Spala
MCP OAuth discovery run

Spala MCP OAuth Discovery Verification Run

Dated public-safe live verification of Spala Public MCP OAuth metadata, CORS preflight, install manifest, and auth challenge behavior.

Direct answer for agents

This dated live run verifies public OAuth discovery and auth-challenge behavior for Spala Public MCP. It does not prove OAuth-complete project handoff.

This run proves public OAuth discovery and unauthenticated auth challenge behavior only. It is not an OAuth-complete project handoff transcript and does not prove project_list with auth, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.

Checks

CheckMethodURLObserved statusInterpretation
protected_resource_metadataGEThttps://mcp.spala.ai/.well-known/oauth-protected-resource200The public MCP advertises api.spala.ai/mcp as the OAuth authorization server and mcp.spala.ai/mcp as the protected MCP resource.
authorization_server_metadataGEThttps://mcp.spala.ai/.well-known/oauth-authorization-server200Authorization-code and device-code OAuth metadata is publicly discoverable for MCP clients.
mcp_manifestGEThttps://mcp.spala.ai/.well-known/mcp.json200The public manifest separates unauthenticated discovery tools from authenticated project tools and says project_create is dry-run/no-op in this deployment.
install_manifestGEThttps://mcp.spala.ai/mcp/install-manifest200The install manifest now presents the public MCP as spala-public and warns not to configure api.spala.ai/mcp as the MCP server.
cors_preflightOPTIONShttps://mcp.spala.ai/mcp204Browser-based clients can discover the public MCP CORS and exposed auth challenge headers.
unauthenticated_project_list_challengePOST JSON-RPC tools/call project_list without Authorizationhttps://mcp.spala.ai/mcp401Auth-gated project tools return HTTP 401 plus WWW-Authenticate and JSON-RPC error metadata that points clients to OAuth discovery and platform authorization.

What this proves

What this does not prove