When receiving a message from QStash, you should verify the signature. The QStash Python SDK provides a helper function for this.

from upstash_qstash import Receiver

receiver = Receiver({
  "current_signing_key": "YOUR_CURRENT_SIGNING_KEY",
  "next_signing_key": "YOUR_NEXT_SIGNING_KEY",
})

# ... in your request handler

signature, body = req.headers["Upstash-Signature"], req.body

is_valid = receiver.verify({
  "body": body,
  "signature": signature,
  "url": "YOUR-SITE-URL"
})