JLS
Developer Docs

What is the App Registry?

A centralized system for registering, discovering, and authenticating internal applications at JLS Trading Co.

The Problem

As the number of internal tools grows, each team ends up managing credentials differently. One team shares API keys over Slack, another hard-codes secrets in config files, and nobody has a clear picture of which apps talk to which. When someone leaves or an app is retired, there's no single place to revoke access.

How the App Registry Solves This

The App Registry is built into JLS Crewbook. It provides three things:

A catalog of apps

Every internal app is registered in one place with its name, description, base URL, and documentation links. Anyone at the company can browse the catalog to discover what tools exist.

Centralized credentials

Instead of apps exchanging API keys directly, EDS issues signed JWT tokens. You generate a token through the dashboard, and the receiving app verifies it using a public key. No shared secrets.

Zero-overhead verification

Tokens are verified locally by checking their signature against the platform's public key, so the receiving app never needs to call EDS during a request. This means no extra latency and no dependency on EDS being available.

How It Works

The process has four steps. The first three happen once during setup. The last one happens on every request.

  1. Register your app

    Go to Dashboard → Applications → Register App. Give your app a name, description, and URLs. You become the app's owner.

  2. Create an access grant

    On your app's detail page, create an outbound grant to the app you want to call. Grants are one-directional — granting your app access to App B does not let App B call you.

  3. Generate a token

    Click "Generate Token" on the grant. EDS signs a JWT with your app as the subject and the target app as the audience. Copy the token — it's shown only once.

  4. Use the token in requests

    Add the JWT to the Authorization: Bearer header when calling the target app. The target app verifies the signature using a public key from EDS — no network call needed.

Key Concepts

Application

Any internal tool, service, or system registered in the catalog. Each app has a unique name, an owner (the employee who registered it), and a status (active, deprecated, or disabled). Apps can optionally include documentation URLs and an LLM-friendly documentation URL for AI assistants.

Access Grant

A permission record that says "App A is allowed to call App B." Grants are directional — if App A needs to call App B and App B also needs to call App A, two separate grants are needed. Grants can be revoked at any time.

Access Token (JWT)

A signed JSON Web Token that proves your app's identity to a target app. Tokens are long-lived (1 year by default), scoped to a specific target app, and verified locally using public-key cryptography. You can generate a new token anytime from an active grant.

JWKS Endpoint

A public URL (/.well-known/jwks.json) that serves the platform's public key. Any app can fetch this key to verify incoming tokens without needing credentials or making authenticated requests.

Who Can Do What

The App Registry is fully self-serve. No admin approval is needed.

| Action | Who |
| --- | --- |
| Browse all registered apps | Any employee |
| Register a new app | Any employee |
| Edit or disable an app | App owner or admin |
| Create an access grant | Source app owner |
| Revoke a grant | Grant creator or admin |
| Generate a token | Source app owner |

Next Steps