, which is worse for a buyer's agent than no endpoint at all, because a wrong answer gets acted on.

An agentic web treats this as architecture rather than an add-on, which is what separates it from a conventional site with an assistant attached. The same reasoning underlies our analysis of why this constitutes a distinct software category rather than a feature of existing platforms.

Frequently Asked Questions

What is the difference between MCP and A2A?

MCP standardizes how a single agent connects to tools and data sources, typically inside one organization. A2A standardizes how independent agents discover and coordinate with each other across organizational boundaries. Both projects describe themselves as complementary layers rather than competitors.

Is MCP an open standard?

Yes. Anthropic donated MCP to the Agentic AI Foundation, a directed fund under the Linux Foundation, on December 9, 2025. Platinum members include AWS, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI.

Can AI agents buy things from my website?

Technically yes, if the site exposes callable operations. The Agent Payments Protocol, an A2A extension supported by more than 60 organizations, captures cryptographic evidence of a user's consent to purchase, which is what makes agent-initiated transactions auditable.

Is WebMCP ready for production use?

No. WebMCP is a W3C Community Group draft available in a Chrome origin trial from Chrome 149. No other browser has shipped an implementation, and security questions around tool calls remain open. Treat it as a progressive enhancement over a server-side integration.

What happens to MCP servers when the July 2026 specification lands?

The specification published on July 28, 2026 removes the initialize handshake and the session header, so implementations built against the previous version need migration. Deprecated features keep working for at least twelve months under the new lifecycle policy.