Provider Template Packs
Provider Template Packs are reusable packages for common webhook sources that provide structured defaults for endpoint configuration, provider verification, event classification, and operational visibility.
Overview
Zen Mesh provides Provider Template Packs for popular webhook sources. Each pack includes:
- Endpoint Setup — Pre-configured endpoint defaults
- Provider Verification — Signature verification (HMAC) for authenticity
- Event Classification — Structured event types and transformations
- Flow Patterns — Recommended endpoint-to-target routing
- Operations — Retry policy, dead-letter queue, and observability guidance
Available Packs
| Provider | Status | Signature Verification |
|---|---|---|
| Stripe | Production | HMAC-SHA256 (Stripe-Signature header) |
| GitHub | Production | HMAC-SHA256 (X-Hub-Signature-256 header) |
| Shopify | Production | HMAC-SHA256 (X-Shopify-Hmac-Sha256 header) |
| Twilio | Production | HMAC-SHA1 (X-Twilio-Signature header) |
| Custom Signed | Supported | Configurable HMAC via base transform |
Maturity Levels
Packs are tagged with maturity levels using the Provider Package Lifecycle classification:
- GA — Fully validated, recommended for production use
- Beta — Most quality gates passing, free grace period active
- Preview — Functional with core quality gates passing, free/quota-exempt
Of the four core provider packs, Stripe and GitHub are at GA maturity. Shopify and Twilio are at Preview maturity with a parity path to GA.
Architecture Mapping
Provider Template Packs map to Zen Mesh concepts:
| Pack Component | Zen Mesh Concept |
|---|---|
| Endpoint config | Endpoint CRD |
| Provider verification | AuthProfile / Transform rules |
| Event classification | Transform package rules |
| Flow patterns | Target / Routing |
| Operations | Retry / DLQ / Observability |
Usage
Packs are optional. You can:
- Use a pack — Accelerates setup with sensible defaults
- Custom endpoint — Full control without any pack
- Mix and match — Pack for one provider, custom for another
Packs do not remove user control. All endpoints, targets, and flows remain configurable.
Security Model
All provider packs enforce the same security model:
- Signature Verification — HMAC validation for provider authenticity
- mTLS — Mutual TLS on data-plane path (ingester → egress)
- SPIFFE/SPIRE — Workload identity for automated certificate rotation
- Scoped Secrets — Provider secrets stored encrypted, never logged
Operations
Packs provide operational defaults:
- Retry Policy — Exponential backoff with configurable attempts
- Dead Letter Queue — Failed deliveries queued for manual inspection
- Replay — Ability to replay events from evidence
- Observability — Structured logs, metrics, and traces
Custom Signed Webhooks
For providers not in the standard set, Zen Mesh supports custom signed webhooks:
- Use the base transform package
- Configure custom HMAC header name
- Set your secret in the AuthProfile
Custom signed webhooks use the same security model as provider packs.
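The HMAC check behind the Signature Verification column and the custom header option, written out as an added example (not Zen Mesh code or configuration): it verifies the GitHub, Shopify and Stripe header formats plus a custom header. The `custom` entry, its header name `X-Example-Signature`, the function names and the sample secret and body are assumptions constructed for illustration. Twilio is left out because its HMAC-SHA1 covers the request URL and sorted form parameters rather than the body alone.

```python
import base64
import hashlib
import hmac
import time

# Header formats as documented by GitHub and Shopify; "custom" is a constructed
# stand-in for a provider outside the standard set (header name is hypothetical).
SCHEMES = {
    "github": ("X-Hub-Signature-256", "hex", "sha256="),
    "shopify": ("X-Shopify-Hmac-Sha256", "base64", ""),
    "custom": ("X-Example-Signature", "hex", ""),
}

def compute_mac(secret, message, encoding="hex"):
    raw = hmac.new(secret, message, hashlib.sha256).digest()
    return raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()

def verify_body_hmac(scheme, secret, headers, body):
    """Check an HMAC-SHA256 computed over the raw, unparsed request body."""
    name, encoding, prefix = SCHEMES[scheme]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = lowered.get(name.lower())
    if not received:
        return False  # an unsigned request is rejected, never passed through
    expected = prefix + compute_mac(secret, body, encoding)
    return hmac.compare_digest(expected.encode(), received.encode())  # constant-time

def verify_stripe(secret, header, body, now=None, tolerance=300):
    """Stripe-Signature is 't=<unix ts>,v1=<hex>'; the MAC covers '<ts>.<body>'."""
    pairs = [item.split("=", 1) for item in header.split(",") if "=" in item]
    stamp = next((v for k, v in pairs if k == "t"), "")
    if not (stamp.isascii() and stamp.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(stamp)) > tolerance:
        return False  # stale timestamp: treat the delivery as a replay
    expected = compute_mac(secret, stamp.encode() + b"." + body).encode()
    return any(hmac.compare_digest(expected, v.encode())
               for k, v in pairs if k == "v1")

# Constructed sample delivery (not a real secret or event).
SECRET = b"whsec_constructed_example"
BODY = b'{"id":"evt_constructed","type":"invoice.paid"}'
```

The body passed in must be the exact bytes received on the wire; re-serializing parsed JSON before computing the MAC changes the bytes and makes valid deliveries fail.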
Non-Claims
- Not every provider pack is complete — roadmap packs are not current guarantees
- Packs provide defaults, not locked-in behavior
- All configuration remains under user control
- Production use requires applicable plan and approved operational controls