Upstash Qstash

Tooling

Core

• qstash-sdk
• upstash-console

Frameworks

• nextjs
• cloudflare-workers
• vercel-functions
• aws-lambda
• netlify-functions

Patterns

• scheduled-jobs
• delayed-messages
• webhook-fanout
• callback-verification

Related

• upstash-redis
• upstash-kafka

Patterns

Basic Message Publishing

Sending messages to be delivered to endpoints

When to use: Need reliable async HTTP calls

import { Client } from '@upstash/qstash';

const qstash = new Client({ token: process.env.QSTASH_TOKEN!, });

// Simple message to endpoint await qstash.publishJSON({ url: 'https://myapp.com/api/process', body: { userId: '123', action: 'welcome-email', }, });

// With delay (process in 1 hour) await qstash.publishJSON({ url: 'https://myapp.com/api/reminder', body: { userId: '123' }, delay: 60 * 60, // seconds });

// With specific delivery time await qstash.publishJSON({ url: 'https://myapp.com/api/scheduled', body: { report: 'daily' }, notBefore: Math.floor(Date.now() / 1000) + 86400, // tomorrow });

Scheduled Cron Jobs

Setting up recurring scheduled tasks

When to use: Need periodic background jobs without infrastructure

import { Client } from '@upstash/qstash';

const qstash = new Client({ token: process.env.QSTASH_TOKEN!, });

// Create a scheduled job const schedule = await qstash.schedules.create({ destination: 'https://myapp.com/api/cron/daily-report', cron: '0 9 * * *', // Every day at 9 AM UTC body: JSON.stringify({ type: 'daily' }), headers: { 'Content-Type': 'application/json', }, });

console.log('Schedule created:', schedule.scheduleId);

// List all schedules const schedules = await qstash.schedules.list();

// Delete a schedule await qstash.schedules.delete(schedule.scheduleId);

Signature Verification

Verifying QStash message signatures in your endpoint

When to use: Any endpoint receiving QStash messages (always!)

// app/api/webhook/route.ts (Next.js App Router) import { Receiver } from '@upstash/qstash'; import { NextRequest, NextResponse } from 'next/server';

const receiver = new Receiver({ currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY!, nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY!, });

export async function POST(req: NextRequest) { const signature = req.headers.get('upstash-signature'); const body = await req.text();

// ALWAYS verify signature const isValid = await receiver.verify({ signature: signature!, body, url: req.url, });

if (!isValid) { return NextResponse.json( { error: 'Invalid signature' }, { status: 401 } ); }

// Safe to process const data = JSON.parse(body); await processMessage(data);

return NextResponse.json({ success: true }); }

Callback for Delivery Status

Getting notified when messages are delivered or fail

When to use: Need to track delivery status for critical messages

import { Client } from '@upstash/qstash';

const qstash = new Client({ token: process.env.QSTASH_TOKEN!, });

// Publish with callback await qstash.publishJSON({ url: 'https://myapp.com/api/critical-task', body: { taskId: '456' }, callback: 'https://myapp.com/api/qstash-callback', failureCallback: 'https://myapp.com/api/qstash-failed', });

// Callback endpoint receives delivery status // app/api/qstash-callback/route.ts export async function POST(req: NextRequest) { // Verify signature first! const data = await req.json();

// data contains: // - sourceMessageId: original message ID // - url: destination URL // - status: HTTP status code // - body: response body

if (data.status >= 200 && data.status < 300) { await markTaskComplete(data.sourceMessageId); }

return NextResponse.json({ received: true }); }

URL Groups (Fan-out)

Sending messages to multiple endpoints at once

When to use: Need to notify multiple services about an event

import { Client } from '@upstash/qstash';

const qstash = new Client({ token: process.env.QSTASH_TOKEN!, });

// Create a URL group await qstash.urlGroups.addEndpoints({ name: 'order-processors', endpoints: [ { url: 'https://inventory.myapp.com/api/process' }, { url: 'https://shipping.myapp.com/api/process' }, { url: 'https://analytics.myapp.com/api/track' }, ], });

// Publish to the group - all endpoints receive the message await qstash.publishJSON({ urlGroup: 'order-processors', body: { orderId: '789', event: 'order.placed', }, });

Message Deduplication

Preventing duplicate message processing

When to use: Idempotency is critical (payments, notifications)

import { Client } from '@upstash/qstash';

const qstash = new Client({ token: process.env.QSTASH_TOKEN!, });

// Deduplicate by custom ID (within deduplication window) await qstash.publishJSON({ url: 'https://myapp.com/api/charge', body: { orderId: '123', amount: 5000 }, deduplicationId: 'charge-order-123', // Won't send again within window });

// Content-based deduplication await qstash.publishJSON({ url: 'https://myapp.com/api/notify', body: { userId: '456', message: 'Hello' }, contentBasedDeduplication: true, // Hash of body used as ID });

Sharp Edges

Not verifying QStash webhook signatures

Severity: CRITICAL

Situation: Endpoint accepts any POST request. Attacker discovers your callback URL. Fake messages flood your system. Malicious payloads processed as trusted.

Symptoms:

• No Receiver import in webhook handler
• Missing upstash-signature header check
• Processing request before verification

Why this breaks: QStash endpoints are public URLs. Without signature verification, anyone can send requests. This is a direct path to unauthorized message processing and potential data manipulation.

Recommended fix:

Always verify signatures with both keys:

import { Receiver } from '@upstash/qstash';

const receiver = new Receiver({
  currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY!,
  nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY!,
});

export async function POST(req: NextRequest) {
  const signature = req.headers.get('upstash-signature');
  const body = await req.text();  // Raw body required

  const isValid = await receiver.verify({
    signature: signature!,
    body,
    url: req.url,
  });

  if (!isValid) {
    return NextResponse.json({ error: 'Invalid signature' }, { status: 401 });
  }

  // Safe to process
}

Why two keys?

• QStash rotates signing keys
• nextSigningKey becomes current during rotation
• Both must be checked for seamless key rotation

Callback endpoint taking too long to respond

Severity: HIGH

Situation: Webhook handler does heavy processing. Takes 30+ seconds. QStash times out. Marks message as failed. Retries. Double processing begins.

Symptoms:

• Webhook timeouts in QStash dashboard
• Messages marked failed then retried
• Duplicate processing of same message

Why this breaks: QStash has a 30-second timeout for callbacks. If your endpoint doesn't respond in time, QStash considers it failed and retries. Long-running handlers create duplicate message processing and wasted retries.

Recommended fix:

Design for fast acknowledgment:

export async function POST(req: NextRequest) {
  // 1. Verify signature first (fast)
  // 2. Parse and validate message (fast)
  // 3. Queue for async processing (fast)

  const message = await parseMessage(req);

  // Don't do this:
  // await processHeavyWork(message);  // Could timeout!

  // Do this instead:
  await db.jobs.create({ data: message, status: 'pending' });
  // Or use another QStash message for the heavy work

  return NextResponse.json({ queued: true });  // Respond fast
}

Alternative: Use QStash for the heavy work

// Webhook receives trigger
await qstash.publishJSON({
  url: 'https://myapp.com/api/heavy-process',
  body: { jobId: message.id },
});
return NextResponse.json({ delegated: true });

For Vercel: Consider using Edge runtime for faster cold starts

Hitting QStash rate limits unexpectedly

Severity: HIGH

Situation: Burst of events triggers mass message publishing. QStash rate limit hit. Messages rejected. Users don't get notifications. Critical tasks delayed.

Symptoms:

• 429 errors from QStash
• Messages not being delivered
• Sudden drop in processing during peak times

Why this breaks: QStash has plan-based rate limits. Free tier: 500 messages/day. Pro: higher but still limited. Bursts can exhaust limits quickly. Without monitoring, you won't know until users complain.

Recommended fix:

Check your plan limits:

• Free: 500 messages/day
• Pay as you go: Check dashboard
• Pro: Higher limits, check dashboard

Implement rate limit handling:

try {
  await qstash.publishJSON({ url, body });
} catch (error) {
  if (error.message?.includes('rate limit')) {
    // Queue locally and retry later
    await localQueue.add('qstash-retry', { url, body });
  }
  throw error;
}

Batch messages when possible:

// Instead of 100 individual publishes
await qstash.batchJSON({
  messages: items.map(item => ({
    url: 'https://myapp.com/api/process',
    body: { itemId: item.id },
  })),
});

Monitor in dashboard:

Upstash Console shows usage and limits

Not using deduplication for critical operations

Severity: HIGH

Situation: Network hiccup during publish. SDK retries. Same message sent twice. Customer charged twice. Email sent twice. Data corrupted.

Symptoms:

• Duplicate charges or emails
• Double processing of same event
• User complaints about duplicates

Why this breaks: Network failures and retries happen. Without deduplication, the same logical message can be sent multiple times. QStash provides deduplication, but you must use it for critical operations.

Recommended fix:

Use deduplication for critical messages:

// Custom ID (best for business operations)
await qstash.publishJSON({
  url: 'https://myapp.com/api/charge',
  body: { orderId: '123', amount: 5000 },
  deduplicationId: `charge-${orderId}`,  // Same ID = same message
});

// Content-based (good for notifications)
await qstash.publishJSON({
  url: 'https://myapp.com/api/notify',
  body: { userId: '456', type: 'welcome' },
  contentBasedDeduplication: true,  // Hash of body
});

Deduplication window:

• Default: 60 seconds
• Messages with same ID in window are deduplicated
• Plan for this in your retry logic

Also make endpoints idempotent:

Check if operation already completed before processing

Expecting QStash to reach private/localhost endpoints

Severity: CRITICAL

Situation: Development works with local server. Deploy to production with internal URL. QStash can't reach it. All messages fail silently. No processing happens.

Symptoms:

• Messages show "failed" in QStash dashboard
• Works locally but fails in "production"
• Using http:// instead of https://

Why this breaks: QStash runs in Upstash's cloud. It can only reach public, internet-accessible URLs. localhost, internal IPs, and private networks are unreachable. This is a fundamental architecture requirement, not a configuration issue.

Recommended fix:

Production requirements:

• URL must be publicly accessible
• HTTPS required (HTTP will fail)
• No localhost, 127.0.0.1, or private IPs

Local development options:

Option 1: ngrok/localtunnel

ngrok http 3000
# Use the ngrok URL for QStash testing

Option 2: QStash local development mode

// In development, skip QStash and call directly
if (process.env.NODE_ENV === 'development') {
  await fetch('http://localhost:3000/api/process', {
    method: 'POST',
    body: JSON.stringify(data),
  });
} else {
  await qstash.publishJSON({ url, body: data });
}

Option 3: Use Vercel preview URLs

Preview deploys give you public URLs for testing

Using default retry behavior for all message types

Severity: MEDIUM

Situation: Critical payment webhook uses defaults. 3 retries over minutes. Payment processor is temporarily down for 15 minutes. Message marked as failed. Payment reconciliation manual work required.

Symptoms:

• Critical messages marked failed
• Manual intervention needed for retries
• Temporary outages causing permanent failures

Why this breaks: Default retry behavior (3 attempts, short backoff) works for many cases but not all. Some endpoints need more attempts, longer backoff, or different strategies. One size doesn't fit all.

Recommended fix:

Configure retries per message:

// Critical operations: more retries, longer backoff
await qstash.publishJSON({
  url: 'https://myapp.com/api/payment-webhook',
  body: { paymentId: '123' },
  retries: 5,
  // Backoff: 10s, 30s, 1m, 5m, 30m
});

// Non-critical notifications: fewer retries
await qstash.publishJSON({
  url: 'https://myapp.com/api/analytics',
  body: { event: 'pageview' },
  retries: 1,  // Fail fast, not critical
});

Consider your endpoint's recovery time:

• Database down: May need 5+ minutes
• Third-party API: May need hours
• Internal service: Usually quick

Use failure callbacks for dead letter handling:

await qstash.publishJSON({
  url: 'https://myapp.com/api/critical',
  body: data,
  failureCallback: 'https://myapp.com/api/dead-letter',
});

Sending large payloads instead of references

Severity: MEDIUM

Situation: Message contains entire document (5MB). QStash rejects - body too large. Even if accepted, slow to transmit. Expensive. Wastes bandwidth.

Symptoms:

• Message publish failures
• Slow message delivery
• High bandwidth costs

Why this breaks: QStash has message size limits (around 500KB body). Large payloads slow delivery, increase costs, and can fail entirely. Messages should be lightweight triggers, not data carriers.

Recommended fix:

Send references, not data:

// BAD: Large payload
await qstash.publishJSON({
  url: 'https://myapp.com/api/process',
  body: { document: largeDocumentContent },  // 5MB!
});

// GOOD: Reference only
await qstash.publishJSON({
  url: 'https://myapp.com/api/process',
  body: { documentId: 'doc_123' },  // Fetch in handler
});

In your handler:

export async function POST(req: NextRequest) {
  const { documentId } = await req.json();
  const document = await storage.get(documentId);  // Fetch actual data
  await processDocument(document);
}

Large data storage options:

• S3/R2/Blob storage for files
• Database for structured data
• Redis for temporary data (Upstash Redis pairs well)

Not using callback/failureCallback for critical flows

Severity: MEDIUM

Situation: Important task published. QStash delivers. Endpoint processes. But your system doesn't know it succeeded. User stuck waiting. No feedback loop.

Symptoms:

• No visibility into message delivery
• Users waiting for actions that completed
• No alerting on failures

Why this breaks: QStash is fire-and-forget by default. Without callbacks, you don't know if messages were delivered successfully. For critical flows, you need the feedback loop to update state and handle failures.

Recommended fix:

Use callbacks for critical operations:

await qstash.publishJSON({
  url: 'https://myapp.com/api/send-email',
  body: { userId: '123', template: 'welcome' },
  callback: 'https://myapp.com/api/email-callback',
  failureCallback: 'https://myapp.com/api/email-failed',
});

Handle the callback:

// app/api/email-callback/route.ts
export async function POST(req: NextRequest) {
  // Verify signature first!
  const data = await req.json();

  // data.sourceMessageId - original message
  // data.status - HTTP status code
  // data.body - response from endpoint

  await db.emailLogs.update({
    where: { messageId: data.sourceMessageId },
    data: { status: 'delivered' },
  });

  return NextResponse.json({ received: true });
}

Failure callback for alerting:

// app/api/email-failed/route.ts
export async function POST(req: NextRequest) {
  const data = await req.json();
  await alerting.notify(`Email failed: ${data.sourceMessageId}`);
  await db.emailLogs.update({
    where: { messageId: data.sourceMessageId },
    data: { status: 'failed', error: data.body },
  });
}

Cron schedules using wrong timezone

Severity: MEDIUM

Situation: Scheduled daily report at "9am". But 9am in which timezone? QStash uses UTC. Report runs at 4am local time. Users confused. Support tickets filed.

Symptoms:

• Schedules running at unexpected times
• Off-by-one-hour issues during DST
• User complaints about report timing

Why this breaks: QStash cron schedules run in UTC. If you think in local time but configure in UTC, schedules will run at unexpected times. This is especially tricky with daylight saving time changes.

Recommended fix:

QStash uses UTC:

// This runs at 9am UTC, not local time
await qstash.schedules.create({
  destination: 'https://myapp.com/api/daily-report',
  cron: '0 9 * * *',  // 9am UTC
});

Convert to UTC:

• 9am EST = 2pm UTC (winter) / 1pm UTC (summer)
• 9am PST = 5pm UTC (winter) / 4pm UTC (summer)

Document timezone in schedule name:

await qstash.schedules.create({
  destination: 'https://myapp.com/api/daily-report',
  cron: '0 14 * * *',  // 9am EST (14:00 UTC)
  body: JSON.stringify({
    timezone: 'America/New_York',
    localTime: '9:00 AM',
  }),
});

Handle DST programmatically if needed:

Update schedules when DST changes, or accept UTC timing

URL groups with dead or outdated endpoints

Severity: MEDIUM

Situation: URL group has 5 endpoints. One service deprecated months ago. Messages still fan out to it. Failures in dashboard. Wasted attempts. Slower delivery.

Symptoms:

• Failed deliveries in URL groups
• Messages to deprecated services
• Slow fan-out due to timeouts

Why this breaks: URL groups persist until explicitly updated. When services change, endpoints become stale. QStash tries to deliver to dead URLs, wastes retries, and the failure noise obscures real issues.

Recommended fix:

Audit URL groups regularly:

const groups = await qstash.urlGroups.list();
for (const group of groups) {
  console.log(`Group: ${group.name}`);
  for (const endpoint of group.endpoints) {
    // Check if endpoint is still valid
    try {
      await fetch(endpoint.url, { method: 'HEAD' });
      console.log(`  OK: ${endpoint.url}`);
    } catch {
      console.log(`  DEAD: ${endpoint.url}`);
    }
  }
}

Update groups when services change:

// Remove dead endpoint
await qstash.urlGroups.removeEndpoints({
  name: 'order-processors',
  endpoints: [{ url: 'https://old-service.myapp.com/api/process' }],
});

Automate in CI/CD:

Check URL group health as part of deployment

Validation Checks

Webhook signature verification

Severity: CRITICAL

Message: QStash webhook handlers must verify signatures using Receiver

Fix action: Add signature verification: const receiver = new Receiver({ currentSigningKey, nextSigningKey }); await receiver.verify({ signature, body, url })

Both signing keys configured

Severity: CRITICAL

Message: QStash Receiver must have both currentSigningKey and nextSigningKey for key rotation

Fix action: Configure both keys: new Receiver({ currentSigningKey: process.env.QSTASH_CURRENT_SIGNING_KEY, nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY })

QStash token hardcoded

Severity: CRITICAL

Message: QStash token must not be hardcoded - use environment variables

Fix action: Use process.env.QSTASH_TOKEN

QStash signing keys hardcoded

Severity: CRITICAL

Message: QStash signing keys must not be hardcoded

Fix action: Use process.env.QSTASH_CURRENT_SIGNING_KEY and process.env.QSTASH_NEXT_SIGNING_KEY

Localhost URL in QStash publish

Severity: CRITICAL

Message: QStash cannot reach localhost - endpoints must be publicly accessible

Fix action: Use a public URL (e.g., your deployed domain or ngrok for testing)

HTTP URL instead of HTTPS

Severity: ERROR

Message: QStash requires HTTPS URLs for security

Fix action: Change http:// to https://

QStash publish without error handling

Severity: ERROR

Message: QStash publish calls should have error handling for rate limits and failures

Fix action: Wrap in try/catch and handle errors appropriately

Using parsed JSON for signature verification

Severity: CRITICAL

Message: Signature verification requires raw body (req.text()), not parsed JSON

Fix action: Use await req.text() to get raw body for verification

Callback endpoint without signature verification

Severity: CRITICAL

Message: Callback endpoints must also verify signatures - they receive QStash requests too

Fix action: Add Receiver signature verification to callback handlers

Schedule without destination URL

Severity: ERROR

Message: QStash schedules require a destination URL

Fix action: Add destination: 'https://your-app.com/api/endpoint' to schedule options

Collaboration

Delegation Triggers

• complex workflow|multi-step|state machine -> inngest (Need durable step functions with checkpointing)
• redis queue|worker process|job priority -> bullmq-specialist (Need traditional queue with workers)
• ai background|long running ai|model inference -> trigger-dev (Need AI-specific background processing)
• deploy|vercel|production|environment -> vercel-deployment (Need deployment configuration for QStash)
• database|persistence|state|sync -> supabase-backend (Need database for job state)
• auth|user context|session -> nextjs-supabase-auth (Need user context in message handlers)

Serverless Background Jobs

Skills: upstash-qstash, nextjs-app-router, vercel-deployment

Workflow:

1. Define API route handlers (nextjs-app-router)
2. Configure QStash integration (upstash-qstash)
3. Deploy with environment vars (vercel-deployment)

Reliable Webhooks

Skills: upstash-qstash, stripe-integration, supabase-backend

Workflow:

1. Receive webhooks from Stripe (stripe-integration)
2. Queue for reliable processing (upstash-qstash)
3. Persist state to database (supabase-backend)

Scheduled Reports

Skills: upstash-qstash, email-systems, supabase-backend

Workflow:

1. Configure cron schedule (upstash-qstash)
2. Query data for report (supabase-backend)
3. Send via email system (email-systems)

Fan-out Notifications

Skills: upstash-qstash, email-systems, slack-bot-builder

Workflow:

1. Publish to URL group (upstash-qstash)
2. Email handler receives (email-systems)
3. Slack handler receives (slack-bot-builder)

Gradual Migration to Workflows

Skills: upstash-qstash, inngest

Workflow:

1. Start with simple QStash messages (upstash-qstash)
2. Identify multi-step patterns
3. Migrate complex flows to Inngest (inngest)
4. Keep simple schedules in QStash

Related Skills

Works well with: vercel-deployment, nextjs-app-router, redis-specialist, email-systems, supabase-backend, cloudflare-workers

When to Use

• User mentions or implies: qstash
• User mentions or implies: upstash queue
• User mentions or implies: serverless cron
• User mentions or implies: scheduled http
• User mentions or implies: message queue serverless
• User mentions or implies: vercel cron
• User mentions or implies: delayed message

Limitations

• Use this skill only when the task clearly matches the scope described above.
• Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
• Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.