JPOS Marketplace

Sign in

Your first published app

  1. Sign in. The portal sends a magic link; click it, and you're in.
  2. Generate an ed25519 keypair locally: 
    openssl genpkey -algorithm Ed25519 -out priv.pem
openssl pkey -in priv.pem -pubout -outform DER | tail -c 32 | xxd -p -c 64
    The hex string is your public key — paste it into the dashboard's Signing key form. Keep priv.pem safe; the marketplace never sees it.
  3. Claim an app id on the Submit app page. Use reverse-DNS: com.example.todo.
  4. Build a bundle. A bundle is a .zip containing manifest.json at the root and any index.html/*.js/*.css your app needs. The manifest declares app_id, name, version (SemVer), publisher, and (optional) capabilities.
  5. Sign it. Compute SHA-256 of bundle.zip and sign the string app_id|version|sha256_hex with your private key. The signature is base64-encoded. 
    SHA=$(openssl dgst -sha256 -binary bundle.zip | xxd -p -c 64)
printf '%s|%s|%s' "$APP_ID" "$VER" "$SHA" \
  | openssl pkeyutl -sign -inkey priv.pem -rawin \
  | base64 -w0
  6. Upload the bundle, manifest, and signature on the app's detail page. The gateway re-hashes the bundle, re-builds the canonical message, and verifies the signature against your registered key — only then is the version published.

Manifest schema

{
  "app_id": "com.example.todo",
  "name": "Todo",
  "version": "1.2.0",
  "description": "A simple todo list",
  "category": "productivity",
  "publisher": "Example Inc.",
  "entry": "index.html",
  "permissions": [],
  "capabilities": ["filesystem.read", "notifications"],
  "jpos_min_version": "0.1.0",
  "icon": "icon.png",
  "homepage": "https://example.com"
}

API surface

Everything the portal does, you can do from a script. Auth via session cookie or — for CI / publishing pipelines — the bootstrap bearer token + X-Publisher-Id header.