
twilio-iam-auth-setup
✓ Official★ 4,081by openai · part of openai/plugins
Set up and manage Twilio authentication credentials: Auth Tokens, API keys (Standard, Main, Restricted), Access Tokens for client-side SDKs, and credential rotation. Use this skill as a prerequisite foundation before making any Twilio API calls.
This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.
Overview
Twilio supports multiple authentication methods. For most developers: use Auth Token for local prototyping, then move to API Keys in production.
| Method | Use for | Security |
|---|---|---|
| Account SID + Auth Token | Local prototyping, initial testing | Full account access — avoid in production |
| Account SID + API Key (Standard) + Secret | All production code | Recommended — revocable, no access to /Accounts or /Keys |
| Account SID + API Key (Restricted) + Secret | Fine-grained production access | Best — limit to specific resources only |
| Account SID + API Key (Main) + Secret | Account management automation | Full access like Auth Token, but revocable |
For beginners / vibe-coders: Start with Auth Token to get your first API call working, then create a Standard API Key before deploying anything. The key difference: if an API Key leaks, you revoke just that key. If your Auth Token leaks, your entire account is exposed until you rotate it.
Key Patterns
API Keys (production)
Create: Console > Account > API keys & tokens > Create API key
| Key type | Access | Use case |
|---|---|---|
| Standard | All resources except /Accounts and /Keys endpoints | Default for production apps |
| Restricted | Only the specific resources you grant | Multi-tenant apps, microservices, least-privilege |
| Main | Full account access (like Auth Token) | Account management automation (Console-only creation) |
After creation, copy the API Key SID (SK...) and Secret — the secret is shown only once.
Python
client = Client(
os.environ["TWILIO_API_KEY"], # SK...
os.environ["TWILIO_API_SECRET"],
os.environ["TWILIO_ACCOUNT_SID"] # required as third argument
)Node.js
const client = require("twilio")(
process.env.TWILIO_API_KEY,
process.env.TWILIO_API_SECRET,
{ accountSid: process.env.TWILIO_ACCOUNT_SID }
);Restricted API Keys
Restricted keys grant access only to specific Twilio API resources you define. Use them for least-privilege access in production.
Create via the v1 IAM API (not the v2010 /Keys.json endpoint — see CANNOT section):
Python
key = client.iam.v1.api_key.create(
account_sid=os.environ["TWILIO_ACCOUNT_SID"],
friendly_name="messaging-only-key",
key_type="restricted",
policy={
"allow": [
"/2010-04-01/Accounts/{AccountSid}/Messages*"
]
}
)
# Store key.sid and key.secret securely — secret shown only onceExample permission patterns:
| Permission | Grants access to |
|---|---|
/2010-04-01/Accounts/{AccountSid}/Messages* | Send and read messages |
/2010-04-01/Accounts/{AccountSid}/Calls* | Make and manage calls |
/v2/Services/*/Verifications* | Verify API only |
Docs: Restricted API keys
Test Credentials
Make API calls without charges or sending real messages. Find at Console > Account > API keys & tokens > Test credentials.
Python
client = Client(
os.environ["TWILIO_TEST_ACCOUNT_SID"],
os.environ["TWILIO_TEST_AUTH_TOKEN"]
)Node.js
const client = require("twilio")(
process.env.TWILIO_TEST_ACCOUNT_SID,
process.env.TWILIO_TEST_AUTH_TOKEN
);Magic test numbers:
+15005550006— valid, can receive messages+15005550001— invalid number (triggers error 21211)+15005550007— number that cannot receive SMS (triggers error 21612)
Auth Token Rotation
Rotate your Auth Token if it's been exposed or as periodic security hygiene. Twilio uses a secondary token promotion model:
- Console > Account > API keys & tokens > Request a secondary Auth Token
- Update your application to use the secondary token
- Once confirmed working, promote the secondary to primary
- The old primary token is immediately invalidated
Python
# Promote secondary Auth Token to primary via API
from twilio.rest import Client
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
account = client.api.accounts(os.environ["TWILIO_ACCOUNT_SID"]).update(
auth_token_promotion="promote"
)Important: Auth Token rotation invalidates all active sessions using that token. Plan the switchover to minimize downtime.
API Keys cannot be rotated — if an API Key is compromised, delete it and create a new one:
- Console > Account > API keys & tokens > select key > Delete
- Or via API:
client.keys(key_sid).delete()
Docs: Auth Token REST API
Access Tokens (client-side SDKs)
Short-lived JWTs for authenticating browser/mobile clients (Voice JS SDK, Conversations SDK, Video SDK). Generate server-side and pass to the client.
Python
from twilio.jwt.access_token import AccessToken
from twilio.jwt.access_token.grants import VoiceGrant
token = AccessToken(
os.environ["TWILIO_ACCOUNT_SID"],
os.environ["TWILIO_API_KEY"],
os.environ["TWILIO_API_SECRET"],
identity="user-123",
ttl=3600
)
token.add_grant(VoiceGrant(outgoing_application_sid="APxxxx"))
print(token.to_jwt())Node.js
const { AccessToken } = require("twilio").jwt;
const { VoiceGrant } = AccessToken;
const token = new AccessToken(
process.env.TWILIO_ACCOUNT_SID,
process.env.TWILIO_API_KEY,
process.env.TWILIO_API_SECRET,
{ identity: "user-123", ttl: 3600 }
);
token.addGrant(new VoiceGrant({ outgoingApplicationSid: "APxxxx" }));
console.log(token.toJwt());Available grant types: VoiceGrant, VideoGrant, ChatGrant (Conversations), SyncGrant
Environment Variable Reference
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Option 1: Auth Token (testing only)
TWILIO_AUTH_TOKEN=your_auth_token
# Option 2: API Key (production)
TWILIO_API_KEY=SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_API_SECRET=your_api_secret
# Test credentials
TWILIO_TEST_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_TEST_AUTH_TOKEN=your_test_auth_tokenCANNOT
- Standard keys cannot access /Accounts or /Keys endpoints — Returns error 20003 (401). Must use Auth Token or Main API Key for account management.
- No restricted key creation via v2010 API — The v2010
/Keys.jsonendpoint silently ignoresKeyType=restrictedandPolicyparameters, creating a standard key instead. Use the v1 IAM API. - Restricted keys cannot generate Access Tokens — Only Standard and Main keys can create client SDK tokens.
- No individual Access Token revocation — Tokens are valid until expiration (max 24h). To revoke early, delete the API key that issued them.
- Subaccount credentials cannot access parent or sibling resources — Each subaccount has its own Auth Token and API Keys. Use the subaccount's own credentials to access its resources — never the parent account's credentials.
- API Keys cannot be rotated — No key rotation API exists. To replace a compromised key: create a new key, update your app, then delete the old key.
- PKCV is an advanced feature for compliance-heavy industries — Public Key Client Validation adds client-certificate-style auth. Incompatible with Flex, Studio, and TaskRouter. Once enforcement is enabled, Auth Token authentication is disabled (one-way door). See PKCV docs — consider this only if your security team requires mutual TLS-equivalent authentication.
- Test credentials work with only 4 endpoints — Messages, Calls, IncomingPhoneNumbers, and Lookups. All other endpoints return 403.
- API Key Secret shown only at creation — Cannot be retrieved afterward. If lost, create a new key.
- FriendlyName max 64 characters for keys — 65+ characters returns error 70001.
- Restricted keys limited to 100 permissions per key — Exceeding this limit is rejected at creation.
- Cannot create Main API Keys via REST API — Console only
- Cannot set Access Token TTL beyond 24 hours — Maximum lifetime is 24h
- Cannot use test credentials with real numbers — Test credentials only work with test magic numbers
Next Steps
npx skills add https://github.com/openai/plugins --skill twilio-iam-auth-setupRun this in your project — your agent picks the skill up automatically.
Prerequisites
- Twilio account — see
twilio-account-setupif you don't have one - Access to the Twilio Console
Quickstart
Find your Account SID and Auth Token in the Console dashboard.
Python
import os
from twilio.rest import Client
client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])Node.js
const client = require("twilio")(
process.env.TWILIO_ACCOUNT_SID,
process.env.TWILIO_AUTH_TOKEN
);Never commit Auth Token to version control or use in production.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.