Deliver an inbound webhook event to a Zombie

curl --request POST \
  --url https://api.usezombie.com/v1/webhooks/{zombie_id} \
  --header 'Content-Type: application/json' \
  --data '
{
  "event_id": "<string>",
  "type": "<string>",
  "data": {}
}
'

{
  "status": "<string>",
  "ignored": "<string>"
}

Webhooks

Deliver an inbound webhook event to a Zombie

Delivers an inbound event to the Zombie identified by zombie_id. The Zombie is looked up by primary key — no JSONB traversal, no source-name uniqueness required. The body MUST be HMAC-SHA256 signed with the workspace credential keyed by the Zombie’s trigger.source (e.g. vault row zombie:linear, field webhook_secret). The provider-specific signature header (x-hub-signature-256 for GitHub, x-slack-signature for Slack, etc.) is verified upstream by the webhook_sig middleware; this handler runs only after the HMAC is valid. There is no Bearer fallback — every inbound webhook MUST be signed. Duplicate events (same event_id within 24 h) return 200 {status: "duplicate"}. A webhook for a paused zombie returns 200 {ignored: "zombie_paused"} without consuming the dedup slot, so redelivery after resume processes normally. A new event is enqueued to the Zombie’s Redis stream and returns 202.

POST

webhooks

{zombie_id}

curl --request POST \
  --url https://api.usezombie.com/v1/webhooks/{zombie_id} \
  --header 'Content-Type: application/json' \
  --data '
{
  "event_id": "<string>",
  "type": "<string>",
  "data": {}
}
'

{
  "status": "<string>",
  "ignored": "<string>"
}

Path Parameters

zombie_id

string<uuid>

required

UUIDv7 of the target Zombie. Obtained from POST /v1/workspaces/{workspace_id}/zombies or zombiectl install --from <path>.

Body

application/json

event_id

string

required

Unique identifier for this event. Used for idempotency deduplication (24-hour window).

type

string

required

Event type label (e.g. email.received, push, payment.succeeded).

data

object

required

Event payload — any JSON object. Passed as-is into the Zombie event loop.

Response

Not enqueued, intentionally. Two shapes: duplicate event ({"status": "duplicate"} — already processed within the 24-hour dedup window) or event ignored ({"ignored": "zombie_paused"} — zombie is paused; the dedup slot is not consumed, so redelivery after resume processes normally).

status

string

Allowed value: "duplicate"

ignored

string

Reason the event was ignored (e.g. zombie_paused).

Receive a Svix-signed webhook (Clerk events)Resolve a zombie approval gate