Destinations
Destinations in Native App mode are the same connector catalog as cloud Zeotap — Salesforce, HubSpot, Meta, Google Ads, S3, Slack, Mailchimp, Klaviyo, Braze, and the rest. The difference is where the egress happens: instead of leaving Zeotap’s cloud, the request leaves your Snowflake account through an External Access Integration (EAI) you’ve explicitly approved for the destination’s host.
Per-destination EAI mapping
Every destination family has a corresponding EAI reference declared in the application manifest and bound by post-install-eais.sql. Here is the catalog the post-install template ships with:
| Reference | Destination family | Hosts allow-listed |
|---|---|---|
signalsmith_sf_api_access | Zeotap control plane (REQUIRED) | composable.zeotap.com, events.zeotap.com |
claude_api_access | Anthropic / Agent service | api.anthropic.com |
google_api_access | Google Sheets, GA4, Ads, Ad Manager, DV360, Campaign Manager, Search Ads 360, Tag Manager, Analytics Hub, Retail, BigQuery, GCS | OAuth + per-product *.googleapis.com hosts |
salesforce_api_access | Salesforce CRM, Marketing Cloud, Data Cloud | login.salesforce.com, test.salesforce.com, your instance host |
hubspot_api_access | HubSpot | api.hubapi.com, app.hubspot.com |
meta_api_access | Meta Ads + CAPI | graph.facebook.com, business.facebook.com |
linkedin_api_access | LinkedIn Ads | api.linkedin.com |
tiktok_api_access | TikTok Business / Marketing API | business-api.tiktok.com, open-api.tiktok.com |
snapchat_api_access | Snapchat Ads + CAPI | adsapi.snapchat.com, tr.snapchat.com |
pinterest_api_access | Pinterest Business | api.pinterest.com |
slack_api_access | Slack | slack.com, hooks.slack.com, api.slack.com |
mailchimp_api_access | Mailchimp | us1.api.mailchimp.com through us22.api.mailchimp.com |
klaviyo_api_access | Klaviyo | a.klaviyo.com |
customer_io_api_access | Customer.io | api.customer.io, track.customer.io |
intercom_api_access | Intercom | api.intercom.io |
braze_api_access | Braze | rest.iad-01.braze.com through iad-08, rest.fra-01.braze.eu, fra-02 |
amplitude_api_access | Amplitude | api.amplitude.com, api.eu.amplitude.com |
mixpanel_api_access | Mixpanel | api.mixpanel.com, api-eu.mixpanel.com, api-in.mixpanel.com |
s3_api_access | AWS S3 | Regional S3 hosts (s3.<region>.amazonaws.com) |
gcs_api_access | Google Cloud Storage | storage.googleapis.com |
azure_blob_api_access | Azure Blob Storage | Your storage account host (commented out by default) |
webhook_api_access | Generic webhooks | Operator-specified (commented out by default) |
You only need to bind the references for destination families you actually use. The post-install template lets you comment out any section you don’t need — see Installation for the walkthrough.
Adding a destination from the catalog
In the Zeotap UI, choose Destinations → Add destination and pick the destination type. The field set is identical to cloud Zeotap — for OAuth destinations, the UI walks you through the OAuth flow; for API-key destinations, it asks for credentials directly. Zeotap stores the credentials in the in-account Postgres metadata store (encrypted at rest).
When the destination runs, the connector running in the SPCS service (or in an ephemeral job service for sync runs) opens an outbound HTTPS request to the destination’s host. The request leaves through the EAI you bound in post-install-eais.sql. If the EAI isn’t bound — for instance, you commented out a section and now want to use that destination — the connector returns an External access integration not enabled error and the UI shows it on the destination’s status panel.
Bring-your-own EAI for destinations outside the catalog
For destinations the catalog doesn’t cover — internal APIs, niche SaaS vendors, new vendors before Zeotap’s next Marketplace upgrade — your account admin can author an EAI in your account and grant USAGE to the Zeotap application:
-- 1. Create a network rule for the destination's host.
CREATE NETWORK RULE signalsmith_infra.public.acme_rule
TYPE = HOST_PORT MODE = EGRESS
VALUE_LIST = ('api.acme.com:443');
-- 2. Wrap the rule in an EAI.
CREATE EXTERNAL ACCESS INTEGRATION acme_eai
ALLOWED_NETWORK_RULES = (signalsmith_infra.public.acme_rule)
ENABLED = TRUE;
-- 3. Grant USAGE to the Zeotap application.
GRANT USAGE ON INTEGRATION acme_eai TO APPLICATION zeotap;In the Zeotap UI, choose Add destination → Custom (BYO-EAI), enter acme_eai as the EAI name, and provide the destination’s credentials. Zeotap calls a procedure inside the application that validates the grant and runs ALTER SERVICE to attach the new EAI. The new integration takes effect on the next request without a service restart.
Restricted regions
Some Snowflake regions reject wildcard hostnames in EAI rules (e.g. *.salesforce.com). When that happens, replace the wildcard with a per-instance allow-list and re-run the relevant section of post-install-eais.sql. The list of regions known to require this workaround at each release is published on the Zeotap Marketplace listing page.