AgentOS Work docs. Updated March 11, 2026

Security Advisory: Inngest Webhook Endpoint Authorization

Severity: High
Affected versions: All versions prior to v1.0.10
Fixed in: v1.0.10 (configuration change required — no code update needed)


Summary

The Inngest client (src/inngest/client.ts) does not pass INNGEST_SIGNING_KEY or INNGEST_EVENT_KEY explicitly; it relies on the Inngest SDK v3 reading them from the environment at initialization. If these variables are absent from the deployed environment, the /api/inngest webhook endpoint accepts unsigned, unauthenticated requests from any source.

In practice this means any party who can reach your /api/inngest endpoint over the network can invoke your background functions, with request data of their choosing, without any authorization.


Affected Components

File                      Role
src/inngest/client.ts     Inngest client instantiation; relies on env var auto-detection
src/instrumentation.ts    Checks for INNGEST_SIGNING_KEY for auto-sync only; does not enforce webhook security
/api/inngest              The webhook handler endpoint exposed to Inngest's servers

Root Cause

Inngest SDK v3 automatically reads INNGEST_SIGNING_KEY and INNGEST_EVENT_KEY from the environment when the client is initialized. This is a valid pattern, but it creates a silent failure mode: if the variables are not configured, the SDK initializes without signature verification rather than throwing an error.

src/instrumentation.ts does check for INNGEST_SIGNING_KEY at startup, but only to gate the auto-sync feature: when the key is absent it skips auto-sync and lets the application boot, so the webhook endpoint keeps serving requests without signature verification.
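The silent failure mode above is a fail-open default. It can be turned into a fail-closed one with a startup guard that refuses to boot a production deployment without both keys. The following is an added example written for this advisory, not code from this project or from the Inngest SDK; the function names, the use of NODE_ENV as the production switch, and the "signkey-" prefix check (based on the dashboard key format shown under How to Fix) are assumptions of the example.

```typescript
// Added example (not project code): a fail-fast guard for the Inngest keys.
// Assumption: this would be called from a startup hook such as
// src/instrumentation.ts, before the Inngest client is created.

export interface InngestKeys {
  signingKey: string;
  eventKey: string;
}

export interface KeyCheckResult {
  ok: boolean;
  missing: string[];   // variables that are absent or empty
  malformed: string[]; // variables present but not in the expected shape
}

// Signing keys are shown in the Inngest dashboard with a "signkey-" prefix
// (the advisory's sample is signkey-prod-...). Treating anything else as
// malformed is an assumption of this example, not an SDK rule.
const SIGNING_KEY_PREFIX = "signkey-";

export function checkInngestKeys(
  env: Record<string, string | undefined>,
): KeyCheckResult {
  const missing: string[] = [];
  const malformed: string[] = [];

  const signingKey = env.INNGEST_SIGNING_KEY?.trim();
  const eventKey = env.INNGEST_EVENT_KEY?.trim();

  if (!signingKey) missing.push("INNGEST_SIGNING_KEY");
  else if (!signingKey.startsWith(SIGNING_KEY_PREFIX)) malformed.push("INNGEST_SIGNING_KEY");

  if (!eventKey) missing.push("INNGEST_EVENT_KEY");

  return { ok: missing.length === 0 && malformed.length === 0, missing, malformed };
}

// Fail closed: in production, refuse to start without both keys. Outside
// production (local development against the Inngest dev server) only warn,
// so the app still boots. NODE_ENV is the production switch here (an
// assumption); the SDK's own dev-mode detection is not replicated.
export function requireInngestKeys(
  env: Record<string, string | undefined>,
  warn: (msg: string) => void = (m) => console.warn(m),
): InngestKeys | undefined {
  const result = checkInngestKeys(env);
  if (result.ok) {
    return {
      signingKey: env.INNGEST_SIGNING_KEY!.trim(),
      eventKey: env.INNGEST_EVENT_KEY!.trim(),
    };
  }

  const detail = [
    result.missing.length ? `missing: ${result.missing.join(", ")}` : "",
    result.malformed.length ? `malformed: ${result.malformed.join(", ")}` : "",
  ]
    .filter(Boolean)
    .join("; ");

  if (env.NODE_ENV === "production") {
    throw new Error(
      `Refusing to start: Inngest webhook signing is not configured (${detail})`,
    );
  }
  warn(`Inngest keys not fully configured (${detail}); /api/inngest will not verify signatures`);
  return undefined;
}
```

Calling requireInngestKeys(process.env) once at startup, and passing the returned values to the client, turns a missing key from a silent downgrade into a failed deploy, which is the behaviour you want from anything that gates an authentication check.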


How to Fix

No code changes are required. You only need to ensure the following environment variables are configured in every deployment that Inngest's servers can reach, non-production environments included:

# Required for Inngest webhook signature verification
INNGEST_SIGNING_KEY=signkey-prod-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Required for authenticating outbound event sends to Inngest
INNGEST_EVENT_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can obtain both values from the Inngest dashboard under Settings → API Keys.

Steps

  1. Log in to your Inngest dashboard.
  2. Navigate to Settings → API Keys.
  3. Copy the Signing Key and Event Key for your production environment.
  4. Add both as environment variables to your hosting platform (e.g. Vercel, Railway, AWS, etc.).
  5. Redeploy your application so the new environment variables are picked up.
  6. Verify in the Inngest dashboard that your deployment shows signature verification as active.

Verification

After deployment, you can confirm the fix is in place by:

  • Checking that the Inngest dashboard marks your deployment as verified/signed.
  • Sending a test request to /api/inngest without a valid signature — it should return a 401 or 403 response.
  • Reviewing application startup logs: when INNGEST_SIGNING_KEY is detected, src/instrumentation.ts emits no warning; conversely, a warning from src/instrumentation.ts that the key is missing means the new environment variables have not reached the running process.
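The second check above, an unsigned request being rejected, only holds if the handler fails closed when no key is configured. The following added example shows what that looks like: an HMAC webhook verifier that rejects requests when the signing key is absent rather than skipping verification, plus the unsigned probe from the list above. This is illustrative code written for this advisory, not Inngest's implementation; the header name, the "t=<unix seconds>&s=<hex hmac>" layout, the prefix stripping and the five-minute tolerance are an assumed scheme, and you should consult the Inngest SDK for its actual wire format.

```typescript
// Added example (not Inngest's code): a fail-closed HMAC webhook verifier
// and the "unsigned request must be rejected" probe from the Verification list.
import { createHmac, timingSafeEqual } from "node:crypto";

const SIGNATURE_HEADER = "x-inngest-signature"; // assumed header name
const MAX_SKEW_SECONDS = 5 * 60;                 // reject stale or replayed signatures

export interface WebhookRequest {
  headers: Record<string, string | undefined>;
  body: string; // the raw body exactly as received; never a re-serialised form
}

export type VerifyResult =
  | { status: 200 }
  | { status: 401 | 500; reason: string };

// The dashboard prefix (signkey-prod-...) is stripped before keying the HMAC
// and the remainder is treated as the secret. This is an assumption of the
// example, not a statement about the SDK.
function hmacHex(signingKey: string, body: string, ts: number): string {
  const secret = signingKey.replace(/^signkey-[a-z]+-/, "");
  return createHmac("sha256", secret).update(body).update(String(ts)).digest("hex");
}

// Produces the header value a legitimate caller would send (used by the test).
export function signRequest(signingKey: string, body: string, ts: number): string {
  return `t=${ts}&s=${hmacHex(signingKey, body, ts)}`;
}

export function verifyWebhook(
  req: WebhookRequest,
  signingKey: string | undefined,
  now: number = Math.floor(Date.now() / 1000),
): VerifyResult {
  // Fail closed: a missing key is a deployment error, not "skip verification".
  if (!signingKey) return { status: 500, reason: "signing key not configured" };

  const header = req.headers[SIGNATURE_HEADER];
  if (!header) return { status: 401, reason: "missing signature header" };

  const params = new URLSearchParams(header);
  const ts = Number(params.get("t"));
  const sig = params.get("s") ?? "";
  if (!Number.isInteger(ts) || !/^[0-9a-f]{64}$/.test(sig)) {
    return { status: 401, reason: "malformed signature header" };
  }
  if (Math.abs(now - ts) > MAX_SKEW_SECONDS) {
    return { status: 401, reason: "signature timestamp outside tolerance" };
  }

  // Constant-time comparison of the expected and provided MACs.
  const expected = Buffer.from(hmacHex(signingKey, req.body, ts), "hex");
  const provided = Buffer.from(sig, "hex");
  if (expected.length !== provided.length || !timingSafeEqual(expected, provided)) {
    return { status: 401, reason: "signature mismatch" };
  }
  return { status: 200 };
}

// The advisory's probe: an unsigned request must never reach the function.
// Returns true when the verifier rejects it (401, or 500 for a missing key)
// and false if the request would have been executed.
export function probeRejectsUnsigned(signingKey: string | undefined): boolean {
  const result = verifyWebhook({ headers: {}, body: '{"event":"probe"}' }, signingKey);
  return result.status !== 200;
}
```

The distinction that matters for this advisory is the first line of verifyWebhook: an unset key produces an error response, not a pass. Returning 500 rather than 401 for that case makes a misconfigured deployment visible in monitoring as a server fault rather than blending in with ordinary rejected requests.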

Timeline

  • Identified: v1.0.10 release cycle
  • Disclosed: v1.0.10 release notes
  • Remediation: Set INNGEST_SIGNING_KEY and INNGEST_EVENT_KEY in production — no SDK or code update required
