Web Bluetooth API
The Web Bluetooth API lets selected web pages discover and communicate with nearby Bluetooth devices through GATT, creating a browser boundary for agents and local hardware.
Definition
The Web Bluetooth API is a Web Bluetooth Community Group specification for discovering and communicating with devices over Bluetooth 4 using the Generic Attribute Profile, or GATT. The specification identifies itself as a Draft Community Group Report, not a W3C Standard. In practical terms, it gives a web page a controlled route from navigator.bluetooth to a nearby device's GATT services, characteristics, and descriptors.
MDN marks Web Bluetooth as limited availability. The interface family includes Bluetooth, BluetoothDevice, BluetoothRemoteGATTServer, BluetoothRemoteGATTService, BluetoothRemoteGATTCharacteristic, and BluetoothRemoteGATTDescriptor. The governance record matters when a web page, and therefore a browser agent, can select a nearby device, read its characteristics, subscribe to notifications, or write values back to it.
Mechanism
The API is reached through navigator.bluetooth. A page asks for access with requestDevice(). Chrome's documentation says the call must be triggered by a user gesture and that the browser prompts the user with a device chooser. Filters can narrow the chooser by advertised GATT services, device name, name prefix, and manufacturer data. If a page uses name or manufacturer-data filters, Chrome's documentation notes that optionalServices is needed to access services not already included in a service filter.
After permission is granted, getDevices() can retrieve devices previously granted to the site. A page then connects to a remote GATT server, gets a primary service, gets a characteristic, and can read values, write values, or receive notifications. The specification says a site receives access to the GATT services named in the request and that the user agent must explain the capabilities those services give before asking which devices to entrust to the site.
Permissions Policy is part of the boundary. MDN says the bluetooth directive controls whether the current document may use Web Bluetooth, with default allowlist self. Cross-origin frames should receive Bluetooth access only through explicit policy and iframe delegation, especially when a page mixes device setup with embedded tools, support widgets, or model-generated interfaces.
Agent Context
For AI Browsers and Computer Use, Web Bluetooth is a nearby-device authority surface. A model could help a user pair with a sensor, inspect a peripheral, read a battery service, subscribe to measurements, or update a configuration characteristic. It could also select a look-alike device, over-trust a generic name, keep using a previously granted device, or write a value whose physical effect is not obvious from the label.
Bluetooth is different from USB and serial because proximity matters. The device may be on a desk, in a pocket, on a wrist, in a room, or across a thin wall. Advertising data, service UUIDs, names, manufacturer data, and GATT characteristics can become a local identity surface. The specification warns that GATT services can be used for fingerprinting, and that a custom GATT service can expose an identifier. Agentic automation around this channel should keep nearby-device selection visible.
Governance Use
A governance review should treat Web Bluetooth as nearby hardware authority. Record the top-level origin, frame origin, Permissions Policy, selected device, granted service UUIDs, optional services, manufacturer-data filters, device name or name prefix, GATT server connection, service, characteristic, descriptor, read/write/notify operation, user gesture, permission state, and revocation path. If a model is involved, record the prompt, generated GATT operation, tool calls, and human confirmation path.
Organizations should separate Bluetooth setup surfaces from untrusted content. A configuration page, classroom lab, or sensor dashboard should not share authority with unrelated scripts, third-party embeds, or unreviewed plugins. If the same browser profile is used by an agent, the review should ask whether earlier Bluetooth grants can be reused without renewed physical context.
Limits
The Web Bluetooth specification includes a GATT blocklist for vulnerable services, characteristics, and descriptors. That helps, but it is not device understanding. A characteristic can be syntactically valid and still represent a sensitive measurement, a persistent setting, an actuator command, or a device-specific mode.
The browser usually cannot know whether a write changes a harmless display setting, alters calibration, toggles a safety-relevant mode, or changes the behavior of nearby hardware. Device makers and deployers still need narrow service design, clear names, revocation, safe defaults, physical reset paths, and logs that distinguish device advertisements, web-page reads, and web-page writes.
Review Record
- Origin: record top-level origin, frame origin, secure-context state, and Permissions Policy for
bluetooth. - Chooser: record filters, name or name prefix, manufacturer data, service UUIDs, optional services, and user gesture.
- GATT: record server connection, services, characteristics, descriptors, read/write/notify operations, payload category, and persistence effects.
- Agents: record model instructions, generated operations, tool calls, approval state, physical-device context, and revocation path.
Source Discipline
Claims about API shape should cite the Web Bluetooth Community Group specification. Claims about support and developer behavior should cite current browser documentation, because MDN marks Web Bluetooth as limited availability and the Permissions Policy page marks the directive experimental. A permission prompt is evidence of user-mediated access, not evidence that a nearby device is safe for arbitrary GATT operations.
Spiralist Reading
Spiralism reads Web Bluetooth as a lesson in local aura becoming web state. The nearby object is no longer merely present; it advertises, appears in a chooser, becomes a granted device, and may send or receive values through a page. When an agent acts there, the record should preserve the chain from language to chooser to service to characteristic to physical behavior. The humane boundary is named device, narrow service, reversible action, visible proximity, and a user who still knows what is connected.
Related Pages
- WebUSB API
- WebHID API
- Web Serial API
- Permissions Policy
- Local Network Access
- Content Security Policy
- AI Browsers and Computer Use
- AI Agent Sandboxing
- AI Audit Trails
- AI in Operational Technology
- Capability-Based Security
Sources
- Web Bluetooth Community Group, Web Bluetooth, Draft Community Group Report.
- MDN Web Docs, Web Bluetooth API.
- MDN Web Docs, Permissions-Policy: bluetooth directive.
- Chrome for Developers, Communicating with Bluetooth devices over JavaScript.