> ## Documentation Index
> Fetch the complete documentation index at: https://upstash-vector.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify Signatures

We send a JWT with each request. This JWT is signed by your individual secret
signing keys and sent in the `Upstash-Signature` HTTP header.

To verify the jwt you can choose from a
[wide array of open source libraries](https://jwt.io/libraries), or roll your
own solution.

## Claims

All claims in the JWT are listed [here](/qstash/features/security#claims)

## Verifying

The exact implementation depends on the language of your choice and the library
if you use one.

Instead here are the steps you need to follow:

1. Split the JWT into its header, payload and signature
2. Verify the signature
3. Decode the payload and verify the claims
   * `iss`: The issuer must be`Upstash`.
   * `sub`: The subject must the url of your API.
   * `exp`: Verify the token has not expired yet.
   * `nbf`: Verify the token is already valid.
   * `body`: Hash the raw request body using `SHA-256` and compare it with the
     `body` claim.

You can also reference the implementation in our
[typescript sdk](https://github.com/upstash/sdk-qstash-ts/blob/main/src/receiver.ts#L82).

After you have verified the signature and the claims, you can be sure the
request came from Upstash and process it accordingly.
