Deliver an inbound webhook event to a Zombie
Delivers an inbound event to the Zombie identified by zombie_id. The Zombie is looked up by primary key — no JSONB traversal, no source-name uniqueness required. The body MUST be HMAC-SHA256 signed with the workspace credential keyed by the Zombie’s trigger.source (e.g. vault row zombie:linear, field webhook_secret). The provider-specific signature header (x-hub-signature-256 for GitHub, x-slack-signature for Slack, etc.) is verified upstream by the webhook_sig middleware; this handler runs only after the HMAC is valid. There is no Bearer fallback — every inbound webhook MUST be signed. Duplicate events (same event_id within 24 h) return 200 {status: "duplicate"}. A new event is enqueued to the Zombie’s Redis stream and returns 202.
Documentation Index
Fetch the complete documentation index at: https://docs.usezombie.com/llms.txt
Use this file to discover all available pages before exploring further.
Path Parameters
UUIDv7 of the target Zombie. Obtained from POST /v1/workspaces/{workspace_id}/zombies or zombiectl install --from <path>.
Body
Response
Duplicate event — already processed within the 24-hour dedup window.
"duplicate"