> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zenzap.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Get topic details

> Get details of a specific topic including its name, description, and member IDs.

**Authorization:** Your API key bot must be a member of the topic to access its details.

**Note:** For security reasons, a 404 response is returned both when the topic does not exist
and when your bot is not a member of the topic.




## OpenAPI

````yaml /openapi.yaml get /v2/topics/{topicId}
openapi: 3.0.3
info:
  title: Zenzap External Integration API
  description: >
    API for external applications to integrate with Zenzap.

    ## Getting Started

    Welcome to the Zenzap External Integration API documentation. This API is
    used to integrate with Zenzap.

    As a context we would like to familiarize you with the Zenzap platform and
    how it works.

    Zenzap is a platform for creating and managing topics and messages.

    Topics (Zenzap term for group chats/channels/conversations) are used to
    create and manage conversations with your team. Topics are used to group
    messages and tasks together.

    Messages are used to send and receive messages with your team.

    Tasks are used to create and manage tasks with your team.

    Members are used to manage your team members.

    API keys are used to authenticate your requests to the Zenzap API.

    API keys are created and managed by the Zenzap admin user.


    When you create a new API key, it would create a new bot user in Zenzap, on
    which behalf you can send messages, create topics, create tasks and manage
    members.

    All actions you perform with the API key will be performed on behalf of the
    bot user.

    The bot can be used within the scope of your organization. You can create
    topics, send messages, create tasks and manage members on behalf of the bot.

    1. On a Zenzap admin user, go to https://app.zenzap.co/console

    2. Create a new API key with the needed permissions

    3. Copy the API key and secret from the API key settings

    4. For each request:
       - Add the Authorization header with your API key
       - Generate a Unix timestamp in milliseconds
       - Calculate the HMAC-SHA256 signature:
         - For POST/PUT/PATCH/DELETE: Sign `{timestamp}.{body}`
         - For GET: Sign `{timestamp}.{uri}` (e.g., `/v2/members?limit=10`)
       - Add the X-Signature header with the hex-encoded signature
       - Add the X-Timestamp header with the timestamp used in the payload

    ## Authentication

    All API endpoints require two forms of authentication:


    1. **Bearer Token**: Include your API key in the Authorization header:

    ```

    Authorization: Bearer YOUR_API_KEY

    ```


    2. **Request Signing**: Include an HMAC signature and timestamp in headers:

    ```

    X-Signature: <HMAC-SHA256 hex-encoded signature>

    X-Timestamp: <Unix timestamp in milliseconds>

    ```

    The signature includes a timestamp for replay protection. Requests older
    than 5 minutes are rejected.


    The signature payload differs by HTTP method:

    - **POST/PUT/PATCH/DELETE requests**: Sign `{timestamp}.{body}`

    - **GET requests**: Sign `{timestamp}.{uri}`


    The signature is calculated using HMAC-SHA256 with your API secret.

      **How to calculate:**
      1. Get the current Unix timestamp in milliseconds
      2. Determine the payload:
          - **POST/PUT/PATCH/DELETE**: Use `{timestamp}.{body}` (e.g., `1699564800000.{"topicId":"123"}`)
          - **GET**: Use `{timestamp}.{uri}` (e.g., `1699564800000./v2/members?limit=10`)
      3. Calculate HMAC-SHA256 of the payload using your API secret
      4. Hex-encode the result (64 character lowercase string)
      5. Include timestamp in X-Timestamp header

      **Example (Python):**
      ```python
      import json
      import hmac
      import hashlib
      import time
      import requests

      def create_topic(name: str, members: list[str], description: str = None, external_id: str = None) -> dict:
          """Create a topic in Zenzap with HMAC signature and replay protection."""

          # Build request body
          body = {
              "name": name,
              "members": members,
          }
          if description:
              body["description"] = description
          if external_id:
              body["externalId"] = external_id

          # Serialize body (no spaces for consistent signing)
          body_json = json.dumps(body, separators=(",", ":"))

          # Get timestamp for replay protection
          timestamp = int(time.time() * 1000)  # Unix milliseconds

          # Create HMAC-SHA256 signature with timestamp
          signature_payload = f"{timestamp}.{body_json}"
          signature = hmac.new(
              API_SECRET.encode(),
              signature_payload.encode(),
              hashlib.sha256
          ).hexdigest()

          # Make request
          headers = {
              "Authorization": f"Bearer {API_KEY}",
              "Content-Type": "application/json",
              "X-Signature": signature,
              "X-Timestamp": str(timestamp),
          }

          response = requests.post(f"{BASE_URL}/v2/topics", headers=headers, data=body_json)
          response.raise_for_status()
          return response.json()
      ```

      **Note:** Our API documentation tools cannot automatically generate HMAC signatures. You will need to calculate this manually or use a tool like Postman with pre-request scripts.


    ## Rate Limits

    API requests are rate limited per organization. Contact support for specific
    limits.
  version: 2.0.0
  contact:
    name: Zenzap Support
    url: https://zenzap.co/support
servers:
  - url: https://api.zenzap.co
    description: Production server
security:
  - bearerAuth: []
    hmacSignature: []
  - oauth2ClientCredentials: []
tags:
  - name: OAuth
    description: >
      OAuth 2.0 `client_credentials` grant. Used by API-key bots that were
      created with `credentialType: oauth` to mint short-lived bearer access
      tokens.


      **In a nutshell:**

      1. Get a `clientId` and `clientSecret` from your bot in the Zenzap admin
      console. The `clientSecret` is shown once at creation; if lost, rotate it
      from the same screen.

      2. `POST /oauth/token` with `grant_type=client_credentials` to receive a
      JWT access token (1-hour TTL).

      3. Call any `/v2/*` endpoint with `Authorization: Bearer <access_token>`.
      No `X-Signature` / `X-Timestamp` headers are needed on the OAuth path.

      4. Re-mint when the token expires. There is **no refresh token**.


      Scopes are granular per endpoint — see the [Authentication
      page](/api-reference/authentication#oauth-scopes) for the full scope
      catalog and the endpoint → scope mapping.
  - name: Polls
    description: >
      Operations for creating polls, recording votes, and retracting votes.


      Polls are posted as messages in a topic. When you create a poll, each
      option is assigned a server-generated 6-character ID — use those IDs as
      `optionId` when submitting votes.


      **Voting constraints:**

      - The bot must be a member of the topic the poll was posted in

      - Anonymous polls (`anonymous: true`) do not support voting via the API

      - Votes cannot be cast on closed or expired polls

      - Each `{pollId, optionId, voter}` combination is idempotent

      - Votes can be retracted with `DELETE /v2/polls/{pollId}/votes/{voteId}`
      using the `id` returned when the vote was cast
  - name: Agentic
    description: >
      Endpoints for AI agents to programmatically set up Zenzap organizations.


      Use `POST /v2/agentic/organization/create` to create an organization,
      install a bot, and invite a human user in a single request — no
      authentication required.
  - name: Messages
    description: Operations for sending messages
  - name: Topics (group chats/channels/conversations)
    description: Operations for managing topics (group chats/channels/conversations)
  - name: Tasks
    description: Operations for managing tasks
  - name: Members
    description: Operations for retrieving organization members
  - name: Long Polling
    description: >
      Long polling allows your integration to fetch outbound events instead of
      receiving webhooks.


      Use `GET /v2/updates` with:

      - `offset`: value returned as `nextOffset` from the previous response

      - `limit`: max updates per request (default 50, max 100)

      - `timeout`: wait time in seconds when no updates are available (default
      0, max 30)


      Event payloads in polling responses match webhook `data` payloads for the
      same event type.

      This includes `data.message.attachments[]` with signed URLs for
      file/image/video/audio messages.
  - name: Webhooks
    description: >
      Webhooks allow your application to receive real-time notifications when
      events occur in Zenzap.

      Configure your webhook URL in the Zenzap console for your API key.


      ## Webhook Headers


      Each webhook delivery includes the following headers:

      - `X-Zenzap-Event`: The event type (e.g., `message.created`)

      - `X-Zenzap-Signature`: HMAC-SHA256 signature for verification

      - `X-Zenzap-Timestamp`: Unix timestamp (milliseconds) when the webhook was
      sent

      - `X-Zenzap-Delivery-Id`: Unique ID for this delivery (for deduplication)


      ## Signature Verification


      Webhooks are signed using the same API secret (`BOT_SECRET`) used for
      request signing.

      Verify webhooks by calculating:

      ```

      expected = HMAC-SHA256(BOT_SECRET, "{timestamp}.{body}")

      ```


      Where `{timestamp}` is from `X-Zenzap-Timestamp` and `{body}` is the raw
      request body.

      If the request includes `Content-Encoding: gzip`, decompress before
      verifying.


      ## Webhook Payload Format


      All webhook events follow the same envelope structure (see `WebhookEvent`
      schema):


      ```json

      {
        "id": "evt_550e8400-e29b-41d4-a716-446655440099",
        "type": "message.created",
        "eventVersion": 1,
        "timestamp": 1699564800000,
        "data": { ... }
      }

      ```


      The `data` field contents vary by event type. See the schemas section for
      detailed payload structures.


      ## Event Types


      ### Message Events


      | Event | Trigger | Data Schema |

      |-------|---------|-------------|

      | `message.created` | New message sent | `WebhookMessageCreatedEvent` |

      | `message.updated` | Message edited or transcription completed |
      `WebhookMessageUpdatedEvent` |

      | `message.deleted` | Message deleted | `WebhookMessageDeletedEvent` |


      ### Reaction Events


      | Event | Trigger | Data Schema |

      |-------|---------|-------------|

      | `reaction.added` | Emoji reaction added | `WebhookReactionAddedEvent` |

      | `reaction.removed` | Emoji reaction removed |
      `WebhookReactionRemovedEvent` |


      ### Member Events


      | Event | Trigger | Data Schema |

      |-------|---------|-------------|

      | `member.added` | User added to topic | `WebhookMemberAddedEvent` |

      | `member.removed` | User removed from topic | `WebhookMemberRemovedEvent`
      |


      ### Topic Events


      | Event | Trigger | Data Schema |

      |-------|---------|-------------|

      | `topic.updated` | Topic name/description changed |
      `WebhookTopicUpdatedEvent` |


      ## Message Types


      Messages can have different types based on their content:


      | Type | Description | Additional Fields |

      |------|-------------|-------------------|

      | `text` | Regular text message | `text` |

      | `image`, `file`, `video`, `audio` | Message with attachment |
      `attachments[]` |

      | `location` | Shared location | `location` |

      | `task` | Task snapshot | `task` |

      | `contact` | Shared contact | `contact` |


      ## Attachments & File Access


      Attachment URLs in webhook payloads are signed and **expire after 60
      minutes**.

      Download files promptly after receiving the webhook.


      ```json

      {
        "id": "att_...",
        "type": "image",
        "name": "screenshot.png",
        "url": "https://storage.zenzap.co/attachments/...?token=...&expires=..."
      }

      ```


      ## Voice Message Transcription


      Voice messages (audio attachments) are automatically transcribed:


      1. **`message.created`** - Initial message with `transcription.status:
      "Pending"`

      2. **`message.updated`** - Fired when transcription completes with
      `status: "Done"`


      ```json

      {
        "attachments": [{
          "type": "audio",
          "name": "voice-note.mp3",
          "url": "https://...",
          "transcription": {
            "status": "Done",
            "text": "Hey team, just a quick update..."
          }
        }]
      }

      ```


      ## Reply Messages


      Messages that reply to other messages include:

      - `parentId`: UUID of the message being replied to
paths:
  /v2/topics/{topicId}:
    get:
      tags:
        - Topics (group chats/channels/conversations)
      summary: Get topic details
      description: >
        Get details of a specific topic including its name, description, and
        member IDs.


        **Authorization:** Your API key bot must be a member of the topic to
        access its details.


        **Note:** For security reasons, a 404 response is returned both when the
        topic does not exist

        and when your bot is not a member of the topic.
      operationId: getTopic
      parameters:
        - $ref: '#/components/parameters/XSignature'
        - $ref: '#/components/parameters/XTimestamp'
        - name: topicId
          in: path
          required: true
          description: The ID of the topic to retrieve
          schema:
            type: string
            format: uuid
          example: 550e8400-e29b-41d4-a716-446655440000
      responses:
        '200':
          description: Topic details retrieved successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TopicGetResponse'
              example:
                id: 550e8400-e29b-41d4-a716-446655440000
                name: Project Updates
                description: Discussion for project milestones
                memberIds:
                  - 550e8400-e29b-41d4-a716-446655440001
                  - 550e8400-e29b-41d4-a716-446655440002
                  - b@660e8400-e29b-41d4-a716-446655440003
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - bearerAuth: []
          hmacSignature: []
        - oauth2ClientCredentials:
            - channel:read
components:
  parameters:
    XSignature:
      name: X-Signature
      in: header
      required: false
      description: >
        HMAC signature of the request for authentication and replay protection.


        **Required only when authenticating with a static API key.** If you are
        using an OAuth access token (issued by `POST /oauth/token`), omit this
        header — the JWT carries all the authentication and integrity
        guarantees.


        **Replay Protection:** The signature includes a timestamp to prevent
        replay attacks.

        Requests with timestamps older than 5 minutes are rejected.


        The signature payload differs by HTTP method:

        - **POST/PUT/PATCH/DELETE**: HMAC-SHA256 of `{timestamp}.{body}`

        - **GET**: HMAC-SHA256 of `{timestamp}.{uri}`


        The signature is calculated as:

        1. Get the current Unix timestamp in milliseconds

        2. Determine the payload:
           - For POST/PUT/PATCH/DELETE: Use `{timestamp}.{body}` where body is the request body
           - For GET: Use `{timestamp}.{uri}` where uri is the full request URI (e.g., `/v2/members?limit=10`)
        3. Calculate HMAC-SHA256 of the combined payload using your API secret

        4. Hex-encode the output

        5. Include the timestamp in the `X-Timestamp` header


        Example for GET request to `/v2/members?limit=10`:

        ```

        timestamp = 1699564800000

        payload = "1699564800000./v2/members?limit=10"

        signature = HMAC-SHA256(secret, payload)

        X-Signature: hex(signature)

        X-Timestamp: 1699564800000

        ```


        Example for POST request with body `{"topicId":"123","text":"Hello"}`:

        ```

        timestamp = 1699564800000

        payload = '1699564800000.{"topicId":"123","text":"Hello"}'

        signature = HMAC-SHA256(secret, payload)

        X-Signature: hex(signature)

        X-Timestamp: 1699564800000

        ```


        For `multipart/form-data` requests, sign the exact raw request body
        bytes

        (including boundaries and file bytes) as transmitted.
      schema:
        type: string
        pattern: ^[a-f0-9]{64}$
        example: a3d5f8e7c2b1d4f6a8e9c7b5d3f1a2e4b6c8d0f2e4a6b8c0d2e4f6a8b0c2d4e6
    XTimestamp:
      name: X-Timestamp
      in: header
      required: false
      description: >
        Unix timestamp in milliseconds when the request was created.

        Used for replay protection — requests older than 5 minutes are rejected.


        **Required only when authenticating with a static API key.** Omit when
        using an OAuth access token.
      schema:
        type: integer
        format: int64
        example: 1699564800000
  schemas:
    TopicGetResponse:
      type: object
      properties:
        id:
          type: string
          format: uuid
          description: The topic ID
          example: 550e8400-e29b-41d4-a716-446655440000
        name:
          type: string
          description: The topic name
          example: Project Updates
        description:
          type: string
          description: The topic description
          example: Discussion for project milestones
        memberIds:
          type: array
          items:
            type: string
          description: Array of member IDs in the topic
          example:
            - 550e8400-e29b-41d4-a716-446655440001
            - 550e8400-e29b-41d4-a716-446655440002
  responses:
    BadRequest:
      description: Bad request - invalid input
      content:
        text/plain:
          schema:
            type: string
          example: text is required
    Unauthorized:
      description: Unauthorized - invalid or missing API token
      content:
        text/plain:
          schema:
            type: string
          example: unauthorized
    NotFound:
      description: Resource not found
      content:
        text/plain:
          schema:
            type: string
          example: Topic not found
    InternalServerError:
      description: Internal server error
      content:
        text/plain:
          schema:
            type: string
          example: internal server error
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >
        Bearer token for the request. Two flavors:


        - **Static API key** — pass your API key (the value returned as `apiKey`
        when the bot was created). Must be paired with `X-Signature` +
        `X-Timestamp` (the `hmacSignature` scheme).

        - **OAuth access token** — pass the JWT returned by `POST /oauth/token`.
        No signature headers are required.
    hmacSignature:
      type: apiKey
      in: header
      name: X-Signature
      description: >
        HMAC-SHA256 signature for request verification. Required **only** when
        authenticating with a static API key. Omit when using an OAuth access
        token.
    oauth2ClientCredentials:
      type: oauth2
      description: >
        OAuth 2.0 `client_credentials` grant for API-key bots. Use the
        `clientId` and `clientSecret` returned when the bot was created (or
        rotated) to mint short-lived access tokens. See
        [Authentication](/api-reference/authentication) for details.


        Access tokens are bearer JWTs and expire after 1 hour. There is no
        refresh token — re-mint with the client credentials when the token
        expires.
      flows:
        clientCredentials:
          tokenUrl: https://api.zenzap.co/oauth/token
          scopes:
            channel:list: List topics the bot belongs to
            channel:read: Read topic metadata
            channel:write: Create/update topics and manage members
            message:read: Read messages
            message:send: Send messages
            message:write: Edit / delete / mark-delivered / mark-read messages
            reaction:write: Add and remove reactions on messages
            task:read: Read tasks
            task:write: Create / update / delete tasks
            poll:write: Create polls and cast / retract votes
            member:read: List organization members
            updates:read: Long-poll for outbound events

````