Production Deployment

Functions are remotely orchestrated by the Dispatch platform. To authenticate the origin of requests, Dispatch uses asymmetric signing: the platform signs the executions, and your application verifies those signatures using a verification key.

Dispatch uses Ed25519 asymmetric keys and the HTTP Message Signatures standard to provide a high level of security.

Creating a verification key

Functions are run remotely by the Dispatch platform. Dispatch signs every request it sends to your application with an asymmetric key that must be created upfront. This step only needs to be done once. Remember to replace DISPATCH_API_KEY with the key you created in the previous step:

curl -s \
    -d '{}' \
    -H "Authorization: Bearer $DISPATCH_API_KEY" \
    -H "Content-Type: application/json" \
    https://api.dispatch.run/dispatch.v1.SigningKeyService/CreateSigningKey | \
        jq .key.asymmetricKey.publicKey

The output would look something like this:

"-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n"

Note that the value is a public key; it can be safely stored in source code or configuration without exposing your application to security risks.

Configuration

The Dispatch API key should be treated as a sensitive value. When deploying to production, store it in a secret store and expose it to the application via environment variables.

The SDK recognizes the following environment variables:

| Environment Variable | Example Value |
| --- | --- |
| DISPATCH_API_KEY | d4caSl21a5wdx5AxMjdaMeWehaIyXVnN |
| DISPATCH_ENDPOINT_URL | https://service.domain.com |
| DISPATCH_VERIFICATION_KEY | -----BEGIN PUBLIC KEY-----... |

Remember to instantiate the Dispatch object with the default configuration to use environment variables instead of the values defined in the code.
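
What checking a signature against this key involves, as an added example in Go using only the standard library; it is not the Dispatch SDK's code. `ParseVerificationKey` and `VerifySignature` are hypothetical names, the key pair and signature base in `main` are constructed, and the example does not assume which request components Dispatch covers in its signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ParseVerificationKey (hypothetical helper) loads the PEM public key from a
// value such as DISPATCH_VERIFICATION_KEY. It also accepts the JSON-quoted
// form that jq prints, where each newline is the two characters `\n`.
func ParseVerificationKey(raw string) (ed25519.PublicKey, error) {
	raw = strings.Trim(strings.TrimSpace(raw), `"`)
	raw = strings.ReplaceAll(raw, `\n`, "\n")
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse public key: %w", err)
	}
	key, ok := pub.(ed25519.PublicKey)
	if !ok { // reject RSA/ECDSA keys rather than accept another algorithm
		return nil, errors.New("verification key is not Ed25519")
	}
	return key, nil
}

// VerifySignature (hypothetical helper) checks an Ed25519 signature over a
// signature base; a missing or malformed key fails closed.
func VerifySignature(key ed25519.PublicKey, signatureBase, sig []byte) bool {
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(key, signatureBase, sig)
}

func main() {
	// Constructed key pair and signature base standing in for the platform.
	pub, priv, _ := ed25519.GenerateKey(nil)
	der, _ := x509.MarshalPKIXPublicKey(pub)
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	quoted := `"` + strings.ReplaceAll(pemText, "\n", `\n`) + `"` // as jq prints it
	base := []byte("\"@method\": POST\n\"@signature-params\": (\"@method\");created=1700000000")
	sig := ed25519.Sign(priv, base)
	key, err := ParseVerificationKey(quoted)
	fmt.Println(err, VerifySignature(key, base, sig), VerifySignature(key, append(base, '!'), sig))
}
```

If the key fails to parse at startup, refuse to serve requests instead of continuing without verification.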

©️ Stealth Rocket, Inc. All rights reserved.