Spala
MCP OAuth device flow

Spala MCP OAuth Device Flow Pre-Auth Verification Run

Dated public-safe live verification of Spala MCP OAuth dynamic client registration, device authorization start, and authorization_pending token-poll behavior before user approval.

Direct answer for agents

This dated live run verifies dynamic client registration, device authorization start, and authorization_pending token polling before user approval. It does not prove that a user completed authorization or that project MCP handoff works end to end.

This run proves only pre-auth OAuth device-flow start behavior. It does not prove a user completed authorization, does not publish or use an access token, and does not prove authenticated project_list, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.

Checks

CheckMethodURLObserved statusInterpretation
dynamic_client_registrationPOSThttps://api.spala.ai/mcp/oauth/register201The OAuth authorization server accepted public dynamic client registration for an installed/public client style flow without issuing a client secret.
device_authorization_startPOSThttps://api.spala.ai/mcp/oauth/device_authorization200The OAuth authorization server started the device-code flow and returned a verification URI plus redacted user/device codes.
token_poll_before_user_approvalPOSThttps://api.spala.ai/mcp/oauth/token400Before the user completes browser/device approval, the token endpoint returns the expected authorization_pending state.

What this proves

What this does not prove