Feature Roundup: February

Posted on the 14th of February, 2025


February 2025: New Q-Flow Features

We’re excited to share a set of new capabilities in Q-Flow that amplify security, streamline event management, and give you greater control over your data. These updates—Webhook Signing Keys, Secret Rotation, Sources (Ingress Webhook Proxying), and Advanced Query—boost the ways you can tailor and protect your notification workflows. Let’s walk through each one!

1. Webhook Signing Keys

What It Is
Webhooks play a crucial role in integrating Q-Flow events with external systems. To ensure secure communication, Q-Flow utilizes webhook secrets and digital signatures to validate the authenticity and integrity of incoming webhook requests. This layer of protection guards against tampering, replay attacks, and other security vulnerabilities.

Why Validate Webhook Signatures?

  1. Compliance and Security: Confirm the webhook truly comes from Q-Flow and hasn’t been altered in transit.
  2. Protection Against Replay Attacks: Validate Qflow-TimeStamp against your own acceptable time window (e.g., 5 minutes) to block reused requests.
  3. Additional Considerations: Always compare signatures with a constant-time comparison method to avoid timing attacks, and rotate your webhook secrets regularly to maintain strong security.

Validating and rotating your webhook signatures regularly helps maintain data integrity and compliance, ensuring your Q-Flow integrations remain secure and robust.

An image showing the Q-Flow headers stipulating the Q-Flow timestamp, Request ID and Signature.

How It Works:
Simply generate or configure your Signing Key in Q-Flow. For every event Q-Flow sends, the payload includes a signature you can validate on your side. If the signatures match, you know the data is authentic and unmodified.

For more information and examples to validate the signature, check out this link.

2. Rotate Signing Secrets

What It Is
Managing and rotating the secrets used to sign your webhooks is critical for maintaining robust security over time. We’ve introduced a Secret Rotation feature that allows you to periodically update and refresh your signing secrets in Q-Flow.

Why It Matters

  • Proactive Security: Changing secrets frequently minimizes the attack window for unauthorized access.
  • Less Downtime: Rotate secrets without disrupting existing workflows, ensuring business continuity.
  • Ease of Management: Quickly update secrets and keep integrations current and well-protected.
Image showing the ability to successfully view, copy and rotate your webhook signing secrets from Q-Flow.

How It Works
Within your webhook configuration, you can now seamlessly rotate in new secrets and phase out old ones. Subscribers can verify incoming requests against the new secret as soon as it’s active. This helps maintain continuous security with minimal operational overhead. Don’t worry, we’ll send both the new and incumbent keys for a period of 7 days to ensure downstream systems have enough time to leverage the new key.
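A receiver-side check covering both the signature validation in section 1 and the rotation overlap described above, as an added example that is not Q-Flow's own code. Only the Qflow-TimeStamp header name comes from this post; the other header names, the Unix-seconds timestamp, the comma-separated signature list and the HMAC-SHA256 construction are assumptions to replace with the values from the Q-Flow documentation.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # the 5-minute window suggested in the post

# ASSUMED names and formats (not from Q-Flow docs): only Qflow-TimeStamp is
# named on the page; the other header names, Unix-seconds timestamps and
# hex HMAC-SHA256 over "<timestamp>.<body>" are placeholders.
TS_HEADER, SIG_HEADER, ID_HEADER = "Qflow-TimeStamp", "Qflow-Signature", "Qflow-Request-Id"

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(headers, body, secrets, now=None, seen_ids=None):
    """Return (accepted, reason). `secrets` holds every currently valid
    signing secret, i.e. new and incumbent during the rotation overlap."""
    now = time.time() if now is None else now
    ts = headers.get(TS_HEADER, "")
    try:
        age = abs(now - int(ts))
    except ValueError:
        return False, "bad timestamp"
    if age > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    presented = [s.strip() for s in headers.get(SIG_HEADER, "").split(",") if s.strip()]
    matched = False
    for secret in secrets:
        expected = sign(secret, ts, body).encode()
        for sig in presented:
            # compare_digest is constant-time; no early exit on a match
            matched |= hmac.compare_digest(sig.encode(), expected)
    if not matched:
        return False, "signature mismatch"
    request_id = headers.get(ID_HEADER)
    if seen_ids is not None:  # remember IDs for at least the skew window
        if request_id in seen_ids:
            return False, "replayed request id"
        seen_ids.add(request_id)
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample delivery, signed with the incumbent secret.
    new, old = b"constructed-new-secret", b"constructed-old-secret"
    body, ts = b'{"eventType":"PURCHASE"}', str(int(time.time()))
    hdrs = {TS_HEADER: ts, ID_HEADER: "req-1", SIG_HEADER: sign(old, ts, body)}
    print(verify_webhook(hdrs, body, [new, old], seen_ids=set()))
```

Once the 7-day overlap has passed, drop the incumbent secret from the list so that only the new one is accepted.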

3. Q-Flow Sources (Ingress Webhook Proxying)

What It Is
With Q-Flow Sources, Q-Flow can now receive events from third-party services and act as a central event gateway. By centralizing event ingestion, routing, and authentication into a single, intuitive platform, Q-Flow eliminates the chaos of managing disparate webhook streams, ensuring you never miss a critical event again.

Why It Matters

  • Centralized Control: Stream all your inbound events through Q-Flow, reducing complexity and simplifying your infrastructure.
  • Fine-Grained Filtering: Subscribe only to the events you need, helping you comply with data protection regulations and minimize payload processing.
  • Compliance & Security: Restrict which HTTP methods are allowed (e.g., only POST or PUT), define IP whitelists (IP addresses, ranges, CIDR), and leverage Basic, API Key, or JWT-based authentication to ensure only valid requests make it through.

A GIF showing how a Source is created in Q-Flow: adding a name, description, HTTP methods, authentication and IP whitelisting.

How It Works

  1. Create a Source in Q-Flow and configure the authentication method—Basic, API Key, or JWT (RSA/HSA).
  2. Enable IP Whitelisting to permit only specific IP addresses or ranges to send you events.
  3. Select the HTTP Methods you wish to allow (e.g., POST, PUT). Any disallowed method (e.g., PATCH, DELETE) is automatically rejected.
  4. Filter or transform the inbound data before it’s delivered to your subscribers.

By funnelling traffic through a single, secure gateway, you streamline event management and gain complete control over inbound data.

An image showing how Sources work within Qala, showing Q-Flow ingesting the data from third parties and routing to the correct subscriptions, whilst applying smart retries, advanced filtering and replaying failed events.

4. Subscription Advanced Query (Simple SQL Syntax)

What It Is
We’re introducing Subscription Advanced Query, a powerful yet straightforward feature that uses familiar SQL syntax to filter, transform, and aggregate your event data. Rather than learning a proprietary query language, you can leverage SQL-like commands to shape your data within Q-Flow.

Why It Matters

  • Flexible & Familiar: Harness the power of SQL without complex overhead or retraining.
  • Data Shaping: Easily transform, filter, and aggregate incoming events.
  • Better Insights: Derive metrics and analytics on the fly, right in Q-Flow.

A GIF showing Advanced Query in Q-Flow, allowing users to test out their SQL queries and confirm that the correct filtering, aggregation or transformation is being applied.

How It Works
When you create or edit a Subscription for either a Topic or Source, you can add an advanced SQL-like query that Q-Flow will apply to every incoming event. Advanced Query is also available in the Embeddable Component for your Subscribers to use.

Below are real-world examples showcasing how you can put this to work.

Filtering Examples

Example 1: Basic Filtering
Only retrieve events where the event type is a PURCHASE and the status is COMPLETED:

SELECT *
FROM events
WHERE eventType = 'PURCHASE'
  AND data.status = 'COMPLETED';

Example 2: Skip Free Orders and Forward Only Paid Subscriptions for EUR, USD or AUD.
For instance, you might want to skip free orders and only forward paid subscriptions to your analytics system where the currency is Euros, U.S. Dollars, or Australian Dollars:

SELECT *
FROM events
WHERE (
  data.currency IN ('EUR', 'USD', 'AUD')
  AND data.amount > '0'
);

With these rules in place, you can refine precisely which events are routed to your downstream systems, making your analytics pipeline more accurate and efficient.

Aggregation Examples

Example 1: Simple Event Count
Count how many events of each type are received.

SELECT eventType,
  COUNT(*) AS totalEvents
FROM events
GROUP BY eventType;

Example 2: Shopify Order Aggregation
Problem: Shopify webhook events can generate multiple notifications for each order, containing product quantities, total amounts, and taxes—leading to redundant data downstream.


Solution: Aggregate orderCreated events to calculate total products, total amount, and taxed amount for each order.
Benefits: Reduces data volume, simplifies processing, and provides better analytics insights.

WITH orderDetails AS (
  SELECT
    orderId,
    SUM(lineItemQuantity) AS totalProducts,
    SUM(orderTotal) AS totalAmount,
    SUM(taxedAmount) AS taxedAmount
  FROM events

  -- Unnest line items and tax lines for accurate aggregation
  CROSS JOIN UNNEST(lineItems) AS lineItem(lineItemQuantity)
  CROSS JOIN UNNEST(taxLines) AS taxLine(taxedAmount)

  WHERE type = 'orderCreated'
  GROUP BY orderId
)

SELECT
  orderId,
  totalProducts,
  totalAmount,
  taxedAmount
FROM orderDetails
ORDER BY orderId;

With this query, you consolidate multiple notifications into a single summary row per order, making downstream processing and analysis far more efficient.

Transformation Examples

Example 1: Convert Text to Uppercase
Suppose you want to standardize the format of customer names:

SELECT
  orderId,
  UPPER(customerName) AS customerName,
  purchaseAmount
FROM events;

Here, names are converted to uppercase before being handed off to your internal systems, ensuring consistency across the board.

Example 2: Select Relevant Fields with Consistent Naming
You may only need certain data points for further processing. In this case, you can select specific fields while renaming them for internal consistency:

SELECT
  type,
  id,
  data.currency,
  data.amount,
  data.payment_method,
  data.transaction_id AS transaction_ref
FROM events
WHERE (
    data.currency IN ('EUR', 'USD', 'AUD')
    AND data.amount > '50'
    AND type IN ('payment.received', 'payment.pending')
  )
  OR data.status = 'authorized';

This way, you can keep your event payload lean, rename important columns (e.g., transaction_id to transaction_ref), and ensure you only forward relevant payment events.

February Feature Roundup

Q-Flow’s latest features make it simpler to safeguard your data, tune your notifications, and optimize how events move across your ecosystem. With Webhook Signing Keys and Secret Rotation, you can ensure ongoing trust and integrity. Sources (Ingress Webhook Proxying) centralize your incoming events and let you apply precise security controls. Finally, Subscription Advanced Query (powered by simple SQL syntax) gives you the flexibility to filter, transform, and aggregate event data right at the source.

We can’t wait for you to explore these new enhancements. By combining robust security measures with streamlined data handling and sophisticated querying, Q-Flow continues to give you the control you need over your notification workflows—so you can focus on building great products and experiences for your customers.

Stay tuned for more updates, and as always, your feedback helps us refine Q-Flow even further.

View our Roadmap here and feel free to suggest new ideas or upvote ideas.

An image of Karl reviewing the Qala Q-Flow Roadmap
