How the .well-known directory enables seamless integration between websites and external services through Model Context Protocol (MCP) configuration.
Update (2026): Industry momentum around MCP has cooled relative to 2024–2025 peaks. For new work we treat SKILLS.md (or the same instructions under another filename) as the default agent contract: it is usually far cheaper in tokens than standing up MCP for every surface, while /.well-known/mcp.json stays available when you need JSON discovery or legacy clients. The current recommendation is to publish both /.well-known/mcp.json and /.well-known/skills.md when you want a machine-readable endpoint list plus a lightweight human/agent instruction layer. See the MCP Discovery specification for the formal split between SKILLS-first guidance and the optional well-known JSON shape.
This write-up was also updated recently so that the current recommendation is obvious without having to infer it from the older 2024 framing.
Timeline (informative): This story was committed roughly a month before Google publicized MCP-related support in the Chrome browser. That ordering is historical context only.
The Challenge
Modern web applications increasingly need to integrate with external services - from repair tracking systems like MotherboardRepair.ca to analytics platforms, content management systems, and specialized business tools. However, these integrations often require manual configuration, API key exchanges, and hardcoded endpoints.
The .well-known directory, a web standard established by RFC 8615, provides a standardized location for websites to publish configuration metadata. This creates an opportunity to use Model Context Protocol (MCP) configurations to enable external services to automatically discover integration capabilities and configuration details.
The Approach
The solution involves creating MCP configuration files in the .well-known directory that external services can discover and consume. Pair that with SKILLS.md so assistants get conventions first, and keep JSON for endpoints that are awkward to spell out in prose. In the updated pattern, publishing both /.well-known/mcp.json and /.well-known/skills.md gives agents a stable place to look whether they prefer structured JSON or lightweight Markdown instructions.
When the API is not at /
RFC 8615 pins well-known metadata to the origin root, but products rarely live only there:
- Subdirectory APIs — Serve
/.well-known/mcp.jsonand/.well-known/skills.mdon the same origin and pointtools[]/servers[]entries at absolute URLs under your API prefix (for examplehttps://example.com/api/v2/...), while using the Markdown file to explain the base path, conventions, and safe calling patterns. - CNAME subdomains —
api.example.comandwww.example.comare different origins. Publish discovery on each host that agents should treat as first-class, or list child origins from a parent discovery file and expect stricter consent for cross-origin calls. - CLI-only or private hosts — There may be no public
https://origin. Ship SKILLS.md with the tool, and where local discovery matters, vendor both.well-known/skills.mdand.well-known/mcp.jsonbeside it for file-based consumers.
This approach provides several benefits:
Service Discovery
External services can automatically detect integration capabilities by checking standard endpoints like:
/.well-known/mcp.json- Machine-readable endpoint and capability metadata/.well-known/skills.md- Lightweight agent instructions, conventions, and usage notes/.well-known/services.json- Available service integrations/.well-known/webhooks.json- Webhook configuration endpoints
Configuration Sharing
Instead of manual API key exchanges, services can publish their integration requirements and capabilities in a standardized format:
{
"mcp": {
"version": "1.0",
"services": [
{
"name": "repair-tracker",
"type": "external-integration",
"endpoint": "https://tracker.motherboardrepair.ca/",
"capabilities": ["ticket-lookup", "status-updates"],
"auth": {
"type": "api-key",
"discovery": "/.well-known/mcp-auth.json"
}
}
]
}
}Real-World Example: MotherboardRepair.ca Integration
The MotherboardRepair.ca repair tracking system demonstrates this pattern in action. When a website integrates with their repair service:
- Discovery Phase: The external service or agent checks
https://example.com/.well-known/skills.mdandhttps://example.com/.well-known/mcp.json - Capability Detection: Reads conventions from Markdown and identifies integration points and authentication details from JSON
- Configuration: Automatically configures webhooks and API endpoints
- Integration: Seamlessly connects repair ticket systems with customer websites
Configuration Example
{
"mcp": {
"version": "1.0",
"integrations": {
"repair-tracking": {
"provider": "MotherboardRepair.ca",
"base_url": "https://tracker.motherboardrepair.ca/",
"endpoints": {
"ticket_lookup": "/api/tickets/{ticket_id}",
"status_webhook": "/webhooks/repair-status"
},
"authentication": {
"method": "bearer-token",
"token_endpoint": "/oauth/token"
},
"webhook_config": {
"events": ["status_changed", "repair_completed"],
"secret_header": "X-Webhook-Secret"
}
}
}
}
}Technical Implementation
Directory Structure
.well-known/
├── mcp.json # Machine-readable endpoint metadata
├── skills.md # Lightweight agent instructions
├── services.json # Available services
├── webhooks.json # Webhook endpoints
└── auth/
├── oauth.json # OAuth configuration
└── api-keys.json # API key specificationsSecurity Considerations
- All
.well-knownendpoints should use HTTPS - Sensitive configuration data should be protected
- Webhook secrets should be rotated regularly
- Rate limiting should be implemented on discovery endpoints
CORS and Access Control
External services need appropriate CORS headers to access .well-known resources:
location /.well-known/ {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
}Specification Shape: /.well-known/mcp.json and /.well-known/skills.md
Below is the specification shape used here for paired MCP discovery and lightweight Markdown agent instructions under .well-known.
Abstract
This document defines a pair of well-known resources, /.well-known/mcp.json and /.well-known/skills.md, that allow a website origin to publish Model Context Protocol (MCP) connection metadata alongside lightweight agent instructions for tools/services associated with that origin (or explicitly delegated services). This enables automatic discovery by compatible clients (agents, IDEs, automations) without forcing every client into the full MCP stack.
Status of This Memo
This document defines the implementation guidance used here for paired well-known agent instructions and MCP discovery resources.
Conventions and Terminology
The key words MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY are to be interpreted as described in BCP 14.
- Origin: Scheme + host + port (e.g.,
https://example.com). - Discovery document: The JSON resource served at
/.well-known/mcp.json. - Skills document: The Markdown resource served at
/.well-known/skills.md.
1. Well-Known Resource
- JSON URI:
https://{origin}/.well-known/mcp.json - Markdown URI:
https://{origin}/.well-known/skills.md - Method: Clients MUST use
GET(and MAY useHEAD). - Responses:
200 OKwith JSON or Markdown when available,404 Not Foundwhen not supported. - Media types:
application/json; charset=utf-8formcp.json,text/markdown; charset=utf-8ortext/plain; charset=utf-8forskills.md - Caching: Servers SHOULD include
ETagand/orLast-Modified, and SHOULD setCache-Control(short TTL unless static).
2. Document Format (JSON)
The response body MUST be a JSON object containing an mcp object:
{
"mcp": {
"spec_version": "2026-01-21",
"status": "draft",
"servers": [],
"tools": []
}
}2.1 mcp.spec_version
- Type: string
- Meaning: A date-version for this discovery document format (not the MCP protocol version).
2.2 mcp.status
- Type: string
- Values:
draft|stable(extensible)
2.3 mcp.servers[]
An optional array of MCP servers. Each entry SHOULD include:
name(string, required)description(string, optional)url(string, required) — absolute URL for connectingtransport(string, optional) — e.g.http+sse,stdio,wsauth(object, optional) — e.g.{ "type": "none" | "api-key" | "oauth2", ... }
2.4 mcp.tools[]
An optional array of tools/services that are not necessarily MCP servers themselves but are discoverable integration targets. Each entry SHOULD include:
name(string, required)description(string, optional)url(string, required) — absolute URL of the servicecapabilities(array of strings, optional)auth(object, optional)
3. Delegation and External Services
If a tool/service is hosted on a different origin (e.g., https://tracker.motherboardrepair.ca/), the discovery document MAY list it explicitly, but clients SHOULD treat it as external and apply stricter trust rules:
- Prefer same-origin servers by default
- Require explicit allow-listing for cross-origin tool execution
- Surface clear UI/UX to the user that the tool is external
4. Security Considerations
- The discovery document MUST NOT contain secrets.
- Origins SHOULD serve the resource over HTTPS only.
- If CORS is enabled, servers SHOULD scope it to expected clients.
- Clients SHOULD require user consent before invoking external tools.
5. IANA Considerations
This document does not require additional registry actions for the implementation described here.
Results & Impact
This approach enables:
- Automatic Integration: External services can self-configure without manual setup
- Standardized Discovery: Consistent patterns across different service types
- Improved Security: Reduced need for hardcoded credentials and endpoints
- Scalability: Easy addition of new integration points
- Developer Experience: Simplified integration workflows
Live Examples: My MCP-Enabled Services
I've implemented MCP configuration on several of my own services:
Hastebin Service
haste.nixc.us provides a simple paste service with MCP integration:
- MCP Endpoint: haste.nixc.us/.well-known/mcp.json
- CLI Tool: git.nixc.us/Nixius/haste-it - Command-line tool for quick uploads
- Capabilities: Create pastes, retrieve pastes, text sharing for AI assistants
Markdown Rendering Service
md.colinknapp.com provides markdown rendering with MCP support:
- MCP Server Card: md.colinknapp.com/.well-known/mcp/server-card.json
- Capabilities: Markdown to HTML conversion, document rendering, preview generation
These endpoints allow AI assistants like Claude, ChatGPT, and automation tools to interact with these services programmatically—enabling seamless integration into developer workflows.
Future Applications
The .well-known MCP configuration pattern could extend to:
- Analytics Platforms: Automatic Google Analytics or Matomo integration
- Content Management: WordPress or headless CMS connections
- E-commerce: Payment processor and shipping service integration
- Communication Tools: Slack, Discord, or email service webhooks
- Monitoring Systems: Error tracking and performance monitoring setup
- Browser Extensions: Potential future integration for browser-based MCP clients
Observations
- Standards Matter: Following web standards like
.well-knownensures broad compatibility - Security First: Always implement proper authentication and rate limiting
- Versioning: Include version information in configurations for future compatibility
- Documentation: Clear documentation of configuration schemas is essential
- Testing: Comprehensive testing of discovery and integration workflows
This pattern represents a significant improvement in how web services can integrate with external platforms, moving from manual configuration to automatic discovery and seamless integration.