Dokki Blog logo

Playwright MCP Workflow: Research to Publication

The Playwright MCP server gives MCP-compatible AI agents browser automation capabilities through structured page snapshots and browser tools. For research, its highest-value use is not autonomous browsing alone—it is a controlled workflow that records where evidence came from, captures the relevant page state, stores findings in a shared workspace, and requires review before publication.

What is the Playwright MCP server?

Playwright MCP is Microsoft’s Model Context Protocol interface for browser automation. It lets an AI client inspect and interact with pages through structured accessibility snapshots while maintaining browser state across an iterative session. It is an interaction layer—not a research source, citation system, or security boundary.

The short answer

A Playwright MCP workflow lets an agent operate a browser through structured tools, but reliable research needs more than navigation. Capture the source URL, retrieval time, evidence, and screenshot or excerpt in a shared workspace; require human review before publishing or acting on the findings.

Microsoft’s official Playwright MCP project exposes browser automation through Model Context Protocol. An agent can navigate, inspect page structure, click, type, fill forms, read console messages, capture screenshots, and use additional browser capabilities according to the server configuration.

The standard interaction model uses structured accessibility snapshots. Instead of guessing coordinates from pixels, the agent receives page elements with roles, accessible names, and references it can target.

This is useful for:

  • navigating documentation;

  • comparing current product pages;

  • collecting structured page evidence;

  • reproducing workflows;

  • checking page behavior;

  • capturing screenshots;

  • testing public forms or navigation;

  • monitoring changes on a known page.

It does not make arbitrary web content trustworthy. The official project explicitly states that Playwright MCP is not a security boundary.

Browser automation is not research provenance

An agent opening a page does not prove that the page is authoritative, current, independent, interpreted correctly, or still available later.

A research workflow must preserve both the browser action and the evidence object.

Field

Example

Research question

How does a competitor scope agent permissions?

Source URL

Direct final page URL

Page title

Title at capture time

Organization

Source owner

Accessed at

Timestamp and timezone

Page state

Logged out, trial, authenticated, locale

Evidence

Exact claim or observed behavior

Anchor

Heading, accessible element, or passage

Screenshot

Supporting visual when needed

Capture notes

Cookie banner, personalization, experiment

Reviewer

Person or agent that verified it

Status

Candidate, verified, rejected, stale

Without this record, browser output becomes another disposable chat transcript.

A safe research-to-publish architecture

!Safe research-to-publish architecture from trusted sources through browser isolation, evidence capture, review, and publication

Use two separately scoped connections:

  1. Browser connection: Playwright MCP inspects only the origins and browser state needed for the task.

  2. Workspace connection: Dokki MCP writes findings only into the designated research workspace.

The browser gathers evidence. The workspace preserves and coordinates it. A human or reviewer agent sits between evidence and public publishing.

Research brief → Playwright browser session → Candidate evidence and screenshots → Dokki evidence table → Source verification → Draft → Editorial approval → Publish and monitor.

Do not give one unbounded agent persistent authenticated browser access, unrestricted filesystem access, a production CMS, customer communication tools, and authority to publish.

Step 1: Write the browser research brief

Define:

  • decision or question;

  • target pages and allowed origins;

  • required public or authenticated state;

  • fields to capture;

  • actions allowed;

  • actions forbidden;

  • screenshot requirements;

  • stopping conditions;

  • workspace destination;

  • reviewer;

  • browser-state retention policy.

Example:

Compare how three agent-workspace products describe MCP access. Visit only official product and documentation domains. Capture the exact wording, URL, title, section, access date, and one screenshot. Do not log in, submit forms, accept trials, download executables, or follow third-party links. Write candidate evidence cards to the assigned Dokki table. Stop if credentials or a destructive action are required.

Step 2: Choose an isolated browser state

!Four browser-state options progressing from isolated context to an existing browser session

Playwright MCP supports persistent profiles, isolated contexts, supplied storage state, and connection to an existing browser.

Isolated context

Best for public research and reproducible tasks. State is discarded when the browser closes unless explicitly saved.

Dedicated persistent profile

Useful when repeat sessions are required. Do not reuse a personal browsing profile for autonomous research.

Supplied storage state

Useful for a controlled test account. Treat the storage-state file as a credential. Restrict access and remove unnecessary permissions.

Existing browser extension

Useful when a person intentionally wants the agent to use current tabs or logged-in state. This creates a broader trust surface and should remain supervised.

Never place production administrator sessions, personal email, payment accounts, or unrelated customer systems in the same context used for open-web research.

Step 3: Restrict the environment

The official server exposes configuration for hosts, origins, filesystem access, browser mode, permissions, output, profiles, and timeouts.

Important distinctions:

  • Allowed origins control requests but the project warns this is not a security boundary and does not cover redirects.

  • Filesystem access is restricted to workspace roots by default; unrestricted access must be deliberately enabled.

  • Browser permissions such as geolocation or clipboard access should be granted only when required.

  • A persistent profile stores logged-in information and can conflict if several instances use it.

  • Isolated sessions reduce state persistence but do not make malicious content safe.

Use operating-system or container isolation, minimal credentials, network controls, and task-specific accounts when the impact warrants them.

Step 4: Navigate from a known source list

Start with approved URLs rather than an unrestricted “research the internet” instruction.

For each URL:

  1. Record the expected domain.

  2. Navigate to the exact page.

  3. Capture the final URL after redirects.

  4. Record title and locale.

  5. Note access state and personalization.

  6. Inspect the structured snapshot.

  7. Identify evidence relevant to the brief.

  8. Avoid unrelated navigation.

  9. Stop when the page leaves scope.

Search engines are discovery tools, not evidence. Open and cite the original page.

Step 5: Capture evidence, not just text

!Audit-ready evidence card combining page capture, source, time, and structured claims

Textual claim

Store the exact passage, section heading, URL, and access date.

Product behavior

Record steps, inputs, visible result, account type, browser state, and screenshot or trace.

Pricing

Capture currency, billing period, plan, included units, region, tax context, and access date.

Comparison

Capture the same fields for every product. Explain any source asymmetry.

Visual claim

Use a screenshot when layout or visible state matters. Pair it with structured notes because images are difficult to search, quote, and refresh.

Dynamic page

Record filters, date range, sorting, selected tab, and query parameters. State that changing data is a snapshot.

Step 6: Write candidate evidence cards

The browser agent should not write final conclusions directly.

A candidate card includes:

  • claim candidate;

  • official source URL;

  • exact passage or observed behavior;

  • page state and locale;

  • access date;

  • screenshot;

  • limitations;

  • reviewer status.

For example, official documentation can support what a vendor claims. It does not prove that the workflow succeeds in every production environment.

Step 7: Review every central claim

A reviewer should:

  • open the saved URL;

  • confirm the final domain;

  • compare the passage with the evidence card;

  • check surrounding context;

  • verify time-sensitive facts;

  • distinguish behavior from vendor claims;

  • reject screenshots without context;

  • mark evidence verified, rejected, or stale.

For important product comparisons, run the workflow in a test account when possible and label anything not tested.

Step 8: Draft from verified evidence

The writing agent receives approved evidence cards, rejected claims, product facts, editorial standards, target intent, internal links, and CTA boundaries.

It should not continue browsing silently while drafting. If new evidence is needed, it creates a research request and returns to the evidence stage.

Step 9: Run SEO and GEO review

For SEO:

  • answer the query immediately;

  • include original operational detail;

  • match title and headings to intent;

  • link primary sources;

  • use a stable canonical slug;

  • avoid duplicating generic installation guides;

  • connect to the MCP pillar hub.

For GEO:

  • define Playwright MCP in a self-contained passage;

  • state security limitations;

  • keep attribution near technical claims;

  • use independently understandable tables;

  • answer natural-language questions directly;

  • show the verification date;

  • separate fact from recommendation.

Step 10: Publish with a rollback path

Before publishing:

  1. Verify the article against its evidence table.

  2. Confirm screenshots contain no secrets or personal data.

  3. Remove session identifiers and internal URLs.

  4. Check source links.

  5. Set canonical URL and metadata.

  6. Record approver and version.

  7. Publish to the intended destination.

  8. Verify public HTML and sitemap inclusion.

  9. Keep a rollback path.

  10. Schedule evidence refresh.

Browser automation can verify the page but should not be the only indexability check.

Configuration baseline

The official package is @playwright/mcp. A cautious public-research starting configuration uses an isolated, headless browser and file-based outputs.

Example client settings:

  • command: npx

  • package: @playwright/mcp@latest

  • flags: --isolated, --headless, --browser chromium, --output-mode file

Treat this as a starting point, not a secure deployment recipe. Pin versions for repeatability and add origin and network controls appropriate to the task.

Avoid disabling sandboxing, allowing unrestricted file access, binding to all interfaces, connecting to a personal profile, or granting broad permissions unless the risk is understood and controlled.

Common failure modes

The agent cites a search result

Require the original page and final redirected URL.

A screenshot replaces structured evidence

Store searchable text, context, and the screenshot together.

The page changes after capture

Record access date, retain a permitted capture, and schedule refresh.

The agent acts on a page

Separate research tools from transactional actions and prohibit submission, purchase, deletion, posting, or messaging.

Logged-in state leaks into research

Use an isolated or dedicated test context and inspect captures before sharing.

Prompt injection changes the task

Treat page content as untrusted data, keep instructions outside page content, minimize tools and permissions, require approval for consequential actions, and stop on scope deviation.

Parallel sessions conflict

The official project notes that one persistent profile cannot be used by multiple browser instances simultaneously. Use isolated sessions or distinct user-data directories.

The workflow cannot be reproduced

Record server version, browser, viewport, locale, state, URLs, steps, and outputs.

When to use Playwright MCP

Use it when:

  • research requires interaction with a rendered page;

  • evidence depends on navigation or state;

  • reproducible screenshots matter;

  • accessibility structure improves targeting;

  • a bounded browser workflow is reviewable before external action.

Use direct HTTP, APIs, datasets, or purpose-built connectors when interaction is unnecessary. Browser automation is slower and exposes a larger attack surface.

How Dokki fits the workflow

Playwright MCP is the browser execution surface. Dokki is the shared evidence and publishing surface.

An agent can inspect approved pages, write evidence cards into a Dokki table, attach captures, draft a shared report, receive corrections, hand work to another agent, and publish the approved result.

Dokki MCP connections are scoped to one workspace and can be revoked, limiting where an external agent can read and write.

For protocol concepts, read What Is an MCP Server? Meaning, Architecture, and Examples. For the evidence method, read The AI Research Workflow: From Sources to a Reviewable Brief.

Frequently asked questions

What does the Playwright MCP server do?

It exposes browser automation to MCP-compatible AI clients. Agents can navigate and interact with pages using structured page information and configured browser tools.

Is Playwright MCP the same as Playwright Test?

No. They share browser automation foundations, but MCP exposes browser capabilities to AI agents. Playwright Test is a testing framework with test-runner concepts and assertions.

Does Playwright MCP use screenshots?

It can capture screenshots, but its standard interaction model uses structured accessibility snapshots so agents can target elements without relying only on pixels.

Is Playwright MCP safe for logged-in accounts?

Authenticated state increases risk. Use dedicated low-privilege accounts, isolated contexts, restricted origins, minimal tools, supervised actions, and never assume the server is a security boundary.

Can it research competitor websites?

It can inspect publicly accessible pages within legal, contractual, robots, rate-limit, and ethical constraints. Do not bypass authentication or technical controls. Preserve context and represent competitors fairly.

Should an agent publish findings automatically?

Not by default. The research agent should produce candidate evidence, a reviewer should verify it, and public publishing should require explicit approval or a narrowly preapproved workflow.

Build the smallest complete loop

Start with three approved public URLs and one comparison question.

Require three source records, five evidence cards, two screenshots, one contradiction, one missing-data note, and one draft section. Review the evidence before expanding access.

Sources