Provider Template Packs

Provider Template Packs are reusable packages for common webhook sources that provide structured defaults for endpoint configuration, provider verification, event classification, and operational visibility.

Overview

Zen Mesh provides Provider Template Packs for popular webhook sources. Each pack includes:

  • Endpoint Setup — Pre-configured endpoint defaults
  • Provider Verification — Signature verification (HMAC) for authenticity
  • Event Classification — Structured event types and transformations
  • Flow Patterns — Recommended endpoint-to-target routing
  • Operations — Retry policy, dead-letter queue, and observability guidance

Available Packs

Provider      | Status     | Signature Verification
Stripe        | Production | HMAC-SHA256 (Stripe-Signature header)
GitHub        | Production | HMAC-SHA256 (X-Hub-Signature-256 header)
Shopify       | Production | HMAC-SHA256 (X-Shopify-Hmac-Sha256 header)
Twilio        | Production | HMAC-SHA1 (X-Twilio-Signature header)
Custom Signed | Supported  | Configurable HMAC via base transform

Maturity Levels

Packs are tagged with maturity levels using the Provider Package Lifecycle classification:

  • GA — Fully validated, recommended for production use
  • Beta — Most quality gates passing, free grace period active
  • Preview — Functional with core quality gates passing, free/quota-exempt

Of the four core provider packs, Stripe and GitHub are at GA maturity. Shopify and Twilio are at Preview maturity with a parity path to GA.

Architecture Mapping

Provider Template Packs map to Zen Mesh concepts:

Pack Component        | Zen Mesh Concept
Endpoint config       | Endpoint CRD
Provider verification | AuthProfile / Transform rules
Event classification  | Transform package rules
Flow patterns         | Target / Routing
Operations            | Retry / DLQ / Observability

Usage

Packs are optional. You can:

  1. Use a pack — Accelerates setup with sensible defaults
  2. Custom endpoint — Full control without any pack
  3. Mix and match — Pack for one provider, custom for another

Packs do not remove user control. All endpoints, targets, and flows remain configurable.

Security Model

All provider packs enforce the same security model:

  • Signature Verification — HMAC validation for provider authenticity
  • mTLS — Mutual TLS on data-plane path (ingester → egress)
  • SPIFFE/SPIRE — Workload identity for automated certificate rotation
  • Scoped Secrets — Provider secrets stored encrypted, never logged

Operations

Packs provide operational defaults:

  • Retry Policy — Exponential backoff with configurable attempts
  • Dead Letter Queue — Failed deliveries queued for manual inspection
  • Replay — Ability to replay events from evidence
  • Observability — Structured logs, metrics, and traces

Custom Signed Webhooks

For providers not in the standard set, Zen Mesh supports custom signed webhooks:

  1. Use the base transform package
  2. Configure custom HMAC header name
  3. Set your secret in the AuthProfile

Custom signed webhooks use the same security model as provider packs.
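
The HMAC check behind the signature headers in the Available Packs table, generalized to a configurable header name as in the custom signed webhook steps above. This is an added example, not Zen Mesh code: the SCHEMES table, its keys, the function names and the X-Example-Signature header are hypothetical, and the GitHub and Shopify encodings follow those providers' public documentation.

```python
import base64
import hashlib
import hmac

# Hypothetical per-provider settings (not Zen Mesh configuration keys).
# Header names for GitHub and Shopify come from the pack table; "custom" is a
# made-up header standing in for a provider outside the standard set.
SCHEMES = {
    "github": {"header": "X-Hub-Signature-256", "digest": "sha256",
               "encoding": "hex", "prefix": "sha256="},
    "shopify": {"header": "X-Shopify-Hmac-Sha256", "digest": "sha256",
                "encoding": "base64", "prefix": ""},
    "custom": {"header": "X-Example-Signature", "digest": "sha256",
               "encoding": "hex", "prefix": ""},
}


def compute_signature(secret: bytes, raw_body: bytes, scheme: dict) -> str:
    """HMAC over the exact bytes received, before any JSON parsing or re-encoding."""
    mac = hmac.new(secret, raw_body, getattr(hashlib, scheme["digest"])).digest()
    if scheme["encoding"] == "hex":
        encoded = mac.hex()
    else:
        encoded = base64.b64encode(mac).decode()
    return scheme["prefix"] + encoded


def verify_webhook(provider: str, headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """Return True only if the configured header carries a valid signature."""
    scheme = SCHEMES.get(provider)
    if scheme is None or not secret:
        return False  # fail closed on an unknown provider or an empty secret
    # HTTP header names are case-insensitive, so normalize before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(scheme["header"].lower())
    if not received:
        return False  # a missing signature header is a rejection, not a pass
    expected = compute_signature(secret, raw_body, scheme)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), received.strip().encode())
```

Pass the raw request body as received; a body that has been parsed and re-serialized will generally not reproduce the provider's signature.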

Non-Claims

  • Not every provider pack is complete — roadmap packs are not current guarantees
  • Packs provide defaults, not locked-in behavior
  • All configuration remains under user control
  • Production use requires applicable plan and approved operational controls