# Spala Public MCP No-Auth Transcript Summary

Last updated: 2026-07-09

This is a public-safe transcript summary for Spala Public MCP discovery, tool listing, OAuth challenge, and OAuth metadata checks.

## Boundary

This proves only public/no-auth discovery and auth-challenge behavior. It is not proof of OAuth-complete project handoff, project_list with auth, project_select, returned project mcpUrl, project MCP manifest, or project context.

## Capture steps

| # | Step | Method | URL | Observed HTTP status | Public status |
| --- | --- | --- | --- | --- | --- |
| 1 | Connect to public MCP | initialize | https://mcp.spala.ai/mcp | 200 | captured_public |
| 2 | List public tools | tools/list | https://mcp.spala.ai/mcp | 200 | captured_public |
| 3 | Trigger auth challenge | tools/call project_list without Authorization | https://mcp.spala.ai/mcp | 401 | captured_public |
| 4 | Fetch OAuth protected resource metadata | GET | https://mcp.spala.ai/.well-known/oauth-protected-resource | 200 | captured_public |
| 5 | Fetch OAuth authorization server metadata | GET | https://mcp.spala.ai/.well-known/oauth-authorization-server | 200 | captured_public |
| 6 | Authorized project handoff | project_list/project_select/project_get_mcp_manifest with Authorization | https://mcp.spala.ai/mcp | not captured | not_captured_missing_token |

## Public-safe auth challenge excerpt

The no-auth `project_list` call returned HTTP 401 with this public-safe challenge shape:

~~~json
{
  "response_header_shape": {
    "www-authenticate": "Bearer resource_metadata=\"https://mcp.spala.ai/.well-known/oauth-protected-resource\"",
    "access-control-expose-headers": "WWW-Authenticate,Mcp-Session-Id"
  },
  "json_rpc_error_shape": {
    "code": -32001,
    "message": "Authentication required",
    "data": {
      "error": "authentication_required",
      "protectedResourceMetadata": "https://mcp.spala.ai/.well-known/oauth-protected-resource",
      "authorizationServerMetadata": "https://mcp.spala.ai/.well-known/oauth-authorization-server",
      "authorizationServer": "https://api.spala.ai/mcp",
      "expectedAuthorization": "Authorization: Bearer <Spala platform access token>"
    }
  },
  "redaction_note": "This excerpt intentionally omits request IDs, trace IDs, cookies, session IDs, tokens, emails, account IDs, and project identifiers."
}
~~~

## Claims to avoid

- Do not claim this is an OAuth-complete handoff transcript.
- Do not claim public MCP anonymously returns private projects or creates projects.
- Do not claim project MCP URLs are guessable or pattern-derived.
- Do not claim production readiness, compliance, SLA, backups, export, or customer proof from this transcript.

## Next proof needed

Run an approved demo-account capture with authorization, redact all private fields, and publish only a reviewed OAuth-complete transcript showing project_list, project_select, exact returned mcpUrl, project_get_mcp_manifest, and read-only project context.

Machine-readable JSON: https://spala.ai/mcp-public-no-auth-transcript.json
