Roll Your Signing Keys

Because your API needs to be publicly accessible from the internet, you should make sure to verify the authenticity of each request.

Upstash provides a JWT with each request. This JWT is signed by your individual secret signing keys.

We are using 2 signing keys:

  • current: This is the key used to sign the JWT.
  • next: This key will be used to sign after you have rolled your keys.

If we were using only a single key, there would be a window between the moment you roll your keys and the moment you update the key in your applications, and requests arriving in that window would fail verification. To minimize downtime, we use 2 keys, and you should always try to verify with both keys.

What happens when I roll my keys?

When you roll your keys, the current key will be replaced with the next key and a new next key will be generated.

currentKey = nextKey
nextKey = generateNewKey()

Caution: Rolling your keys twice without updating your applications will cause your apps to reject all requests, because both the current and next keys will have been replaced.
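
The two-key check and the double-roll failure described above, as an added example that is not Upstash's own code. It assumes the JWT is signed with HS256 using the signing key's UTF-8 bytes; the function names and the keys `sig_k1` to `sig_k3` are constructed for illustration, and claim checks beyond `exp` are omitted.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: str) -> str:
    """Build a constructed sample token; stands in for the sender."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{b64url_encode(mac.digest())}"

def verify_with_key(token: str, key: str, now: float):
    """Return the claims if `token` is a valid, unexpired HS256 JWT for `key`."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm (assumed HS256); never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    want = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def verify_request(token, current_key, next_key, now=None):
    """Try the current key, then the next key; report which one matched."""
    now = time.time() if now is None else now
    for name, key in (("current", current_key), ("next", next_key)):
        claims = verify_with_key(token, key, now)
        if claims is not None:
            return name, claims
    return None

# Constructed keys: the app is configured with k1/k2 while the sender rolls.
APP_CURRENT, APP_NEXT, KEY_AFTER_SECOND_ROLL = "sig_k1", "sig_k2", "sig_k3"
for signer in (APP_CURRENT, APP_NEXT, KEY_AFTER_SECOND_ROLL):
    token = sign_hs256({"exp": 2000}, signer)
    print(signer, verify_request(token, APP_CURRENT, APP_NEXT, now=1000))
```

A match on the next key means the keys have been rolled once and the application's configuration should be updated before the next roll.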

How to roll your keys

Rolling your keys can be done by going to the QStash UI and clicking on the "Roll keys" button.