The Web Has No Front Door for Agents


They're already your users. Right now the only way in is to pretend to be human. Here's what it takes to change that, and what we're building while the web catches up.
An agent opens a supplier portal. It signs in, clears the cookie banner, survives the SSO redirect, lands in the right workspace, and starts pulling the report it was asked for. Every one of those moves is something a person does a hundred times a day without thinking. The site watches it happen and does the rational thing. It gets suspicious.
So before the agent can do the work, it has to pass a test built to prove one specific claim: that it's a human being. It isn't. It clears the test anyway, because that's the job. Our own agents spend their days doing exactly this: navigating thousands of sites while proving, over and over, something that isn't true.
Sit with how strange that is. The most useful new category of software on the internet can only function by impersonating the users the internet was built for. There is no other way in. The web gives an agent no sanctioned way to log in, hold a credential, or say who sent it. The human front door is the only door there is. So agents walk through it wearing a disguise, and the web, behaving sensibly, treats them as intruders.
That's the real problem, and it's worth being precise about it. This isn't a model-quality problem. The models are already good enough to read the page, fill the form, and make the call. What's missing is everything around the decision: the infrastructure that would let an agent show up as a legitimate user instead of a suspicious one. The intelligence is solved; the lift is not.
Agents are a user class. Start designing for them.
A web agent isn't a script, a scraper, or an attacker that got clever. It's a new kind of user: it reads, types, decides, and comes back tomorrow to do it again. And increasingly it's a user of your product, whether or not you've decided to allow it.
This matters more than it sounds, because of where the useful web actually lives. The pages a search engine can index are a thin skin over the real thing. The overwhelming majority of what's worth doing sits behind a login: the dashboards, the admin panels, the supplier portals, the internal tools that run entire industries. The valuable web is the gated web. To work there, an agent has to authenticate, hold state, and act, the same as any person.
And here's the bind. When it does all of that correctly, it still looks wrong. A site can't tell disciplined agent work from an attack, because the two are identical at the wire. The agent has no way to announce itself, so good behavior and bad behavior arrive in the same disguise. That blindness is on us: we never gave the web a way to see.
Treating agents as first-class users is the fix, and it's infrastructure work, not a courtesy. It comes down to four things. Three let an agent function: a way to arrive with state, a way to carry credentials without exposing them, and a way to be recognized. The fourth lets it be trusted: a way for humans to stay accountable as it runs. The first three get the agent through the door. The fourth is what makes anyone willing to build the door in the first place.
Continuity: stop starting from zero
Watch a person use a tool they use every day. They show up already logged in. The right account is selected, the workspace is where they left it, the "don't show this again" banner was dismissed months ago. The site remembers them, so they start at the work.
A stateless agent gets none of that. Every run begins in a blank browser: no cookies, no session, no memory that it did this exact setup yesterday and the day before. So it logs in again. And logging in, every single time, is slow, brittle, and the fastest way to make a site nervous. It can trip MFA. It can summon a redirect or a modal that derails the run before any real work begins. For most workflows, login is pure overhead, paid in full before the real task begins.
The fix is to let the agent keep what it earned. Persist the browser state from a setup run: cookies, session, the selected account, the dismissed banner. Re-establish it next time, so the first request lands already authenticated instead of on a login screen. (We call ours Profiles; the idea matters more than the name.) The payoff is easy to measure: for a task whose URL we already know but that sits behind an auth wall, a warm start removes at least half the steps. Half. Because half the run was the doorway, not the room.
Continuity also changes how the work looks. Twenty fresh logins at one portal read as credential stuffing, twenty strangers hammering the gate. Twenty workers running off a single established session read as what they are: one returning user doing more, one session kept current while many read from it. Same load, opposite posture toward the site on the other end.
Credentials: the agent never needs the password
The instinct, when an agent has to log in, is to hand it the password. Don't.
The agent doesn't need to know the credential to use it. It can drive the login flow while the platform fills the secret outside the model's context, so the password never touches the prompt, the logs, the traces, or anything the model can see. The agent gets through the door. It just never holds the key.
This pairs with continuity in a way that closes a real gap. Sessions expire; sites force re-auth; policies rotate. When a saved session goes stale, the agent could land back on a login page. But the writer, the one worker that keeps the shared session current, can quietly re-authenticate with an approved credential and refresh the session, with no secret ever exposed. Continuity reduces how often login is needed. Safe credentials make login safe the few times it still is.
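A sketch of the credential handling described above, added here as an illustration and not taken from any platform's code: the model only ever emits a reference, and a broker swaps in the secret at the moment of typing. The `{{secret:...}}` syntax, the `CredentialBroker` class and the vault contents are assumptions, and the origin binding goes one step beyond the text so that a redirect or injected instruction cannot pull the secret onto another site.

```python
import re
from urllib.parse import urlsplit

# Constructed vault: each secret is bound to the one origin allowed to receive it.
VAULT = {
    "supplier_portal.password": {"value": "correct-horse-battery-staple",
                                 "origin": "https://portal.example.com"},
}
PLACEHOLDER = re.compile(r"\{\{secret:([\w.]+)\}\}")   # hypothetical reference syntax


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class CredentialBroker:
    """Resolves secret references at fill time; the trace never holds the value."""

    def __init__(self, vault):
        self._vault = vault
        self.trace = []          # what logs, traces and the model get to see

    def fill(self, page_url, selector, text, type_into_page):
        """Run a model-proposed 'type' action whose text may contain a reference."""
        def resolve(match):
            entry = self._vault.get(match.group(1))
            if entry is None:
                raise KeyError(f"unknown secret reference {match.group(1)}")
            if origin_of(page_url) != entry["origin"]:
                # Never release a secret to a page it was not issued for.
                raise PermissionError(f"{match.group(1)} not bound to {origin_of(page_url)}")
            return entry["value"]

        record = {"action": "type", "selector": selector, "text": text}
        try:
            resolved = PLACEHOLDER.sub(resolve, text)
        except (KeyError, PermissionError) as exc:
            self.trace.append({**record, "status": f"denied: {exc}"})
            return False
        type_into_page(selector, resolved)       # the value exists on the browser side only
        self.trace.append({**record, "status": "ok"})
        return True
```

`type_into_page` stands in for whatever browser driver call actually types into the field; the trace keeps the placeholder text, so replaying or exporting it discloses nothing.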
"Why not just use MCP?"
A sharp engineer asks this immediately, and it's the right question. When a site offers a clean, sanctioned interface for agents (an MCP server, a real API), use it. It's better than driving a browser. We're not romantic about clicking buttons.
But two things are true about that clean path. It rarely exists, and where it exists, it rarely covers the whole flow. Most of the web has no agent-facing interface at all, and the ones that do tend to expose a thin slice of what a real task actually requires. So the agent is left with two options: wait for someone to build the exact interface your workflow needs, or do the work through the same interface a human would. The browser is the floor that's always there. Every site has one, whether or not anyone built an agent a better way in.
So we build for that floor, and we hand the tools out instead of hoarding them. A search that returns results an agent can act on. A fetch that returns the content an agent needs instead of a page's worth of nav, ads, and boilerplate. A browser an agent can actually drive. We're building each as an endpoint any agent can call, not only ours: the coding agent running in someone's terminal can pick up the same capabilities. Being a competent web user shouldn't be a privilege of one company's stack.
Which reframes MCP entirely. MCP and the recognition we'll get to next are the same wish at two different layers: the web building proper entrances for agents instead of forcing them through the human one. MCP is a sanctioned way to act. A handshake is a sanctioned way to be known. Neither is universal yet. Until they are, agents work at the human floor. And that's exactly why they keep getting mistaken for intruders.
Recognition, not disguise
Here's the part we hold an opinion about.
There are two ways for an agent to get past the guard at the door. It can beat the guard: defeat the bot detection, blend into human traffic, slip through. Or it can be recognized by the guard: show up as a guest the system was expecting. The whole industry is pouring effort into the first. We think the first is a losing game.
Bypass is an arms race, and it's an arms race where good behavior is invisible by design. If your agent's strategy is to be indistinguishable from a human, then a careful, well-behaved, fully authorized agent looks exactly like a malicious one. You've spent enormous effort to throw away the one signal that would earn you trust. Every gain is temporary. Detection improves, you adapt, repeat, forever.
Recognition is the other road. Give the agent a name tag the site can verify: who it is, who sent it, what it's allowed to do, with an audit trail behind it. Now the twenty-readers pattern from earlier isn't a thing to detect and block. It's a known, authorized user doing known, authorized work. Fine on its face, because the agent could say what it was and chose to. Identity tends to consolidate; a handful of providers will likely end up issuing these the way single sign-on consolidated around a few names. A vault full of keys isn't an identity, and identity is the thing the web will actually need.
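What checking such a name tag could look like on the site's side, as an added example and not code from the original post. No standard for this exists, as the text says, so the tag format, claim names and issuer `idp.example` are hypothetical, and the shared-key HMAC stands in for the asymmetric signature an identity provider would use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real issuer would sign with a private key instead.
ISSUER_KEYS = {"idp.example": b"constructed-demo-key"}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def issue_tag(issuer, agent, on_behalf_of, scopes, ttl=300, now=None):
    """Issuer side: sign who the agent is, who sent it and what it may do."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "agent": agent, "on_behalf_of": on_behalf_of,
              "scopes": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_tag(tag, required_scope, audit_log, now=None):
    """Site side: return (allowed, reason) and append one audit record either way."""
    now = int(time.time() if now is None else now)
    claims, reason = {}, "ok"
    try:
        body, sig = tag.split(".")
        unverified = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        key = ISSUER_KEYS.get(unverified.get("iss"))
        expected = _b64(hmac.new(key or b"", body.encode(), hashlib.sha256).digest())
        if key is None or not hmac.compare_digest(expected, sig):
            reason = "bad signature or unknown issuer"
        else:
            claims = unverified          # signature checked: claims can be trusted
            if claims["exp"] <= now:
                reason = "expired"
            elif required_scope not in claims["scopes"]:
                reason = "scope not granted"
    except (ValueError, KeyError, TypeError, AttributeError):
        reason = "malformed tag"
    audit_log.append({"at": now, "agent": claims.get("agent"),
                      "on_behalf_of": claims.get("on_behalf_of"),
                      "scope": required_scope, "decision": reason})
    return reason == "ok", reason
```

Every decision, allowed or not, lands in the audit log with the agent and the party it acts for, and claims from a tag whose signature fails are never recorded as if they were true.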
Now the honest part, because you'll notice it anyway: we ship a stealth runtime today. We help agents avoid detection right now. That sounds like the opposite of everything above, so let's name it plainly. The handshake doesn't exist yet. There is no universal name tag, no standard for a site to recognize an authorized agent and wave it through. Until that's built, an agent that refuses to blend in simply doesn't work. It gets blocked doing legitimate work. Stealth is the bridge, not the destination. It keeps agents functional in the web we have while we argue for, and help build, the web we want. And even after the handshake exists, some sites will say no. Stealth's honest long-term job is narrower then: not hiding identity, just keeping sanctioned work from being misclassified as malicious.
We'd rather be caught arguing for the name tag while shipping the disguise than pretend the disguise is the goal.
Accountable autonomy: keep a human on the loop, not in it
Every argument above asks a site, or an enterprise, to extend trust to something that runs on its own. The question underneath all of it is: who's watching?
There's a real difference between a human in the loop and a human on the loop. In the loop, a person is inside the run, steering the agent, approving each step, clearing the MFA prompt by hand. It's safe and it doesn't scale; you've just turned an autonomous agent into an expensive remote control.
On the loop is different. The automations run to completion on their own. A monitoring agent watches them, checking outcomes, catching errors, flagging the runs that went sideways. A human is pinged only when something crosses a threshold that deserves a person. The human moves from operator to exception handler. Agents watch agents; people handle the genuinely serious. What the human verifies is the outcome, not the procedure: did the right thing happen, regardless of the exact sequence of clicks.
This is the pillar that makes the other three grantable. A site will hand a name tag to an agent that's supervised and auditable far sooner than to an anonymous one. The monitoring, the audit trail, the human backstop. That's the trust package that earns first-class status. Autonomy raises the altitude of oversight; it doesn't remove it.
The bridge, and the doors
The web has no front door for agents. Not to act: most sites offer no sanctioned interface, so the browser is the floor. Not to be known: there's no handshake, so legitimate work is forced to look illegitimate. Faced with that, agents do the only thing available: they use the human entrance in a human disguise, and get treated as a threat for it.
Some of this you can build now. The state an agent earns can persist instead of resetting every run. A credential can be used without being seen. Supervision can move to the edge of the loop instead of sitting in the middle of it. Some of it the web still has to agree to. There's no recognizing an agent until sites offer a way to be recognized. The throughline holds either way: make the agent legible, to the systems it visits and to the people answerable for it. That's the work we've taken on, and we're building it as capabilities any agent can pick up, the one in your terminal included, not just our own.
Agents are going to be first-class users of the web. The only open question is how long the web makes them sneak in through the back first.



