diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py
index 13029b815..1a7b8b72e 100644
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -54,7 +54,7 @@ INSTALLED_APPS = [
     'users.apps.UsersConfig',
     'assets.apps.AssetsConfig',
     'perms.apps.PermsConfig',
-    # 'terminal.apps.TerminalConfig',
+    'terminal.apps.TerminalConfig',
     'ops.apps.OpsConfig',
     'audits.apps.AuditsConfig',
     'common.apps.CommonConfig',
diff --git a/apps/terminal/__init__.py b/apps/terminal/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/apps/terminal/admin.py b/apps/terminal/admin.py
new file mode 100644
index 000000000..8c38f3f3d
--- /dev/null
+++ b/apps/terminal/admin.py
@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.
diff --git a/apps/terminal/apps.py b/apps/terminal/apps.py
new file mode 100644
index 000000000..c81fa232b
--- /dev/null
+++ b/apps/terminal/apps.py
@@ -0,0 +1,7 @@
+from __future__ import unicode_literals
+
+from django.apps import AppConfig
+
+
+class TerminalConfig(AppConfig):
+    name = 'terminal'
diff --git a/apps/terminal/models.py b/apps/terminal/models.py
new file mode 100644
index 000000000..bd4b2abe9
--- /dev/null
+++ b/apps/terminal/models.py
@@ -0,0 +1,5 @@
+from __future__ import unicode_literals
+
+from django.db import models
+
+# Create your models here.
diff --git a/apps/terminal/tests.py b/apps/terminal/tests.py
new file mode 100644
index 000000000..7ce503c2d
--- /dev/null
+++ b/apps/terminal/tests.py
@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.
diff --git a/apps/terminal/views.py b/apps/terminal/views.py
new file mode 100644
index 000000000..91ea44a21
--- /dev/null
+++ b/apps/terminal/views.py
@@ -0,0 +1,3 @@
+from django.shortcuts import render
+
+# Create your views here.
diff --git a/apps/users/api.py b/apps/users/api.py
index 67ce7ae4f..3017bd40d 100644
--- a/apps/users/api.py
+++ b/apps/users/api.py
@@ -21,11 +21,13 @@ logger = get_logger(__name__)
 class UserDetailApi(generics.RetrieveUpdateDestroyAPIView):
     queryset = User.objects.all()
     serializer_class = UserDetailSerializer
+    permission_classes = (IsSuperUser,)
 
 
 class UserAndGroupEditApi(generics.RetrieveUpdateAPIView):
     queryset = User.objects.all()
     serializer_class = UserAndGroupSerializer
+    permission_classes = (IsSuperUser,)
 
 
 class UserResetPasswordApi(generics.UpdateAPIView):
@@ -109,3 +111,23 @@ class DeleteUserFromGroupApi(generics.DestroyAPIView):
         user_id = kwargs.get('uid')
         user = get_object_or_404(User, id=user_id)
         instance.users.remove(user)
+
+
+class AppUserRegisterApi(generics.CreateAPIView):
+    """App send a post request to register a app user
+
+    request params contains `username_signed`, You can unsign it,
+    username = unsign(username_signed), if you get the username,
+    It's present it's a valid request, or return (401, Invalid request),
+    then your should check if the user exist or not. If exist,
+    return (200, register success), If not, you should be save it, and
+    notice admin user, The user default is not active before admin user
+    unblock it.
+
+    Save fields:
+        username:
+        name: name + request.ip
+        email: username + '@app.org'
+        role: App
+    """
+    pass
diff --git a/apps/users/models.py b/apps/users/models.py
index c7464f4fb..c289bacca 100644
--- a/apps/users/models.py
+++ b/apps/users/models.py
@@ -69,7 +69,6 @@ class User(AbstractUser):
     ROLE_CHOICES = (
         ('Admin', _('Administrator')),
         ('User', _('User')),
-        ('App', _('Application')),
     )
 
     username = models.CharField(max_length=20, unique=True, verbose_name=_('Username'))
@@ -149,15 +148,6 @@ class User(AbstractUser):
         else:
             self.role = 'User'
 
-    is_admin = is_superuser
-
-    @property
-    def is_app_user(self):
-        if self.role == 'App':
-            return True
-        else:
-            return False
-
     @property
     def is_staff(self):
         if self.is_authenticated and self.is_valid:
@@ -188,7 +178,6 @@ class User(AbstractUser):
             token = Token.objects.get(user=self)
         except Token.DoesNotExist:
             token = Token.objects.create(user=self)
-
         return token.key
 
     def refresh_private_token(self):
diff --git a/apps/users/serializers.py b/apps/users/serializers.py
index cfce66ab7..fa1e57b79 100644
--- a/apps/users/serializers.py
+++ b/apps/users/serializers.py
@@ -5,23 +5,23 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from rest_framework_bulk import BulkListSerializer, BulkSerializerMixin
 
+from common.utils import unsign
 from .models import User, UserGroup
 
 
 class UserDetailSerializer(serializers.ModelSerializer):
-
     class Meta:
         model = User
         fields = ['avatar', 'wechat', 'phone', 'enable_otp', 'comment', 'is_active', 'name']
 
 
 class UserPKUpdateSerializer(serializers.ModelSerializer):
-
     class Meta:
         model = User
         fields = ['id', '_public_key']
 
-    def validate__public_key(self, value):
+    @staticmethod
+    def validate__public_key(value):
         from sshpubkeys import SSHKey
         from sshpubkeys.exceptions import InvalidKeyException
         ssh = SSHKey(value)
@@ -45,7 +45,6 @@ class UserAndGroupSerializer(serializers.ModelSerializer):
 
 
 class GroupDetailSerializer(serializers.ModelSerializer):
-
     class Meta:
         model = UserGroup
         fields = ['id', 'name', 'comment', 'date_created', 'created_by', 'users']
@@ -63,16 +62,17 @@ class UserBulkUpdateSerializer(BulkSerializerMixin, serializers.ModelSerializer)
                   'enable_otp', 'comment', 'groups', 'get_role_display',
                   'group_display', 'active_display']
 
-    def get_group_display(self, obj):
+    @staticmethod
+    def get_group_display(obj):
         return " ".join([group.name for group in obj.groups.all()])
 
-    def get_active_display(self, obj):
-        # TODO: user ative state
+    @staticmethod
+    def get_active_display(obj):
+        # TODO: user active state
         return not (obj.is_expired and obj.is_active)
 
 
 class GroupBulkUpdateSerializer(BulkSerializerMixin, serializers.ModelSerializer):
-
     user_amount = serializers.SerializerMethodField()
 
     class Meta:
@@ -80,5 +80,18 @@ class GroupBulkUpdateSerializer(BulkSerializerMixin, serializers.ModelSerializer
         list_serializer_class = BulkListSerializer
         fields = ['id', 'name', 'comment', 'user_amount']
 
-    def get_user_amount(self, obj):
+    @staticmethod
+    def get_user_amount(obj):
         return obj.users.count()
+
+
+class AppUserRegisterSerializer(serializers.Serializer):
+    username = serializers.CharField(max_length=20)
+
+    def create(self, validated_data):
+        sign = validated_data('username', '')
+        username = unsign(sign)
+        pass
+
+    def update(self, instance, validated_data):
+        pass