Skip to content


At Dispatch, security is a top priority. We are committed to respect and implement security best practices and ensure your data is safe. We believe that a strong security stance is the only way to merit the trust of our users.

Secured communication between applications and Dispatch

The communication between the application endpoints and Dispatch is encrypted via TLS. On top of this TLS layer, we leverage two keys to secure the communication:

  • Authentication key: The authentication key, exposed to the application through the environment variable DISPATCH_API_KEY is used to authenticate the request your applications will send to Dispatch. Note that we do not store any of the API keys.

  • Verficiation key: The verification key, exposed to the application through the environment variable DISPATCH_VERIFICATION_KEY is used by your application to verify requests from Dispatch.

Dispatch uses the HTTP Message Signature standard to sign run requests. The signature covers the request method, the URL host and path, the Content-Type header, and the request body and uses a asymetric ED25519 key pair. Since your applications only verify those requests, you only have access to the public key. The Dispatch scheduler is the only entity with the permissions to access the private key.

Data encryption at rest

All the data stored by Dispatch (i.e function execution states) are fully encrypted at rest. Dispatch does not store anything on cloud disk and exclusively make use of blob storage (AWS S3) or hosted database services (i.e AWS RDS) to store data. Data in the blog storage is encrypted server-side using SSE-S3 keys.

Security practices

We are working toward our SOC2 Type II compliance. In the meantime, we believe in transparency and we are happy to answer any security questions you might have. Reach out to us at