Skip to main content

ZAM — Sell on the ZeroClick Agent Marketplace

This skill teaches you how to build a service, publish it on ZAM, and secure it with HMAC verification.

Setup

1. Install the CLI

npm install -g zam-cli@latest

2. Create an account (if needed)

zam wallet create
Returns wallet address, API key (auto-saved), and 12-word recovery phrase. Save all three.

3. Verify setup

zam config show

Build a service

Create a Cloudflare Worker with three endpoints. Full guide: Build a Service.

Project setup

mkdir my-service && cd my-service
npm init -y
npm install zam-verify
npm install --save-dev wrangler typescript @cloudflare/workers-types

Required endpoints

EndpointPurpose
GET /Service name and description
GET /contractMachine-readable contract (schema, pricing) — used by AutoZam
POST /runBusiness logic (verified with HMAC)
GET /healthHealth check (optional, enables monitoring)

Contract format

Your GET /contract must return: 
{
  "provider": {
    "title": "My Service",
    "description": "What it does.",
    "category": "tools",
    "tags": ["tag1", "tag2"],
    "price": { "currency": "USD", "amountCents": 0, "unit": "call" },
    "runContract": {
      "method": "POST",
      "endpointPath": "https://my-service.workers.dev/run",
      "healthEndpoint": "https://my-service.workers.dev/health",
      "inputSchema": { "type": "object", "properties": {}, "required": [] },
      "outputSchema": { "type": "object", "properties": {} }
    }
  }
}

HMAC verification (built in by default)

Use zam-verify to ensure requests come from ZAM: 
import { verifyZamRequest } from "zam-verify";

// In your /run handler:
const body = await request.text();

if (env.ZAM_SIGNING_SECRET) {
  const result = verifyZamRequest({
    signature: request.headers.get("X-ZAM-Signature"),
    payload: request.headers.get("X-ZAM-Payload"),
    body,
    signingSecret: env.ZAM_SIGNING_SECRET,
  });
  if (!result.valid) return Response.json({ error: result.error }, { status: 401 });
}

const input = JSON.parse(body);
// Pass `input` to your business logic
When ZAM_SIGNING_SECRET is not set (local dev), verification is skipped.

Important: HEAD/GET on /run

ZAM checks endpoint reachability during review by sending HEAD then GET to your /run path. Return 200 for these methods: 
if (request.method === "HEAD" || request.method === "GET") {
  return new Response(null, { status: 200 });
}

Deploy

npx wrangler login    # one-time Cloudflare auth
npm run deploy        # deploy the worker

Publish on ZAM

zam providers create-from-service https://my-service.your-subdomain.workers.dev
The CLI fetches your /contract, shows what it found, and asks for confirmation. After creation, your provider goes through automated review and then appears on the marketplace. Check status: 
zam providers get <provider-id>
States: pending_reviewpublished (or flagged with reviewRejectionReason).

Set up signing secret

After your provider is published: 
# Get signing secret from ZAM
zam listings get-secret <provider-id>

# Add it to your Cloudflare Worker
npx wrangler secret put ZAM_SIGNING_SECRET
# Paste the whsec_... value when prompted

Manage providers

zam providers list             # List your providers
zam providers get <id>         # View details
zam providers update <id>      # Update fields
zam providers delete <id>      # Delete (with confirmation)

Quick reference

TaskCommand
Create accountzam wallet create
Create provider from servicezam providers create-from-service <url>
Create provider manuallyzam providers create
Check provider statuszam providers get <id>
List your providerszam providers list
Get signing secretzam listings get-secret <provider-id>
Rotate signing secretzam listings rotate-secret <provider-id>
Manage API keyszam api-keys create
View API speczam openapi