Webhooks let Bold Factory push data to your systems the moment something happens — a production order completes, a stock movement is recorded, a maintenance work order closes. Bold sends an HTTP POST request to a URL you control, and your system processes it in real time. There is no need to poll the API on a timer or wait for an overnight batch. This makes webhooks the right choice whenever you need your ERP, MES, or any downstream system to react immediately to shop-floor events.

How to register a webhook endpoint

1. Create a publicly accessible endpoint

   Your webhook receiver must be reachable over HTTPS from the internet. Deploy a small HTTP handler in your infrastructure — any language or framework works. The endpoint should return HTTP 200 quickly (within a few seconds) to acknowledge receipt.

2. Open webhook settings in Bold

   Log in to Bold Factory and go to Settings → Integrations → Webhooks. Click Add Webhook.

3. Configure the webhook

   Enter your endpoint URL, select the event types you want to subscribe to, and optionally add a secret signing key (strongly recommended — see Verifying signatures below). Click Save.

4. Send a test event

   Use the Send test event button in the webhook settings page to fire a sample payload to your endpoint and confirm it is reachable and responding correctly.

Available event types

Bold Factory emits webhooks across all major operational areas — production, stock, purchasing, maintenance, and quality. The table below shows representative examples of the kinds of events you can subscribe to. Event names follow a domain.action pattern.

| Example event type | Triggered when… |
| --- | --- |
| production.order.completed | A production order is marked as finished and all quantities are confirmed. |
| production.order.created | A new production order is created in Bold. |
| stock.movement.created | A stock entry or exit is recorded (goods receipt, issue to production, adjustment). |
| purchasing.order.received | A goods receipt is confirmed against a purchase order. |
| maintenance.work_order.closed | A maintenance work order is closed and labor/parts are logged. |

The examples above are illustrative. The full and up-to-date list of available event types is shown in Settings → Integrations → Webhooks when you create or edit a subscription.

Webhook payload structure

Every webhook Bold sends shares the same envelope structure. The data object varies by event type and contains the fields relevant to that event — refer to the Swagger docs for per-event schemas. The example below illustrates a production.order.completed delivery; actual field names may differ.
{
  "id": "evt_01hxyz3kq8f2v9m4n7p6r5t0uw",
  "event": "production.order.completed",
  "timestamp": "2024-11-14T09:32:17Z",
  "version": "1",
  "data": {
    "id": "...",
    "reference": "PO-2024-00412",
    "status": "completed",
    "completed_at": "2024-11-14T09:31:55Z"
  }
}
The data field contents above are illustrative. The exact fields for each event type are defined in the Swagger reference.

| Envelope field | Type | Description |
| --- | --- | --- |
| id | string | Unique identifier for this webhook delivery. Use it for idempotency checks. |
| event | string | The event type that triggered this delivery. |
| timestamp | string (ISO 8601) | UTC timestamp of when the event occurred in Bold. |
| version | string | Payload schema version. |
| data | object | Event-specific payload. Schema varies by event type. |

Verifying webhook signatures

Bold signs every outgoing webhook request so you can confirm the payload came from Bold and was not tampered with in transit. When you register a webhook, you provide a secret signing key. Bold uses this key to compute an HMAC-SHA256 signature of the raw request body and includes it in the X-Bold-Signature header. To verify the signature:
1. Read the raw request body

   Compute the HMAC over the raw bytes before any JSON parsing. Parsing first can alter whitespace and break the signature.

2. Compute your own HMAC-SHA256

   Use your stored signing secret as the HMAC key and the raw body as the message.

3. Compare signatures

   Compare the hex digest you computed with the value in X-Bold-Signature. Use a constant-time comparison function to prevent timing attacks.

4. Reject mismatches

   If the signatures do not match, return HTTP 401 and do not process the payload.

Never process a webhook payload without verifying its signature in production. An attacker who knows your endpoint URL could otherwise send forged events.

Handling failures and retries

Bold expects your endpoint to return an HTTP 2xx status code within a few seconds of receiving the request. If your endpoint returns a non-2xx response or times out, Bold treats the delivery as failed and retries automatically using an exponential back-off schedule. After a configurable number of failed attempts, Bold stops retrying and marks the delivery as permanently failed. You can inspect failed deliveries and trigger a manual re-delivery from Settings → Integrations → Webhooks → Delivery Log.
Acknowledge the webhook immediately by returning 200, then process the payload asynchronously using a queue or background worker. This keeps your response time short even when downstream processing is slow.
Design for idempotency. Network issues can cause duplicate deliveries even for successful events. Use the id field in the payload envelope to detect and discard duplicates before processing.
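
The signature verification steps and the acknowledge-then-queue and idempotency advice above, combined in one framework-independent handler. This is an added example, not Bold's code: the names SIGNING_SECRET, sign and handle_delivery, the in-memory queue and ID set, the bare hex header format, and the 400 returned for a signed but malformed body are all assumptions.

```python
import hashlib
import hmac
import json
import queue

# Constructed placeholder; load the real signing key from a secret store.
SIGNING_SECRET = b"example-signing-secret"

work_queue = queue.Queue()  # drained by a background worker (not shown)
seen_ids = set()            # in production: a shared store with expiry


def sign(raw_body: bytes, secret: bytes = SIGNING_SECRET) -> str:
    """Hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_delivery(raw_body: bytes, signature_header) -> int:
    """Return the HTTP status the endpoint should send for one delivery."""
    # A missing X-Bold-Signature header is rejected like a mismatch.
    if not signature_header:
        return 401
    expected = sign(raw_body).encode("ascii")
    # Assumption: the header carries the bare hex digest, any letter case.
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str.
    supplied = signature_header.strip().lower().encode("utf-8", "replace")
    if not hmac.compare_digest(expected, supplied):
        return 401

    # Only authenticated bytes reach the JSON parser.
    try:
        envelope = json.loads(raw_body)
        delivery_id = envelope["id"]
    except (ValueError, KeyError, TypeError):
        return 400  # assumed choice for a signed but malformed body
    if not isinstance(delivery_id, str):
        return 400

    # Duplicate delivery: acknowledge it, but never queue the work twice.
    if delivery_id in seen_ids:
        return 200
    seen_ids.add(delivery_id)
    work_queue.put(envelope)  # slow processing happens off the request path
    return 200
```

Pass the body exactly as your framework received it (for example the raw bytes of the request, not a re-serialized parsed object), and replace the in-memory set with a store that all receiver instances share.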

Testing webhooks during development

Your local development server is not publicly reachable, so Bold cannot deliver webhooks to localhost. Use one of these approaches while building:
Run a tunnel tool such as ngrok or Cloudflare Tunnel to expose your local port over a temporary public HTTPS URL. Register that URL in Bold’s webhook settings. Tunneling tools also show you the raw request/response, which is useful for debugging.
In Settings → Integrations → Webhooks, select your webhook and click Send test event. Bold fires a real POST to your registered URL with a sample payload so you can confirm connectivity and signature verification without waiting for a real event.
Every webhook delivery — successful or failed — is logged in Settings → Integrations → Webhooks → Delivery Log. You can view the exact headers and body Bold sent and the response your endpoint returned, making it easy to diagnose issues.