Reputation: 914
How to use RequestValidator with API Key?
I'm trying to reconcile Twilio's advice and security best practices.
I initially wrote the app using SID and auth-token.
https://www.twilio.com/docs/usage/rest-api-best-practices says:
"we recommend the use of API Keys"
So I'm converting the python helper rest client to initialize using api key/secret
and since this is a webhook auth, following this security practice: https://www.twilio.com/docs/usage/security#validating-requests
However, this only seems to support auth_token
Does this mean there is no way to use API keys in a webhook app?
It seems silly to bother with API key secrets in app config if I'm also having to set the auth_token secret as well.
Upvotes: 3
Views: 942
Answers (1)
Reputation: 31
Twilio employee here 👋
Looks like you've spotted an inconsistency in our guidance. You are correct: if your app receives incoming webhooks from Twilio and you want to validate the signature of those incoming requests, you cannot use API keys to do so - you must use your account's Auth Token.
I just fixed the first doc you linked to so it reflects that guidance. Thank you for raising this with us and my apologies for the inconsistency in our docs!
Upvotes: 3
Related Questions
- Twilio REST API error - "Authenticate"
- Decorator for validating incoming Twilio requests
- Twilio HTTP Authentication for programmable sms status callback urls
- PHP Twilio RequestValidator returning false on all endpoints
- How to validate X-TWILIO-SIGNATURE
- Twilio - X-Twilio-Signature - Incoming request Validation
- How to get Twilio's RequestValidator to work
- Twilio Webhooks, validating the genuine twilio Request
- Twilio: How to avoid verification of number in twilio api
- Twilio RequestValidator for Python always returns false