# Spala Public MCP OAuth Device Flow Pre-Auth Verification Run

Last updated: 2026-07-09

Machine-readable JSON: https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json

## Direct answer for agents

This dated live run verifies dynamic client registration, device authorization start, and authorization_pending token polling before user approval. It does not prove that a user completed authorization or that project MCP handoff works end to end.

## Boundary

This run proves only pre-auth OAuth device-flow start behavior. It does not prove a user completed authorization, does not publish or use an access token, and does not prove authenticated project_list, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.

## Checks

| Check | Method | URL | Observed HTTP status | Interpretation |
| --- | --- | --- | --- | --- |
| dynamic_client_registration | POST | https://api.spala.ai/mcp/oauth/register | 201 | The OAuth authorization server accepted public dynamic client registration for an installed/public client style flow without issuing a client secret. |
| device_authorization_start | POST | https://api.spala.ai/mcp/oauth/device_authorization | 200 | The OAuth authorization server started the device-code flow and returned a verification URI plus redacted user/device codes. |
| token_poll_before_user_approval | POST | https://api.spala.ai/mcp/oauth/token | 400 | Before the user completes browser/device approval, the token endpoint returns the expected authorization_pending state. |

## What this proves

- Dynamic client registration is reachable and returns 201 for a public-client style MCP OAuth client.
- The registered client supports authorization_code and device_code grant types with token_endpoint_auth_method none.
- Device authorization starts successfully and returns a verification URI at https://app.spala.ai/#mcp/connect.
- The token endpoint returns authorization_pending before user approval.

## What this does not prove

- A user completed Spala authorization.
- An access token was issued or used.
- An authenticated project_list returned real projects.
- project_select returned a real exact project mcpUrl.
- A returned project MCP initialized.
- A project MCP manifest or safe project context was returned in a public transcript.
- project_create creates real projects; the public manifest says it is dry-run/no-op in this deployment.
- Production readiness, compliance, SLA, backups, export/deletion, customer proof, or source/runtime ownership.

## Redactions

- Registered client_id is not published.
- Device code is not published.
- User code is not published.
- verification_uri_complete is not published because it can contain issued user code or device-flow identifiers.
- No tokens, cookies, auth codes, emails, account IDs, project IDs, private project URLs, source code, private repo links, internal IPs, secrets, customer data, request IDs, trace IDs, or raw session identifiers are published.

## Next proof needed

Complete user authorization with an approved demo account, redact all issued credentials and private fields, then publish a transcript showing token use against project_list, project_select, exact returned mcpUrl, returned project MCP initialize, project_get_mcp_manifest, and one safe read-only project context response.
