# spala-mcp-handoff

Use this skill when an agent needs to connect to Spala MCP.

Read first:

- https://spala.ai/mcp-handoff-evidence.json
- https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json
- https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json
- https://spala.ai/mcp-public-no-auth-transcript.json
- https://spala.ai/mcp-handoff-transcript-template.json
- https://mcp.spala.ai/.well-known/project-mcp-test.json

## Public MCP

Endpoint:

```txt
https://mcp.spala.ai/mcp
```

Start with public tools: onboarding, tool map, docs search, template lookup, addon lookup.

## Project MCP

Project MCP is returned after Spala platform authentication and project selection.

Rules:

1. Do not guess project MCP URLs.
2. Do not derive project MCP URLs from slugs.
3. Authenticate through Spala platform OAuth when project tools are needed.
4. Call project_list and project_select.
5. Use the exact mcpUrl returned by Spala.
6. Inspect resources before changing them.
7. Validate before publish.

Public MCP discovers and routes. Project MCP builds and operates one selected project.

## Proof boundary

Public OAuth discovery, CORS preflight, install manifest, no-auth discovery, auth challenge, dynamic client registration, and device-code flow start are evidenced. Do not claim completed user auth or OAuth-complete project handoff is publicly proven until Spala publishes a redacted transcript showing token use, project_list, project_select, exact returned mcpUrl, project MCP manifest, and safe read-only project context.
