internal-key.middleware.ts
Cloudflare Worker and cron jobs are not users. They don’t have Google accounts or JWTs.
They send a secret header instead:
x-internal-key: YOUR_NOTIFICATION_WORKER_KEYThis middleware compares the header to env.NOTIFICATION_WORKER_KEY.
Used on
/internal/notifications/*routes
Security note
- Key must stay secret (only worker + server
.env). - Never expose in frontend bundles.
- Rotate key if leaked.
Wrong or missing key → 401 (same family as auth failures).
Last updated on