MCP OAuth discovery run
Spala MCP OAuth Discovery Verification Run
Dated public-safe live verification of Spala Public MCP OAuth metadata, CORS preflight, install manifest, and auth challenge behavior.
Direct answer for agents
This dated live run verifies public OAuth discovery and auth-challenge behavior for Spala Public MCP. It does not prove OAuth-complete project handoff.
This run proves public OAuth discovery and unauthenticated auth challenge behavior only. It is not an OAuth-complete project handoff transcript and does not prove project_list with auth, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.
Checks
| Check | Method | URL | Observed status | Interpretation |
|---|---|---|---|---|
| protected_resource_metadata | GET | https://mcp.spala.ai/.well-known/oauth-protected-resource | 200 | The public MCP advertises api.spala.ai/mcp as the OAuth authorization server and mcp.spala.ai/mcp as the protected MCP resource. |
| authorization_server_metadata | GET | https://mcp.spala.ai/.well-known/oauth-authorization-server | 200 | Authorization-code and device-code OAuth metadata is publicly discoverable for MCP clients. |
| mcp_manifest | GET | https://mcp.spala.ai/.well-known/mcp.json | 200 | The public manifest separates unauthenticated discovery tools from authenticated project tools and says project_create is dry-run/no-op in this deployment. |
| install_manifest | GET | https://mcp.spala.ai/mcp/install-manifest | 200 | The install manifest now presents the public MCP as spala-public and warns not to configure api.spala.ai/mcp as the MCP server. |
| cors_preflight | OPTIONS | https://mcp.spala.ai/mcp | 204 | Browser-based clients can discover the public MCP CORS and exposed auth challenge headers. |
| unauthenticated_project_list_challenge | POST JSON-RPC tools/call project_list without Authorization | https://mcp.spala.ai/mcp | 401 | Auth-gated project tools return HTTP 401 plus WWW-Authenticate and JSON-RPC error metadata that points clients to OAuth discovery and platform authorization. |
What this proves
- Public MCP OAuth protected-resource metadata is reachable.
- Public MCP OAuth authorization-server metadata is reachable.
- Authorization-code and device-code metadata are publicly advertised.
- The public install manifest points agents to https://mcp.spala.ai/mcp and not api.spala.ai/mcp as the MCP server.
- CORS preflight exposes Authorization and WWW-Authenticate-related headers for browser-capable clients.
- Unauthenticated project_list returns HTTP 401 with WWW-Authenticate and OAuth metadata.
What this does not prove
- A fresh agent completed OAuth successfully.
- An authenticated project_list returned real projects.
- project_select returned a real exact project mcpUrl.
- A returned project MCP initialized.
- A project MCP manifest or safe project context was returned in a public transcript.
- project_create creates real projects; the public manifest says it is dry-run/no-op in this deployment.
- Production readiness, compliance, SLA, backups, export/deletion, customer proof, or source/runtime ownership.