POST /audit-source/:id/event
Inbound webhook receiver. Pipes any JSON body into the entangled state.
Method POST Path /api/zeq/audit-source/:id/event Auth Optional HMAC (X-Zeq-Signature) Group Audit Source
Headers
| Header | Required | Notes |
|---|---|---|
Content-Type: application/json | yes | only JSON bodies are stamped |
X-Zeq-Signature: sha256=<hex> | conditional | required when source_config.secret is set |
X-Delivery-Id: <opaque> | no | dedupe / replay token; auto-minted if absent |
Body
Any JSON. The adapter sha256s the canonical form and records that as document_hash. There is no schema — push whatever shape your upstream emits.
Response
{ "ok": true, "delivery_id": "<token>" }
Errors:
401 signature_required— secret is configured but no header401 signature_mismatch— HMAC didn't match the body503 adapter_not_running— the agent was killed or has not yet boot-restored
Sign your payload (when secret is set)
import crypto from "node:crypto";
const sig = "sha256=" + crypto
.createHmac("sha256", process.env.AUDIT_SECRET)
.update(JSON.stringify(body))
.digest("hex");
await fetch(`${ZEQ_DEV}/api/zeq/audit-source/${agentId}/event`, {
method: "POST",
headers: { "Content-Type": "application/json", "X-Zeq-Signature": sig },
body: JSON.stringify(body),
});
Reference
- Source:
shared/api-core/src/lib/dataSourceAudit/sources/httpWebhook.ts - Stamper:
shared/api-core/src/lib/dataSourceAudit/stamper.ts
Universal POST intake. Phase-locked at 1.287 Hz.