When interacting with the QStash API, you will need an authorization token. You can get your token from the Console.
Send this token along with every request made to
QStash inside the
Authorization header like this:
"Authorization": "Bearer <QSTASH_TOKEN>"
Request Signing (optional)
Because your endpoint needs to be publicly available, we recommend you verify the authenticity of each incoming request.
With each request we are sending a JWT inside the
You can learn more about them here.
An example token would be:
The JWT is signed using
HMAC SHA256 algorithm with your current signing key
and includes the following claims:
The issuer field is always
The url of your endpoint, where this request is sent to.
For example when you are using a nextjs app on vercel, this would look something
A unix timestamp in seconds after which you should no longer accept this request. Our JWTs have a lifetime of 5 minutes by default.
A unix timestamp in seconds when this JWT was created.
A unix timestamp in seconds before which you should not accept this request.
A unique id for this token.
The body field is a base64 encoded sha256 hash of the request body. We use url encoding as specified in RFC 4648.