This integration is org-level. Connections are scoped to your organization and managed by an owner. If you don’t
see Add Connection, ask your org owner to set this up.
Before you start
You’ll need:- An owner role in your Zudo organization
- A Segment workspace with at least one source (e.g. JavaScript, Node.js, mobile SDK) sending Track events
- An idea of which event names matter to your customer-success team — login, feature usage, billing, etc. Zudo only rolls up events on an allowlist, so a tight list keeps cost and noise down.
How it works
- Zudo gives you a unique webhook URL and a shared secret.
- You add a Webhook destination in Segment that posts events to that URL, signed with the shared secret.
- Segment delivers each event in real time.
- Zudo verifies the HMAC signature, archives the raw event to S3, and inserts a row into the staging table.
- Every 10 minutes a job aggregates allowlisted events into per-account daily rollups and resolves which Zudo account each event belongs to.
Connect
Create the Connection in Zudo
Go to Settings → Connections, click Add Connection, and select Segment (product events). Click Create
Connection — Zudo generates the webhook URL and shared secret automatically.
Copy the webhook URL and shared secret
The next screen shows both values once. Copy them now — Zudo will not show the secret again. If you lose it, you
can delete the connection and recreate it.
Add the Webhook destination in Segment
In your Segment workspace:
- Open Connections → Destinations and click Add Destination.
- Search for Webhooks (the classic destination, not “Webhook (Actions)”).
- Choose the source you want events to flow from and click Next.
- Name the destination something memorable like
Zudo Product Events.
- Under Webhook URLs, paste the URL Zudo gave you.
- Under Shared Secret, paste the secret Zudo gave you. This tells Segment to sign each request as
X-Signature: HMAC-SHA1(body, secret). - Save.
Configure the allowlist back in Zudo
Go back to Settings → Connections and expand the new Segment connection. Under Event allowlist, list the event
names you want rolled up — one per line. Anything outside the allowlist is still archived to S3 (replayable later) but
won’t appear in rollups, indicators, or health scores.
Configure identity rules (optional)
Expand Identity rules to control how events resolve to Zudo accounts and contacts. The defaults work for most
setups — see Identity rules below if you need to customize.
What flows in
Zudo accepts every Segment call type but treats them differently:| Call type | Captured event name | Used for |
|---|---|---|
| Track | body.event (e.g. Item Viewed, Login) | Rollups + indicators (when the event is in your allowlist) |
| Group | $group | Identity resolution (binds users to accounts via groupId) |
| Identify | $identify | Identity resolution (binds users to email / external user id) |
| Page | $page | Same as Track if allowlisted |
| Screen | $screen | Same as Track if allowlisted |
Identity rules
When a Segment event arrives, Zudo runs an ordered chain of strategies to figure out which Zudo Account (and optionally Contact) the event belongs to. The first match wins. The default chain works for most orgs and looks like this:- Account chain:
- Match
groupIdagainstAccount.externalId(the canonical external identifier you’ve stamped on the account in Zudo) - Match
groupIdagainstAccount.psId(your existing internal account id) - Match
groupIdagainstAccount.vitallyId(if you’ve also got Vitally synced)
- Match
- Contact chain (used when no account match was found):
- Match
userIdagainstContact.productExternalUserId - Match
emailagainstContact.email
- Match
null accountId. Once you map the right ID onto the account, use Reconcile on the connection card to back-fill.
Customize
In the connection’s Identity rules section you can:- Reorder strategies with ↑ / ↓
- Remove unused strategies with ✕
- Add strategies for new sources (e.g.
from: payload:properties.account_uuidto match an arbitrary path inside the event payload) - Match against a custom trait value — useful when your customer’s account id is stored as a Vitally trait or a Zudo user-defined trait
Volume and cost controls
The rate limit field on the connection card caps the number of events per minute Zudo will accept from your org. Default is 600/min (~864K events/day). Events over the cap return429 to Segment, which retries them with backoff. Raise or lower this based on your contract.
The event allowlist is the biggest cost lever — only allowlisted events enter Postgres. Everything is archived to S3 regardless.
Troubleshooting
Events not arriving
Open your Segment destination’s Event Delivery tab. If you see 401 responses, the shared secret in Segment
doesn’t match what Zudo has on file. Recreate the connection in Zudo and update Segment’s Shared Secret.
Events arriving but no rollups
Check the connection’s Recent events debug list. If
inAllowlist is false for your test events, add them to
the allowlist. Rollups appear after the next aggregation run (every 10 minutes).Events showing on the wrong account or no account
Identity resolution didn’t match. Open the recent events list — the
externalGroupId and externalUserId fields
show exactly what Segment sent. Make sure the value matches one of the strategies in your Identity rules. Either
correct the data in Segment’s Group/Identify calls, or add a strategy that matches what’s already there (for example
a payload:properties.account_uuid strategy).