MCP Relay: Connecting Your Browser to Everything

The Model Context Protocol, or MCP, is rapidly becoming the standard way for AI systems to interact with tools and data sources. Think of it as a universal adapter: any AI model that speaks MCP can use any tool that speaks MCP, without custom integrations. Tensor's MCP Relay takes this a step further by turning your entire browser into an MCP server, exposing over 50 browser capabilities as standardized tools that any MCP-compatible AI agent can call.

What MCP Actually Is

Before diving into the relay, it helps to understand what MCP provides. At its core, MCP defines a JSON-RPC protocol for three things: tools (actions an AI can take), resources (data an AI can read), and prompts (reusable templates for common tasks). A tool might be "click a button on a web page." A resource might be "the text content of the current tab." A prompt might be "summarize the page and extract all links."

MCP uses a client-server model. An MCP client, typically an AI application like Claude Desktop or a coding assistant, connects to one or more MCP servers that provide tools. The server advertises what tools it has, and the client calls them as needed. The protocol handles capability discovery, request routing, error handling, and result formatting.

What makes MCP powerful is its composability. An AI agent can connect to a file system server, a database server, a calendar server, and a browser server simultaneously, using tools from all of them in a single workflow. The agent can read a CSV from the file system, query a database for related records, check the calendar for meeting context, and then navigate to a web dashboard to verify the numbers, all through the same protocol.

The Architecture of the Relay

Tensor's MCP Relay consists of three components that bridge the gap between Chrome's extension environment and the MCP protocol:

1. The Extension Core — runs inside Chrome and has access to all browser APIs: tabs, navigation, DOM manipulation, screenshots, cookies, storage, and more
2. The Native Messaging Host — a lightweight process that runs outside Chrome and communicates with the extension via Chrome's native messaging API
3. The WebSocket Bridge — a local server that translates between MCP's JSON-RPC messages and native messaging format, exposing a standard MCP endpoint on localhost

The data flow looks like this: an MCP client connects to the WebSocket bridge on ws://localhost:3945. It sends an MCP tool call, such as "navigate to URL." The bridge translates this into a native messaging payload and sends it to the native host. The native host forwards it to the Chrome extension via Chrome's messaging API. The extension executes the navigation and sends the result back through the same chain.

// MCP tool call flow
MCP Client (Claude, Cursor, etc.)
    |
    | JSON-RPC over WebSocket
    v
WebSocket Bridge (localhost:3945)
    |
    | Native Messaging (stdin/stdout)
    v
Native Messaging Host (tensor-bridge)
    |
    | chrome.runtime.sendNativeMessage
    v
Tensor Extension (Chrome)
    |
    | chrome.tabs, chrome.scripting, etc.
    v
Browser Action (navigate, click, read, etc.)

The Tool Catalog

The relay exposes over 50 tools organized into categories. Each tool has a defined schema for its inputs and outputs, complete documentation, and error handling. Here are the major categories:

• Navigation — navigate to URL, go back/forward, reload, open new tab, close tab, switch between tabs
• Page reading — get page text, get accessibility tree, extract structured data, take screenshot, read console logs
• Interaction — click element, type text, fill form, select dropdown, scroll, hover, drag and drop
• Element finding — find by CSS selector, find by text content, find by ARIA attributes, find by visual description
• Data extraction — extract table data, extract links, extract images, extract metadata, extract structured data (JSON-LD, microdata)
• State management — get/set cookies, read/write localStorage, manage session storage, check authentication state
• Monitoring — watch for element changes, monitor network requests, observe console output, track page performance
• Advanced — execute JavaScript, inject CSS, intercept requests, modify headers, emulate devices

Each tool is designed to be composable. An AI agent can chain navigate, find_element, click, and get_page_text to build complex workflows without any custom code.

Security: The Permission Layer

Exposing browser control to external agents raises obvious security concerns. The relay implements a multi-layered permission system to ensure that only authorized actions are executed.

First, the relay only accepts connections from localhost. No remote connections are possible. Second, the initial connection requires a one-time authentication token that the user generates from within the Tensor extension. Third, every tool call goes through a permission check based on the user's configured security level:

• Restrictive — only read-only tools are available, no clicking, no form filling, no navigation to new domains
• Standard — read and interact tools are available, but sensitive actions like cookie access and JavaScript execution require per-call approval
• Permissive — all tools available without per-call approval, but all actions are logged and can be audited
• Custom — granular per-tool permissions, allowing fine-grained control over what each connected client can do

Additionally, the relay supports domain allowlists. You can configure it so that an external agent can only interact with specific websites, preventing accidental or malicious navigation to sensitive domains like banking sites.

// Permission configuration
{
  "securityLevel": "standard",
  "allowedDomains": ["github.com", "*.google.com", "docs.example.com"],
  "blockedDomains": ["*.bank.com", "accounts.google.com"],
  "requireApproval": ["execute_javascript", "set_cookie", "modify_headers"],
  "maxConcurrentActions": 3,
  "actionTimeout": 30000
}

Real-World Use Cases

The relay unlocks several powerful workflows that were previously impossible or required complex custom tooling.

AI coding assistants with browser access. When you are working in a code editor with an AI assistant, the assistant can use the relay to open your development server, navigate through the UI, take screenshots to verify layout, fill out forms to test validation, and check the browser console for errors. The assistant never leaves your editor but has full visibility into the running application.

Multi-step research automation. An AI agent running in a terminal can use the relay to search for information across multiple websites, extracting and cross-referencing data, building comparison tables, and saving results to a local file. The browser is the research tool, and the agent orchestrates it programmatically.

Testing and quality assurance. Automated testing frameworks can connect via MCP to run end-to-end tests against any website, using the same browser instance that a real user would use, complete with extensions, cookies, and logged-in sessions. This eliminates the gap between test environments and production.

Accessibility auditing. An AI agent can use the accessibility tree tool to audit any website for accessibility issues, navigating through every page, checking color contrast, verifying ARIA labels, and generating a detailed compliance report.

Performance and Reliability

The relay is designed for production use. Tool calls complete in under 100 milliseconds for simple actions like reading page text, and under 500 milliseconds for complex actions like taking screenshots. The WebSocket connection includes automatic reconnection with exponential backoff, heartbeat monitoring, and request queuing to handle transient disconnections gracefully.

All tool calls are idempotent where possible. Navigating to a URL that is already loaded returns immediately. Clicking an element that has already been clicked is a no-op if the page state has not changed. This makes it safe for AI agents to retry failed actions without causing unintended side effects.

The relay also includes a recording mode that captures every tool call and its result as a replayable session. This is invaluable for debugging: when an AI agent produces an unexpected result, you can replay the exact sequence of actions to understand what went wrong.

The Bigger Picture

MCP Relay is not just a feature. It represents a philosophical commitment to openness. Tensor does not want to be the only AI that can control your browser. By implementing MCP, we make it possible for any AI system to leverage browser capabilities through a standard protocol. Your favorite coding assistant, your company's internal AI tools, or even a script you wrote yourself can all interact with the browser through the same clean interface.

The browser is the most universal application platform on earth. MCP Relay makes it programmable by AI. That is a capability whose applications we are only beginning to explore.