POST /v2/topics/{topicId}/members

curl --request POST \
  --url https://api.zenzap.co/v2/topics/{topicId}/members \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-Signature: <api-key>' \
  --data '
{
  "memberIds": [
    "550e8400-e29b-41d4-a716-446655440003"
  ]
}
'

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "memberIds": [
    "550e8400-e29b-41d4-a716-446655440001",
    "550e8400-e29b-41d4-a716-446655440002",
    "550e8400-e29b-41d4-a716-446655440003",
    "b@660e8400-e29b-41d4-a716-446655440003"
  ],
  "updatedAt": 1699564800000
}

Authorizations

Authorization
string
header
required

Bearer token for the request. Two flavors:

  • Static API key — pass your API key (the value returned as apiKey when the bot was created). Must be paired with X-Signature + X-Timestamp (the hmacSignature scheme).
  • OAuth access token — pass the JWT returned by POST /oauth/token. No signature headers are required.

X-Signature
string
header
required

HMAC-SHA256 signature for request verification. Required only when authenticating with a static API key. Omit when using an OAuth access token.

Headers

X-Signature
string

HMAC signature of the request for authentication and replay protection.

Required only when authenticating with a static API key. If you are using an OAuth access token (issued by POST /oauth/token), omit this header — the JWT carries all the authentication and integrity guarantees.

Replay Protection: The signature includes a timestamp to prevent replay attacks. Requests with timestamps older than 5 minutes are rejected.

The signature payload differs by HTTP method:

  • POST/PUT/PATCH/DELETE: HMAC-SHA256 of {timestamp}.{body}
  • GET: HMAC-SHA256 of {timestamp}.{uri}

The signature is calculated as:

  1. Get the current Unix timestamp in milliseconds
  2. Determine the payload:
    • For POST/PUT/PATCH/DELETE: Use {timestamp}.{body} where body is the request body
    • For GET: Use {timestamp}.{uri} where uri is the full request URI (e.g., /v2/members?limit=10)
  3. Calculate HMAC-SHA256 of the combined payload using your API secret
  4. Hex-encode the output
  5. Include the timestamp in the X-Timestamp header

Example for GET request to /v2/members?limit=10:

timestamp = 1699564800000
payload = "1699564800000./v2/members?limit=10"
signature = HMAC-SHA256(secret, payload)
X-Signature: hex(signature)
X-Timestamp: 1699564800000

Example for POST request with body {"topicId":"123","text":"Hello"}:

timestamp = 1699564800000
payload = '1699564800000.{"topicId":"123","text":"Hello"}'
signature = HMAC-SHA256(secret, payload)
X-Signature: hex(signature)
X-Timestamp: 1699564800000

For multipart/form-data requests, sign the exact raw request body bytes (including boundaries and file bytes) as transmitted.

Pattern: ^[a-f0-9]{64}$
Example:

"a3d5f8e7c2b1d4f6a8e9c7b5d3f1a2e4b6c8d0f2e4a6b8c0d2e4f6a8b0c2d4e6"

X-Timestamp
integer<int64>

Unix timestamp in milliseconds when the request was created. Used for replay protection — requests older than 5 minutes are rejected.

Required only when authenticating with a static API key. Omit when using an OAuth access token.

Example:

1699564800000
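
The signing steps for X-Signature and X-Timestamp described above, with a matching receiver-side check, as an added example (not Zenzap's own code). Assumptions: the function names, the constructed secret, UTF-8 encoding of the timestamp and URI, and the verifier logic itself (including rejecting timestamps more than 5 minutes in the future), none of which the page specifies.

```python
import hashlib
import hmac
import re

MAX_AGE_MS = 5 * 60 * 1000                    # page: older than 5 minutes is rejected
SIG_PATTERN = re.compile(r"[a-f0-9]{64}")     # documented X-Signature pattern
TS_PATTERN = re.compile(r"[0-9]{1,16}")       # assumed bound on X-Timestamp length
BODY_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample input: the secret is made up, the other values appear on the page.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_TS = 1699564800000
DEMO_POST_URI = "/v2/topics/550e8400-e29b-41d4-a716-446655440000/members"
DEMO_BODY = b'{"memberIds":["550e8400-e29b-41d4-a716-446655440003"]}'
DEMO_GET_URI = "/v2/members?limit=10"


def signing_payload(method, uri, body, timestamp_ms):
    """Return {timestamp}.{body} for body methods, {timestamp}.{uri} for GET."""
    prefix = f"{timestamp_ms}.".encode()
    if method.upper() in BODY_METHODS:
        return prefix + body          # exact raw bytes as transmitted
    return prefix + uri.encode()      # full request URI, query string included


def sign_request(secret, method, uri, body, timestamp_ms):
    """Client side: build the X-Signature and X-Timestamp header values."""
    payload = signing_payload(method, uri, body, timestamp_ms)
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"X-Signature": digest, "X-Timestamp": str(timestamp_ms)}


def verify_request(secret, method, uri, body, headers, now_ms):
    """Receiver side (assumed logic): check format, freshness, then the MAC."""
    sig = headers.get("X-Signature", "")
    ts_raw = headers.get("X-Timestamp", "")
    if not SIG_PATTERN.fullmatch(sig) or not TS_PATTERN.fullmatch(ts_raw):
        return False
    ts = int(ts_raw)
    if abs(now_ms - ts) > MAX_AGE_MS:          # bounding future skew is an assumption
        return False
    expected = sign_request(secret, method, uri, body, ts)["X-Signature"]
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    hdrs = sign_request(DEMO_SECRET, "POST", DEMO_POST_URI, DEMO_BODY, DEMO_TS)
    print(hdrs)
    print(verify_request(DEMO_SECRET, "POST", DEMO_POST_URI, DEMO_BODY, hdrs, DEMO_TS + 1000))
```

Sign the bytes that are actually sent: re-serializing the JSON after signing (different whitespace or key order) changes the payload and the check fails.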

Path Parameters

topicId
string<uuid>
required

The ID of the topic to add members to

Body

application/json

memberIds
string<uuid>[]
required

Array of member IDs to add to the topic (max 5). All members must be from the same organization as the bot and must not already be members of the topic. Duplicate IDs in the request are automatically removed.

Required array length: 1 - 5 elements
Example:
[
  "550e8400-e29b-41d4-a716-446655440003",
  "550e8400-e29b-41d4-a716-446655440004"
]

Response

Members added successfully

id
string<uuid>

The topic ID

Example:

"550e8400-e29b-41d4-a716-446655440000"

memberIds
string[]

Updated array of member IDs in the topic

Example:
[
  "550e8400-e29b-41d4-a716-446655440001",
  "550e8400-e29b-41d4-a716-446655440002"
]

updatedAt
integer<int64>

Unix timestamp in milliseconds when the topic was updated

Example:

1699564800000