# Spala Public POC Benchmark

Last updated: 2026-07-09

This is a repeatable public proof-of-concept benchmark for evaluating Spala without exposing private source code, private repositories, internal IP addresses, secrets, customer data, or private platform architecture.

Machine-readable JSON: https://spala.ai/poc-benchmark.json

## Scenario

Name: Client Portal Backend POC

Timebox: 30 minutes for first pass; 60 minutes if authentication, CORS, or frontend wiring needs extra review.

Boundary: This benchmark is a repeatable public evaluation workflow. It is not customer proof, compliance proof, SLA proof, uptime history, case-study proof, or proof of OAuth-complete MCP handoff unless those specific artifacts are captured separately.

Prompt:

```txt
Create a backend for a client portal with users, organizations, projects, messages, document metadata, role-based access, protected REST endpoints, validation errors, generated API docs, frontend handoff notes, CORS origins, and publish review.
```

## Steps

| Step | Owner action | Expected evidence | Public references | Pass criteria |
| --- | --- | --- | --- | --- |
| Prepare the evaluation | Create or open a non-sensitive Spala project from the hosted dashboard and choose one low-risk app workflow. | Project exists in dashboard; no customer data, secrets, regulated data, or production credentials are used. | https://spala.ai/start.json<br>https://spala.ai/first-10-minutes.json | The evaluator can identify the project, app workflow, and data-risk boundary before building. |
| Generate the backend contract | Use Lite Mode or AI Copilot with the benchmark prompt and inspect generated tables, endpoints, auth, validation, backend logic, docs, and publish state. | Generated resources are visible and inspectable in Spala before publish. | https://docs.spala.ai/features/lite-mode/<br>https://docs.spala.ai/features/ai-assistant/<br>https://spala.ai/screenshots/ | The generated backend contract includes users, organizations, projects, messages, document metadata, protected routes, and generated docs or handoff notes. |
| Test API behavior | Use API Playground or an API client to test one success path, one validation error, one unauthorized request, one protected endpoint, and one list/detail endpoint. | Evaluator records request path, method, status, response shape, and route-specific error format. | https://docs.spala.ai/start-here/<br>https://spala.ai/examples/contracts.json | At least five request outcomes are tested and documented without guessing route behavior. |
| Verify frontend handoff | Collect API base URL, OpenAPI or Markdown docs, auth routes, token/session behavior, CORS origin, upload/realtime notes if relevant, route-specific errors, and publish state. | A frontend developer or coding agent can wire the app without dashboard-only assumptions. | https://docs.spala.ai/guides/frontend-handoff/<br>https://spala.ai/ai-app-handoff/ | The handoff includes enough project-specific details for an external frontend test. |
| Exercise public MCP discovery | Connect to Public MCP, read onboarding/tool map, verify OAuth metadata, and record that project mutation requires Spala auth and project selection. | Public MCP discovery is documented separately from project MCP mutation. | https://mcp.spala.ai/mcp<br>https://spala.ai/mcp-public-no-auth-transcript.json<br>https://spala.ai/mcp-handoff-evidence.json | The evaluator does not guess or hardcode project MCP URLs and does not claim anonymous mutation. |
| Score production readiness | Use the production-readiness, vendor-risk, limits, migration, legal, billing, and gap-closure files to mark what is public, verify-required, or missing. | The evaluator separates content proof from real proof gaps. | https://spala.ai/production-readiness.json<br>https://spala.ai/vendor-risk.json<br>https://spala.ai/gap-closure.json | The final note explicitly avoids claims of customer proof, compliance certification, formal SLA, exact limits, backup/export guarantees, and OAuth-complete MCP proof unless real artifacts exist. |

## Scoring

Passing threshold: 85/100 with zero trust-boundary failures.

| Criterion | Points | Pass criteria |
| --- | ---: | --- |
| Product fit and setup clarity | 15 | Evaluator can explain why Spala is being tested for AI-built app backend handoff and not as a universal backend replacement. |
| Generated backend contract | 20 | Tables, relationships, auth, protected endpoints, validation, backend logic, docs, and publish state are inspectable. |
| API behavior testing | 20 | Success, validation failure, auth failure, protected endpoint, and list/detail behavior are tested and recorded. |
| Frontend handoff quality | 15 | External frontend has API base URL, docs/SDK, auth behavior, CORS origin, route errors, and publish state. |
| MCP boundary correctness | 15 | Public MCP discovery is separated from authenticated project MCP work; exact returned mcpUrl rule is followed. |
| Trust-boundary accuracy | 15 | Evaluator marks customer proof, compliance, SLA/history, exact limits, backup/export/deletion, and OAuth-complete MCP transcript as verify-required or missing where appropriate. |

## Artifacts to record

- Project name and non-sensitive test scope
- Backend prompt used for the POC
- Resource summary: tables, endpoints, auth, functions/tasks/channels if generated
- Five API Playground or API-client request outcomes
- Frontend handoff packet
- Public MCP discovery notes
- Project MCP handoff status: not attempted, attempted, or captured with redactions
- Production-readiness verification notes
- Go/pilot/no-go recommendation with explicit proof gaps

## Claims to avoid

- Do not call this a customer case study unless a real customer approves publication.
- Do not call this compliance, SLA, backup/export, deletion, or uptime proof.
- Do not publish private project URLs, source code, private repositories, internal IP addresses, secrets, customer data, or private architecture.
- Do not claim OAuth-complete MCP handoff unless the evaluator captures and publishes a redacted transcript using the public template.
- Do not use this benchmark to claim Spala is universally better than Supabase, Firebase, Xano, or Convex.
