QStash Tokens Leaked via NEXT_PUBLIC_ Prefix

Upstash QStash uses a bearer token for queue operations. Naming it `NEXT_PUBLIC_QSTASH_TOKEN` publishes it to every browser, and anyone can enqueue jobs — including paid ones.

May 3, 2026 · VibeWShield Team · 1 min read

Upstash QStash is a great serverless job queue. It uses a bearer token that grants publish rights to your queue topics. Code generated by AI tools sometimes writes that token into `.env` as:

```
NEXT_PUBLIC_QSTASH_TOKEN=eyJ...
```

This is the worst possible name for this value: the `NEXT_PUBLIC_` prefix is Next.js's explicit opt-in to client exposure, so the value is inlined into the browser bundle at build time. Rename and rotate.

Detect

```bash
# curl does not expand "*": list the chunk URLs from the page HTML first, then grep each bundle
curl -s https://your-app.com/ | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u |
  xargs -I{} curl -s "https://your-app.com{}" |
  grep -oE "eyJ[A-Za-z0-9_-]{80,}"  # QStash tokens look like JWTs
```

Any JWT-like blob in the bundle that is NOT your Clerk/Auth0 public key is suspect.
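The same two checks as a small Python lint, added here as an example (not from the article): it flags any `NEXT_PUBLIC_` variable in a `.env` file whose value matches the JWT pattern or whose name reads like a credential, skips an assumed allowlist of public-by-design names such as the Clerk publishable key, and applies the bundle grep to downloaded chunk text. The allowlist entries and the sample `.env` are constructed.

```python
import re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{80,}")   # QStash tokens look like JWTs (same pattern as the grep)
PUBLIC_PREFIX = "NEXT_PUBLIC_"                  # Next.js inlines these into the browser bundle at build time
SECRET_HINTS = ("TOKEN", "SECRET", "PRIVATE", "PASSWORD", "API_KEY")
# Assumed allowlist of public-by-design names (constructed; extend for your own stack).
KNOWN_PUBLIC = {"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY", "NEXT_PUBLIC_AUTH0_CLIENT_ID"}


def parse_dotenv(text: str):
    """Yield (name, value) pairs; handles comments, a leading `export`, and quoted values."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # strip matching quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop a trailing comment
        yield name.strip(), value


def find_exposed_secrets(text: str) -> list[str]:
    """Names Next.js would ship to the browser whose value or name looks like a credential."""
    hits = []
    for name, value in parse_dotenv(text):
        if not name.startswith(PUBLIC_PREFIX) or name in KNOWN_PUBLIC:
            continue
        if JWT_RE.fullmatch(value) or any(h in name for h in SECRET_HINTS):
            hits.append(name)
    return hits


def find_jwt_blobs(bundle_text: str) -> list[str]:
    """The curl | grep check above, applied to the text of a downloaded chunk."""
    return JWT_RE.findall(bundle_text)


# Constructed sample .env (placeholder tokens, not real credentials).
LEAKED = "eyJ" + "A" * 90
SERVER_ONLY = "eyJ" + "B" * 90
SAMPLE_ENV = f"""# generated by an AI tool
NEXT_PUBLIC_QSTASH_TOKEN="{LEAKED}"
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_placeholder
export QSTASH_TOKEN={SERVER_ONLY}  # server-only, fine
NEXT_PUBLIC_SITE_NAME=My App
"""

if __name__ == "__main__":
    print(find_exposed_secrets(SAMPLE_ENV))   # ['NEXT_PUBLIC_QSTASH_TOKEN']
```

Run it against each `.env*` file in CI before `next build`; a non-empty result should fail the pipeline.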

Impact

  • Attacker publishes arbitrary events to your queue.
  • Your queued handlers act on them — expensive ones (send email, run AI prompt, charge Stripe).
  • Quota exhausted, bill inflated, and the trust your handlers place in queued messages broken.

Fix

  1. Rotate the token in Upstash.
  2. Rename env to QSTASH_TOKEN (server-only).
  3. Move every usage to app/api/* route handlers or server actions.
  4. Add signature verification on the QStash callback side so that even a leaked token cannot push rogue events back to you.
