POST /api/embed/:slug/ingest
The beacon endpoint. The host page's zeq-embed.js runtime POSTs to this route on every event/state/file/connection/identify call. The server validates the schema, rate-limits per machine+IP, hashes the payload, and appends a row to the audit entangled state.
Status — coming soon (planned for next release; snippet/threat-model already locked).
Auth
X-Zsm-Key: zsm_pub_… header. Public-prefix key only — write-back keys are rejected.
Headers
Content-Type: application/json
X-Zsm-Key: zsm_pub_…
Origin: https://your-host-page.example
If the machine has an origin allow-list configured, beacons from origins outside the list are still accepted but flagged with cross_origin: true and counted against a separate quota.
Request
{
"v": "1.287.5",
"slug": "my-iot-fleet",
"sid": "session-or-device-id",
"kind": "heartbeat",
"payload": { "uptime_ms": 12345, "temp_c": 21.4 },
"pulse": { "f": 1.287, "tau": 0.777, "alpha": 0.00129, "ns": "777000777" },
"ts": 1777336155374
}
| Field | Type | Required | Notes |
|---|---|---|---|
| v | string | yes | snippet version |
| slug | string | yes | must match path |
| sid | string | yes | opaque session/device id |
| kind | string | yes | one of heartbeat, event, state, file, connection, identify, __unload |
| payload | object | yes | ≤ 4 KB |
| pulse | object | optional | snippet's local pulse snapshot |
| ts | number | yes | Unix ms |
Response — 202 Accepted
{
"ok": true,
"zeqond": "2287439213",
"transition_id": "uuid",
"rate_remaining": 599
}
Some clients (no-JS / IoT) call with Content-Type: application/x-www-form-urlencoded instead — the handler accepts both.
Errors
| Status | error | Cause |
|---|---|---|
| 400 | invalid_kind | kind not in the allowlist |
| 400 | payload_too_large | > 4 KB |
| 401 | bad_key | X-Zsm-Key missing or non-public-prefix |
| 429 | rate_limited | per-IP / per-slug / per-day cap exceeded |
| 404 | slug_not_found | slug doesn't resolve |
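The checks documented above (public-prefix key, slug match, kind allowlist, payload cap, cross-origin flag) can be expressed as one validation function. This is an added example, not the project's handler code. Assumptions: the check order, the `validateBeacon`, `sampleRequest` and `allowedOrigins` names, the `invalid_schema` placeholder error, the constructed key value, and measuring the 4 KB cap as serialized UTF-8 bytes. Rate limiting is left out.

```javascript
// Added example: hypothetical validator, not the project's handler code.
const KINDS = new Set(["heartbeat", "event", "state", "file",
  "connection", "identify", "__unload"]);
const REQUIRED = ["v", "slug", "sid", "kind", "payload", "ts"];
// The page says "≤ 4 KB"; counting serialized UTF-8 bytes is an assumption.
const MAX_PAYLOAD_BYTES = 4 * 1024;

const reject = (status, error) => ({ ok: false, status, error });
const isObject = (x) => x !== null && typeof x === "object" && !Array.isArray(x);

// req: { pathSlug, headers (lower-cased names), body (parsed JSON) }
// machine: { allowedOrigins?: string[] }, or null when the slug does not resolve
function validateBeacon(req, machine) {
  const key = req.headers["x-zsm-key"];
  if (typeof key !== "string" || !key.startsWith("zsm_pub_")) return reject(401, "bad_key");
  if (!machine) return reject(404, "slug_not_found");

  const b = req.body;
  // "invalid_schema" is a placeholder: the page names no error for these cases.
  if (!isObject(b) || REQUIRED.some((f) => !(f in b))) return reject(400, "invalid_schema");
  if (b.slug !== req.pathSlug || typeof b.ts !== "number" || !isObject(b.payload)) {
    return reject(400, "invalid_schema");
  }
  if (!KINDS.has(b.kind)) return reject(400, "invalid_kind");
  if (Buffer.byteLength(JSON.stringify(b.payload), "utf8") > MAX_PAYLOAD_BYTES) {
    return reject(400, "payload_too_large");
  }
  // Off-list origins are still accepted, but flagged so a separate quota applies.
  const list = machine.allowedOrigins;
  const crossOrigin = Array.isArray(list) && list.length > 0 &&
    !list.includes(req.headers["origin"]);
  return { ok: true, status: 202, cross_origin: crossOrigin };
}

// Constructed sample request, based on the request body shown above.
function sampleRequest(overrides = {}, headerOverrides = {}) {
  return {
    pathSlug: "my-iot-fleet",
    headers: { "x-zsm-key": "zsm_pub_constructed", origin: "https://your-host-page.example",
      ...headerOverrides },
    body: { v: "1.287.5", slug: "my-iot-fleet", sid: "session-or-device-id",
      kind: "heartbeat", payload: { uptime_ms: 12345, temp_c: 21.4 },
      ts: 1777336155374, ...overrides },
  };
}
```

Because off-list origins return 202 rather than an error, the `cross_origin` flag on the stored row is the only signal that a beacon came from an unexpected page, so reviews of the audit data should filter on it.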