Webhooks

Wire Collecta into your systems, both ways.

Push signed, retried events out to your services the moment records change — and accept inbound payloads on a public endpoint that maps straight into your module fields.

Outbound

Events out, signed and retried.

Collecta fires an HTTP POST to your endpoint whenever a record changes — with a signature you can verify and automatic retries if you miss it.

5 event types

Subscribe an endpoint to any of the events Collecta emits as your data changes.

record_created: A new record is added to a module.
record_updated: An existing record's fields change.
record_deleted: A record is removed from a module.
status_change: A status field transitions to a new state.
custom_data_updated: The custom_data payload of a record changes.

HMAC-SHA256 signature

Every request carries an X-Webhook-Signature header: an HMAC-SHA256 of the raw body keyed with your secret, to be verified with a timing-safe comparison.

POST https://you.example.com/hooks
Content-Type: application/json
X-Webhook-Signature: sha256=3a7bd3e2…
{ "event": "record_created" }
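
A receiver-side check for the signature described above, as an added example (not Collecta's own code). It assumes the value after "sha256=" is a hex digest, as the sample header suggests; the secret, the function names and the 401 response are constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="
SECRET = b"constructed-example-secret"        # constructed sample value
BODY = b'{ "event": "record_created" }'       # raw bytes exactly as received


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build a header value in the page's format (hex encoding is an assumption)."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over raw_body."""
    if not isinstance(header_value, str) or not header_value.startswith(SIG_PREFIX):
        return False  # missing header or unknown scheme: reject
    received = header_value[len(SIG_PREFIX):].strip().lower()
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not return early at the first differing byte
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict):
    """Hypothetical handler: verify the raw bytes first, parse JSON only afterwards."""
    if not verify_signature(secret, raw_body, headers.get("X-Webhook-Signature")):
        return 401, None
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Webhook-Signature": sign(SECRET, BODY)}
    print(handle_delivery(SECRET, BODY, good))
    # Re-serialising the JSON changes the bytes, so the same signature fails.
    reserialised = json.dumps(json.loads(BODY)).encode()
    print(handle_delivery(SECRET, reserialised, good))
```

Verify before any JSON parsing or body-rewriting middleware runs, since the HMAC covers the exact bytes received.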

Retries & backoff

Each delivery has a 30-second timeout. Failures retry with exponential backoff, up to retry_max attempts (default 5).

Retry 1: after 60s
Retry 2: after 120s
Retry 3: after 240s
Retry 4: after 480s
Retry 5: after 960s

Delivery history

Every attempt — request, response status and timing — is stored in webhook_deliveries, so you can audit and replay what happened.

SSRF protection

Destination URLs are validated before delivery to block requests to internal and private network addresses.

Inbound

Receive data into your modules.

Expose a public endpoint per module, then map the incoming payload onto your fields — Collecta creates or updates the record for you.

Public endpoint

Post to a per-module URL secured by a token, rate limited to 60 requests/min, with optional timing-safe HMAC verification.

POST /api/webhooks/:moduleSlug/:token
X-Webhook-Signature: sha256=… (optional)
202 Accepted
{ "recordId": "rec_18f…" }

Field mapping

Translate keys from the inbound payload onto your module fields. Collecta writes the mapped values into a new or matched record.

$.payload.sku → product_code
$.payload.qty → quantity
$.payload.station → work_center

FAQ

Webhook questions.

Every outbound delivery includes an X-Webhook-Signature header containing an HMAC-SHA256 of the raw request body, keyed with your endpoint's secret. Recompute the HMAC on your side over the exact bytes you received and compare it using a timing-safe equality check. If it doesn't match, reject the request.

Collecta gives each delivery a 30-second timeout. If it fails, the delivery is retried with exponential backoff at 60, 120, 240, 480 and 960 seconds — up to retry_max attempts (default 5). Every attempt is recorded in the full delivery history (webhook_deliveries) so you can inspect status codes and payloads.

Post to the public endpoint /api/webhooks/:moduleSlug/:token (rate limited to 60 requests per minute, with optional timing-safe HMAC verification). Field mapping rules translate keys from the incoming payload into your module's fields, and Collecta creates or updates the matching record.

Connect Collecta to everything you run.

Tell us which systems need to talk to your modules and we'll map the webhooks with you.