Reputation: 328
I have started using Twilio Programmable SMS API to send messages through Twilio.
As we all know, a message status can be queued, failed or sent, delivered or undelivered, and it changes over a period of time.
As per the documentation, the API has provided an excellent facility to monitor the status of a message using the StatusCallback request parameter; the value of this parameter is a URL that gets called when the message status changes.
I am assuming that the StatusCallback URL is our custom REST API endpoint that gets called by Twilio whenever the message status changes. Am I correct? If yes, how is Twilio authenticated to call our StatusCallback URL, and how is the authentication of the StatusCallback URL handled?
Upvotes: 3
Views: 2070
Reputation: 10771
Twilio allows you to set up authentication for webhooks in a couple of ways.
First, you can set up your endpoint to require HTTP authentication. You can then set the username and password in the URL. Twilio will first send a request with no Authorization header. After your server responds with a 401 Unauthorized status code, a WWW-Authenticate header and a realm in the response, Twilio will make the same request with an Authorization header.
The other way to ensure that Twilio was the initiator of a request is to validate the signature that comes as the X-Twilio-Signature header of the request. The signature is made up of the URL and all the parameters of the request, signed with your account's auth token. If you can generate the same signature, then you can trust it came from Twilio. Check the documentation for how to validate the signature; it's also built into each of the official Twilio helper libraries.
Upvotes: 4
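The signature check described in the answer above, as an added example that is not part of the original posts and is not Twilio's own code. It assumes the scheme in Twilio's public documentation for form-encoded POST callbacks (HMAC-SHA1 over the full URL followed by the parameters sorted by name, then Base64); the token, URL and parameters are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions for illustration, not real credentials).
SAMPLE_TOKEN = "constructed-auth-token-not-real"
SAMPLE_URL = "https://example.com/sms/status"
SAMPLE_PARAMS = {
    "MessageSid": "SM00000000000000000000000000000000",
    "MessageStatus": "delivered",
    "To": "+15550100",
}


def compute_signature(auth_token: str, url: str, params: dict) -> str:
    """Rebuild the signature from the URL and the POST parameters.

    Assumed scheme: the full callback URL, then each parameter name
    immediately followed by its value, ordered by name, with no separators.
    """
    signed = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"),
                      signed.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_request(auth_token: str, url: str, params: dict,
                     header_signature) -> bool:
    """Return True only if the X-Twilio-Signature header matches."""
    if not header_signature:
        # A callback without the header is never trusted.
        return False
    expected = compute_signature(auth_token, url, params)
    # Compare as bytes in constant time; encoding first avoids the TypeError
    # that compare_digest raises on non-ASCII str input from a hostile header.
    return hmac.compare_digest(expected.encode("utf-8"),
                               header_signature.encode("utf-8"))


if __name__ == "__main__":
    good = compute_signature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
    tampered = dict(SAMPLE_PARAMS, MessageStatus="failed")
    print("genuine :", is_valid_request(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, good))
    print("tampered:", is_valid_request(SAMPLE_TOKEN, SAMPLE_URL, tampered, good))
```

The URL passed in must be exactly the one Twilio requested, so behind a TLS-terminating proxy it has to be rebuilt from the public scheme and host rather than the internal one.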