We send a JWT with each request. This JWT is signed by your individual secret signing keys and sent in the Upstash-Signature HTTP header. To verify the jwt you can choose from a wide array of open source libraries, or roll your own solution.

Claims

All claims in the JWT are listed here

Verifying

The exact implementation depends on the language of your choice and the library if you use one. Instead here are the steps you need to follow:
  1. Split the JWT into its header, payload and signature
  2. Verify the signature
  3. Decode the payload and verify the claims
    • iss: The issuer must beUpstash.
    • sub: The subject must the url of your API.
    • exp: Verify the token has not expired yet.
    • nbf: Verify the token is already valid.
    • body: Hash the raw request body using SHA-256 and compare it with the body claim.
You can also reference the implementation in our typescript sdk or use the methods provided in the SDKs: 
import { Receiver } from "@upstash/qstash";

const receiver = new Receiver({
  currentSigningKey: "YOUR_CURRENT_SIGNING_KEY",
  nextSigningKey: "YOUR_NEXT_SIGNING_KEY",
});

// ... in your request handler

const signature = req.headers["Upstash-Signature"];
const body = req.body;

const isValid = receiver.verify({
  body,
  signature,
  url: "YOUR-SITE-URL",
});
After you have verified the signature and the claims, you can be sure the request came from Upstash and process it accordingly.