Skip to main content

Base URL

https://api.usezombie.com

Authentication

All API endpoints require a Bearer token in the Authorization header, except health checks and the initial auth session creation. 
curl https://api.usezombie.com/v1/workspaces/ws_abc/zombies \
  -H "Authorization: Bearer $ZOMBIE_TOKEN"
Two kinds of bearer token are accepted:
  • Tenant API key (zmb_t_…) — long-lived, for programmatic and service-to-service callers (CI, cron, integrations, scripts). Create one in the dashboard under Settings → API keys; the raw value is shown once. This is the right credential for calling the API directly.
  • User JWT — short-lived (~15 min), for an interactive human. Mint one with zombiectl login, a browser device flow with terminal-side verification. It can’t be obtained by a bare API client — the flow needs the dashboard’s browser leg — so for unattended access use a tenant API key.

Errors

All errors use RFC 7807 problem detail (Content-Type: application/problem+json): 
{
  "docs_uri": "https://docs.usezombie.com/api-reference/error-codes#UZ-WORKSPACE-001",
  "title": "Workspace not found",
  "detail": "No workspace with the given ID exists.",
  "error_code": "UZ-WORKSPACE-001",
  "request_id": "req_01JQ7K..."
}
Error codes follow the UZ-<DOMAIN>-NNN scheme in the error_code field. Every response includes a request_id for tracing. See Error codes for the full registry.

Conventions

  • IDs are UUIDv7.
  • Timestamps are Unix milliseconds.
  • State transitions are partial updates on the parent resource (e.g., PATCH /v1/workspaces/{workspace_id}/zombies/{zombie_id} with body {status: "stopped"}). Sub-resources (e.g., /messages, /events, /events/stream) handle data-flow operations.
  • Streaming endpoints (activity stream) return Server-Sent Events.

Rate limits

API rate limits are per-workspace. If you hit a rate limit, the response includes a Retry-After header.

OpenAPI Spec

View the full OpenAPI 3.1 specification