BROWSER

browserbase-mcp

Cloud-hosted browser automation. Like playwright-mcp but the browser runs on Browserbase's infrastructure, with persistent sessions, captcha solving, and stealth features.

Alive Recommended REVIEWED 2026-05-07
VERDICT

Worth it when local browser automation hits scaling or detection walls. For most workflows, playwright-mcp local is enough — Browserbase wins for production scrapers and high-volume agentic browsing.

What it does

Wraps Browserbase’s cloud browser API as MCP tools. The agent gets create_session, navigate, click, fill, screenshot, extract_text, solve_captcha (paid tier). Each session runs a real browser on Browserbase’s infrastructure, optionally persisting state across calls.

When you actually need it

If playwright-mcp running locally has hit a wall:

  1. Scaling. Spinning up 10 browsers locally eats RAM. Spinning up 10 browsers on Browserbase eats your wallet, but doesn’t crash your laptop.
  2. Bot-detection. Sites that block obvious automation (Playwright’s default user-agent / fingerprint) sometimes accept Browserbase. Not always, but more often.
  3. Captcha-heavy workflows. Browserbase’s captcha-solving (paid) is the only realistic option short of human-in-the-loop.
  4. Persistent authenticated sessions. Log in once on Browserbase, reuse the session across multiple agent calls without re-authing.
  5. Production agents on small infra. Your Lambda or Cloud Run instance doesn’t need to host Chromium.

Setup

"browserbase": {
  "command": "npx",
  "args": ["-y", "@browserbasehq/mcp"],
  "env": {
    "BROWSERBASE_API_KEY":  "bb_…",
    "BROWSERBASE_PROJECT_ID": "…"
  }
}

You’ll burn free-tier session-minutes quickly during development. Plan for the paid tier if this is going to production.

The catch

You’re outsourcing the browser. That’s the entire benefit and the entire catch.

  • Privacy posture changes. Browserbase sees every URL, every page, every form. For your own SaaS dashboards: usually fine (you’re already trusting Cloudflare, AWS, etc.). For competitor sites or PII-handling sites: read their docs.
  • Latency floor. Local browsing has a 50-100ms latency floor on click/navigate. Browserbase adds 100-300ms per call (network round-trip + server processing). For interactive workflows this matters.
  • Detection arms race. Sites that fingerprint browser sessions sometimes detect Browserbase IP ranges. Workarounds (residential proxies, paid tiers) help but aren’t guaranteed.
  • Vendor lock-in. Migrating from Browserbase to playwright-mcp local is a non-trivial code change because Browserbase exposes session-management primitives that local Playwright doesn’t have built in.

For most teams: start with playwright-mcp local. Move to Browserbase only when you’ve genuinely hit a wall the local version can’t overcome.

▸ MCP SECURITY SCORECARD Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
METHODOLOGY ↗
ADOPT WITH LIMITS

FOR: Cloud browser automation where local Playwright has hit scaling, detection, or persistence walls.

Worth it when local hits a wall. For most projects, playwright-mcp local is sufficient and avoids the third-party data flow. Read Browserbase's privacy and retention docs before pointing agents at PII-handling sites.

Maintainer corp

Browserbase team (Series A startup, well-funded).

Licence Apache-2.0
Code review yes

Browserbase team maintains; PRs go through Browserbase internal review.

Secrets handling scoped

API key + project ID via env. Browserbase's keys are per-project, scoped.

Sandbox container

Browser runs in Browserbase's sandbox infrastructure (real isolation between tenants).

Filesystem access scoped

Local server doesn't touch host fs; downloads happen on Browserbase side.

Shell access no
Network egress open

Agent navigates anywhere — that's the whole point. Lock down target URLs at the prompt level.

OAuth handling n/a

API-key auth, not OAuth.

Default permissions broad

Cloud browser drives anywhere agent points it. No 'read-only browse' mode.

Prompt-injection exposure high

Same as any browser-driving MCP. Pages can contain hostile DOM. Treat all extracted text as untrusted.

Supply chain surface low

MCP SDK + Browserbase official client + Playwright (for some local fallbacks).

Dep CVE surface clean
Rate-limit risk medium

Free tier: limited session minutes; paid tier: per-tier concurrency limits. Burst patterns hit rate limits faster than steady use.

Signed releases yes

npm package with provenance attestations.

Security policy yes
Telemetry forced

Browserbase logs every session for billing + debugging. Their server-side retention policy applies.

Data residency cloud

Browserbase's infrastructure (US primarily). Page contents visited flow through their servers.

Credential storage memory
DESTRUCTIVE TOOLS

5 present · human approval optional

  • click
  • fill
  • press_key
  • navigate
  • submit_form

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't