The web fetch tool lets Claude retrieve the full content of a web page or PDF during a conversation — the natural companion to web search, which finds pages but returns only result snippets. A tool that makes outbound HTTP requests from your AI system is also, from a security team's perspective, a potential data-exfiltration channel. Anthropic addresses this with a structural restriction called URL validation, and it is the first thing to understand before enabling the tool.
The rule: fetchable URLs must already be in the conversation
Web fetch will only retrieve URLs that are already present in the conversation context: URLs the user included in messages, URLs returned by client-side tool results, and URLs that earlier web search or web fetch calls produced. Claude cannot fetch a URL it constructed itself.
Why does that matter? The classic exfiltration pattern against tool-using models is prompt injection: malicious text in a processed document instructs the model to encode sensitive data from the conversation into a URL — https://attacker.example/?data=<secrets> — and fetch it, delivering the payload to the attacker's server as a request log entry. URL validation breaks the "encode data into a fresh URL" step: a URL carrying newly encoded secrets, by construction, did not previously exist in context, so the fetch is refused.
The residual risk the docs still warn about
Anthropic's documentation is candid that URL validation reduces, rather than eliminates, exfiltration risk. The remaining surface: an attacker who can influence which of several already-in-context URLs gets fetched, or who can arrange for attacker-controlled URLs to enter context through legitimate channels (a document containing both injected instructions and a list of pre-built URLs, where the choice among them leaks a signal). The information-per-request is far lower than free-form URL construction, but it is not zero. Accordingly, the docs recommend that sensitive environments tighten the tool's configuration — or disable it entirely where the risk is unacceptable.
The three controls that shrink the surface
max_usescaps fetches per request. There is no default limit, so an unconfigured deployment allows as many fetches as the conversation invites — set a small number deliberately. Fewer allowed requests means less bandwidth for any leak-by-selection channel and a smaller cost blast radius.allowed_domains(orblocked_domains) restricts where fetches may go. An allowlist of your own documentation domains turns web fetch from "the open web" into "a fixed set of trusted sources", which removes attacker-controlled destinations outright.max_content_tokenstruncates fetched text to a token budget. Its primary job is cost control — the docs estimate roughly 2,500 tokens for a 10 kB page and about 125,000 for a 500 kB PDF, all billed as input tokens — but it also bounds how much untrusted content one fetch can inject into context. The limit is approximate and does not apply to binary or PDF content.
tools=[{
"type": "web_fetch_20260309",
"name": "web_fetch",
"max_uses": 3,
"allowed_domains": ["docs.example.com"],
"max_content_tokens": 20000,
}]
Smaller mechanics to know: URLs are limited to 250 characters (longer ones return a url_too_long error); results are served from a managed cache by default, with "use_cache": false available from version web_fetch_20260309 to force a fresh fetch; fetched pages arrive as document blocks with a retrieved_at timestamp, PDFs as base64 document blocks; JavaScript-rendered sites are not supported. Citations on fetched content are optional and off by default — enable them if your UI attributes claims to pages. There are no per-fetch fees; you pay only token costs.
Platform availability
Web fetch is available on the Claude API, Claude Platform on AWS, and Microsoft Foundry (Hosted on Anthropic deployments only). It is not currently available on Amazon Bedrock or Google Cloud — on those platforms, retrieval of web content is something your own code does before the model call.
Where to go next
See the web fetch tool overview for request anatomy, and web search tool versions for the search-then-fetch pattern where Claude locates a resource and then reads it in full.