{
  "schema_version": "2026-07-09",
  "name": "Spala Public MCP OAuth Device Flow Pre-Auth Verification Run",
  "status": "public_device_flow_start_verified_user_authorization_not_completed",
  "run_date": "2026-07-09",
  "capture_time_utc": "2026-07-09T01:31:47Z",
  "purpose": "Dated public-safe live verification that Spala's MCP OAuth authorization server supports dynamic client registration, device authorization start, and the expected authorization_pending token-poll state before user approval.",
  "boundary": "This run proves only pre-auth OAuth device-flow start behavior. It does not prove a user completed authorization, does not publish or use an access token, and does not prove authenticated project_list, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.",
  "capture_source": "live public HTTPS requests made against api.spala.ai/mcp OAuth endpoints from an unauthenticated client",
  "no_private_material_published": true,
  "public_checks": [
    {
      "id": "dynamic_client_registration",
      "method": "POST",
      "url": "https://api.spala.ai/mcp/oauth/register",
      "observed_http_status": 201,
      "content_type": "application/json; charset=utf-8",
      "request_shape_public_safe": {
        "client_name": "Spala public-safe verification client 2026-07-09",
        "redirect_uris_shape": [
          "loopback callback URL redacted from public proof"
        ],
        "grant_types": [
          "authorization_code",
          "urn:ietf:params:oauth:grant-type:device_code"
        ],
        "response_types": [
          "code"
        ],
        "token_endpoint_auth_method": "none",
        "scope": "api builder project data"
      },
      "response_shape_public_safe": {
        "fields_present": [
          "client_id",
          "client_id_issued_at",
          "client_name",
          "grant_types",
          "redirect_uris",
          "response_types",
          "token_endpoint_auth_method"
        ],
        "grant_types": [
          "authorization_code",
          "urn:ietf:params:oauth:grant-type:device_code"
        ],
        "token_endpoint_auth_method": "none",
        "client_secret_present": false,
        "client_id_redacted": true
      },
      "interpretation": "The OAuth authorization server accepted public dynamic client registration for an installed/public client style flow without issuing a client secret."
    },
    {
      "id": "device_authorization_start",
      "method": "POST",
      "url": "https://api.spala.ai/mcp/oauth/device_authorization",
      "observed_http_status": 200,
      "content_type": "application/json; charset=utf-8",
      "request_shape_public_safe": {
        "client_id": "[redacted registered client_id]",
        "scope": "api builder project data"
      },
      "response_shape_public_safe": {
        "fields_present": [
          "device_code",
          "expires_in",
          "interval",
          "user_code",
          "verification_uri",
          "verification_uri_complete"
        ],
        "verification_uri": "https://app.spala.ai/#mcp/connect",
        "verification_uri_complete_present": true,
        "device_code_redacted": true,
        "user_code_redacted": true,
        "expires_in_seconds": 599,
        "polling_interval_seconds": 5
      },
      "interpretation": "The OAuth authorization server started the device-code flow and returned a verification URI plus redacted user/device codes."
    },
    {
      "id": "token_poll_before_user_approval",
      "method": "POST",
      "url": "https://api.spala.ai/mcp/oauth/token",
      "observed_http_status": 400,
      "content_type": "application/json; charset=utf-8",
      "request_shape_public_safe": {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": "[redacted device_code]",
        "client_id": "[redacted registered client_id]"
      },
      "response_shape_public_safe": {
        "error": "authorization_pending",
        "message": "authorization_pending"
      },
      "interpretation": "Before the user completes browser/device approval, the token endpoint returns the expected authorization_pending state."
    }
  ],
  "proves": [
    "Dynamic client registration is reachable and returns 201 for a public-client style MCP OAuth client.",
    "The registered client supports authorization_code and device_code grant types with token_endpoint_auth_method none.",
    "Device authorization starts successfully and returns a verification URI at https://app.spala.ai/#mcp/connect.",
    "The token endpoint returns authorization_pending before user approval."
  ],
  "does_not_prove": [
    "A user completed Spala authorization.",
    "An access token was issued or used.",
    "An authenticated project_list returned real projects.",
    "project_select returned a real exact project mcpUrl.",
    "A returned project MCP initialized.",
    "A project MCP manifest or safe project context was returned in a public transcript.",
    "project_create creates real projects; the public manifest says it is dry-run/no-op in this deployment.",
    "Production readiness, compliance, SLA, backups, export/deletion, customer proof, or source/runtime ownership."
  ],
  "redactions_applied": [
    "Registered client_id is not published.",
    "Device code is not published.",
    "User code is not published.",
    "verification_uri_complete is not published because it can contain issued user code or device-flow identifiers.",
    "No tokens, cookies, auth codes, emails, account IDs, project IDs, private project URLs, source code, private repo links, internal IPs, secrets, customer data, request IDs, trace IDs, or raw session identifiers are published."
  ],
  "next_proof_needed": "Complete user authorization with an approved demo account, redact all issued credentials and private fields, then publish a transcript showing token use against project_list, project_select, exact returned mcpUrl, returned project MCP initialize, project_get_mcp_manifest, and one safe read-only project context response.",
  "related": {
    "oauth_authorization_server_metadata": "https://mcp.spala.ai/.well-known/oauth-authorization-server",
    "oauth_discovery_verification_run": "https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json",
    "mcp_handoff_evidence": "https://spala.ai/mcp-handoff-evidence/",
    "no_auth_transcript": "https://spala.ai/mcp-public-no-auth-transcript.json",
    "transcript_template": "https://spala.ai/mcp-handoff-transcript-template.json",
    "proof_capture_kit": "https://spala.ai/proof-capture-kit.json"
  },
  "agent_guidance": "Use this run as public evidence that the OAuth device flow can start and correctly waits for user approval. Do not treat it as user-completed auth, token issuance, or project MCP handoff proof."
}