Registry stack docs v0 · draft

Expose protected APIs

Expose protected APIs is how a registry serves scoped, read-only access to existing source data (a CSV, an XLSX, a Parquet file, or a PostgreSQL table) without giving callers database credentials or exposing storage internals. The primary implementation is Registry Relay, a config-driven HTTP gateway that maps those sources to public entity routes while keeping table identifiers, raw SQL, and source paths out of public contracts.

This is protected API exposure: caller authentication, route-level scopes, field projection, declared filters, aggregates, caller-scoped metadata, and tamper-evident audit records. Relay is not an open-data portal.

Registry Relay provides:

  • Authenticated, scoped entity lookup and aggregate routes over CSV, XLSX, Parquet, or PostgreSQL.
  • Field projection and declared filters so callers receive only the fields their scope allows.
  • Caller-scoped metadata routes derived from the published Manifest.
  • Tamper-evident audit records for every request.

Registry Platform supplies shared auth, OIDC, HTTP security, outbound HTTP, crypto, SD-JWT, and audit primitives that Relay builds on.

Registry Relay: source types, entity model, auth modes, metadata routes, and caveats.

Configure a source connector, define entity routes, and assign caller scopes. See Authorize callers for scope assignment and key provisioning. See the Relay API reference for the HTTP contract.

Example: a facility registry operated by a national health authority exposes GET /clinics/{id} to a regional licensing office, scoped to a caller token for that region, returning only the fields the policy allows.
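The facility-registry scenario above, as an added sketch that is not Registry Relay's code or configuration format: it shows route scope, region scoping, field projection and a hash-chained audit record working together on a default-deny basis. The scope string, field names, caller structure and audit layout are all assumptions made for illustration, and the clinic record is constructed sample data.

```python
import hashlib
import json

# Constructed sample record; "director_phone" and "source_row" stand in for
# fields and storage internals that must never reach the caller.
CLINICS = {
    "c-100": {"id": "c-100", "name": "Riverside Clinic", "region": "north",
              "license_status": "active", "director_phone": "555-0100",
              "source_row": 17},
}
# Hypothetical scope name. Fields not listed for a scope are never returned.
SCOPE_FIELDS = {"clinics:read:licensing": {"id", "name", "region", "license_status"}}
AUDIT_LOG = []  # hash-chained: each record commits to the previous record's hash


def _digest(rec):
    body = {k: rec[k] for k in ("caller", "route", "decision", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _audit(caller_id, route, decision):
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    rec = {"caller": caller_id, "route": route, "decision": decision, "prev": prev}
    AUDIT_LOG.append({**rec, "hash": _digest(rec)})


def get_clinic(caller, clinic_id):
    """Return (status, body) for GET /clinics/{id}; every outcome is audited."""
    route = f"/clinics/{clinic_id}"
    allowed = set()
    for scope in caller["scopes"]:
        allowed |= SCOPE_FIELDS.get(scope, set())  # unknown scopes grant nothing
    if not allowed:
        _audit(caller["id"], route, "deny:scope")
        return 403, None
    record = CLINICS.get(clinic_id)
    # Same 404 for "missing" and "other region" so the route is not an oracle.
    if record is None or record["region"] != caller["region"]:
        _audit(caller["id"], route, "deny:not_found")
        return 404, None
    _audit(caller["id"], route, "allow")
    return 200, {k: v for k, v in record.items() if k in allowed}


def audit_chain_intact():
    """Recompute the chain; any edited or reordered record breaks it."""
    prev = "0" * 64
    for rec in AUDIT_LOG:
        if rec["prev"] != prev or rec["hash"] != _digest(rec):
            return False
        prev = rec["hash"]
    return True
```

A chain like this only detects edits if the latest hash is also recorded somewhere the log writer cannot rewrite.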