When interacting with the QStash API, you will need an authorization token. You can get your token from the Console.
Send this token along with every request made to QStash
inside the
Authorization
header like this:
Because your endpoint needs to be publicly available, we recommend you verify the authenticity of each incoming request.
Upstash-Signature
headerWith each request we are sending a JWT inside the Upstash-Signature
header.
You can learn more about them here.
An example token would be:
Header
Payload
The JWT is signed using HMAC SHA256
algorithm with your current signing key
and includes the following claims:
iss
The issuer field is always Upstash
.
sub
The url of your endpoint, where this request is sent to.
For example when you are using a nextjs app on vercel, this would look something
like https://my-app.vercel.app/api/endpoint
exp
A unix timestamp in seconds after which you should no longer accept this request. Our JWTs have a lifetime of 5 minutes by default.
iat
A unix timestamp in seconds when this JWT was created.
nbf
A unix timestamp in seconds before which you should not accept this request.
jti
A unique id for this token.
body
The body field is a base64 encoded sha256 hash of the request body. We use url encoding as specified in RFC 4648.
See how to verify the signature.
When interacting with the QStash API, you will need an authorization token. You can get your token from the Console.
Send this token along with every request made to QStash
inside the
Authorization
header like this:
Because your endpoint needs to be publicly available, we recommend you verify the authenticity of each incoming request.
Upstash-Signature
headerWith each request we are sending a JWT inside the Upstash-Signature
header.
You can learn more about them here.
An example token would be:
Header
Payload
The JWT is signed using HMAC SHA256
algorithm with your current signing key
and includes the following claims:
iss
The issuer field is always Upstash
.
sub
The url of your endpoint, where this request is sent to.
For example when you are using a nextjs app on vercel, this would look something
like https://my-app.vercel.app/api/endpoint
exp
A unix timestamp in seconds after which you should no longer accept this request. Our JWTs have a lifetime of 5 minutes by default.
iat
A unix timestamp in seconds when this JWT was created.
nbf
A unix timestamp in seconds before which you should not accept this request.
jti
A unique id for this token.
body
The body field is a base64 encoded sha256 hash of the request body. We use url encoding as specified in RFC 4648.
See how to verify the signature.