QStash messages can contain private data that you don't want visible in the Upstash Console or in API responses. QStash allows you to redact specific fields so they appear as REDACTED:<SHA256> in the dashboard and API. The original values are still used when delivering messages to your endpoint. The SHA256 hash lets you check whether two values are the same without revealing the original data.

To redact a field, pass the redactFields option when publishing a message. Available options:

| Option | Description |
| --- | --- |
| body | Redact the body of the message |
| headers | Redact the headers of the message |
| headers[header_name] | Redact a specific header (e.g., headers[Authorization]) |

Redaction is one-way. Once a field is redacted, the original value cannot be retrieved from the API or dashboard.
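
```typescript
import { Client } from "@upstash/qstash";

const client = new Client({ token: "<QSTASH_TOKEN>" });

// Publish a message whose body and Authorization header are shown
// as REDACTED:<SHA256> in the dashboard and API responses.
const res = await client.publishJSON({
  url: "https://my-api...",
  body: { hello: "world" },
  redactFields: {
    body: true,
    header: ["Authorization"]
  },
});
```
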
Redaction is configured per message, so you can redact different fields for different messages. If a message fails and moves to the DLQ, the redacted fields remain redacted in the DLQ. However, when you retry a DLQ message, QStash delivers the original values to your endpoint.

Schedules

You can also redact fields in schedules. Pass the redactFields option when creating a schedule, and all messages produced by that schedule will have the specified fields redacted. Schedule get and list endpoints also apply redaction, so private data won’t appear in API responses or the dashboard.

```typescript
import { Client } from "@upstash/qstash";

const client = new Client({ token: "<QSTASH_TOKEN>" });

// Every message produced by this schedule has its body and
// Authorization header redacted.
const res = await client.schedule.create({
  name: "my-schedule",
  cron: "0 * * * *",
  url: "https://my-api...",
  body: { hello: "world" },
  redactFields: {
    body: true,
    header: ["Authorization"]
  },
});
```

When updating a redacted schedule via the dashboard or API, you must provide the original values for the redacted fields. If you don't provide the original values, the redacted fields will be saved as REDACTED:<SHA256>, which is the hash value visible in the dashboard, not the original data.
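
One way to guard against that update pitfall, as an added example that is not part of the Upstash documentation or SDK: before sending an update built from a schedule you read back, check that no field still holds a REDACTED:<SHA256> placeholder. The schedule shape (`body` as a string, `header` as a map of name to value arrays), the function names and the sample values are assumptions.

```javascript
// Added example (hypothetical helper names; schedule shape is assumed).
const PLACEHOLDER = /^REDACTED:\S+$/;

// Return the path of every field that still holds a REDACTED:<SHA256> placeholder.
function findRedactedPlaceholders(update) {
  const hits = [];
  const visit = (value, path) => {
    if (typeof value === "string") {
      if (PLACEHOLDER.test(value.trim())) hits.push(path);
    } else if (Array.isArray(value)) {
      value.forEach((v, i) => visit(v, `${path}[${i}]`));
    } else if (value !== null && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) visit(v, `${path}.${k}`);
    }
  };
  visit(update.body, "body");
  visit(update.header ?? {}, "header");
  return hits;
}

// Merge caller-supplied originals over the fetched schedule, then refuse to
// continue if a placeholder would still be written back as the stored value.
function buildScheduleUpdate(fetched, originals) {
  const update = {
    ...fetched,
    ...originals,
    header: { ...(fetched.header ?? {}), ...(originals.header ?? {}) },
  };
  const leftover = findRedactedPlaceholders(update);
  if (leftover.length > 0) {
    throw new Error(`Original values missing for: ${leftover.join(", ")}`);
  }
  return update;
}

// Constructed sample: a redacted schedule as it might look when read back.
const fetchedSchedule = {
  cron: "0 * * * *",
  body: "REDACTED:<constructed-digest>",
  header: {
    Authorization: ["REDACTED:<constructed-digest>"],
    "Content-Type": ["application/json"],
  },
};
```

Pass the object returned by `buildScheduleUpdate` to your update call only after it returns without throwing; the originals should come from your own secret store, since they cannot be read back from QStash.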