# Spala Public MCP Smoke-Test Walkthrough

Last updated: 2026-07-09

This is a public, unauthenticated smoke-test transcript for reviewers and MCP registries. It proves public discovery and auth challenge behavior, not authenticated project mutation.

## Endpoint

```txt
https://mcp.spala.ai/mcp
```

## Required raw HTTP headers

```txt
Content-Type: application/json
Accept: application/json, text/event-stream
```

## Expected public behavior

- GET /mcp returns method guidance plus discovery links.
- tools/list exposes public discovery tools and authenticated project handoff tools.
- docs_search works without auth.
- project tools return HTTP 401 with WWW-Authenticate and OAuth metadata when called without a bearer token.
- Invalid JSON returns a JSON-RPC parse error.

## Public tool groups

- Discovery: spala_help, spala_get_onboarding, spala_get_tool_map, docs_search, template_list, addon_list.
- Project handoff: project_list, project_create, project_select, project_get_mcp_manifest, project_get_public_context.

## Project handoff rule

Agents must use the exact mcpUrl returned by project_select or project_get_mcp_manifest after auth. Do not derive project MCP URLs from project names, slugs, hosts, or API-domain patterns.

## Redacted handoff example

```json
{
  "projectId": "proj_xxx",
  "name": "Example Project",
  "mcpUrl": "https://returned-by-spala.example/mcp",
  "transport": "streamable-http"
}
```

## Limitation

This public smoke test cannot prove authenticated project handoff. That requires a real Spala account, platform OAuth, project selection, and the project MCP URL returned by Spala.
