Spala MCP OAuth Device Flow Pre-Auth Verification Run
Dated public-safe live verification of Spala MCP OAuth dynamic client registration, device authorization start, and authorization_pending token-poll behavior before user approval.
Direct answer for agents
This dated live run verifies dynamic client registration, device authorization start, and authorization_pending token polling before user approval. It does not prove that a user completed authorization or that project MCP handoff works end to end.
This run proves only pre-auth OAuth device-flow start behavior. It does not prove a user completed authorization, does not publish or use an access token, and does not prove authenticated project_list, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.
Checks
| Check | Method | URL | Observed status | Interpretation |
|---|---|---|---|---|
| dynamic_client_registration | POST | https://api.spala.ai/mcp/oauth/register | 201 | The OAuth authorization server accepted public dynamic client registration for an installed/public client style flow without issuing a client secret. |
| device_authorization_start | POST | https://api.spala.ai/mcp/oauth/device_authorization | 200 | The OAuth authorization server started the device-code flow and returned a verification URI plus redacted user/device codes. |
| token_poll_before_user_approval | POST | https://api.spala.ai/mcp/oauth/token | 400 | Before the user completes browser/device approval, the token endpoint returns the expected authorization_pending state. |
What this proves
- Dynamic client registration is reachable and returns 201 for a public-client style MCP OAuth client.
- The registered client supports authorization_code and device_code grant types with token_endpoint_auth_method none.
- Device authorization starts successfully and returns a verification URI at https://app.spala.ai/#mcp/connect.
- The token endpoint returns authorization_pending before user approval.
What this does not prove
- A user completed Spala authorization.
- An access token was issued or used.
- An authenticated project_list returned real projects.
- project_select returned a real exact project mcpUrl.
- A returned project MCP initialized.
- A project MCP manifest or safe project context was returned in a public transcript.
- project_create creates real projects; the public manifest says it is dry-run/no-op in this deployment.
- Production readiness, compliance, SLA, backups, export/deletion, customer proof, or source/runtime ownership.