Labsco
openai logo

twilio-webhook-architecture

✓ Official4,081

by openai · part of openai/plugins

Design, secure, and operate Twilio webhook endpoints. Covers inbound event handling, status callbacks, signature validation, connection overrides for retry and timeout tuning, local development tunneling, and production hardening. Use this skill whenever an agent needs to receive HTTP callbacks from Twilio for any product -- messaging, voice, verify, or event streams.

🧩 One of 7 skills in the openai/plugins package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Overview

Twilio delivers events to your application via HTTP callbacks (webhooks). Inbound messages and calls trigger webhooks that expect a TwiML response; status callbacks and event streams push delivery and lifecycle data asynchronously. This skill covers the cross-product patterns that apply to every webhook integration.


Key Patterns

1. Webhook Types Across Products

Webhook typeTriggerExpected responseProducts
Inbound eventMessage received / call answeredTwiML (XML)Messaging, Voice
Status callbackResource state change200 or 204 (no body required)Messaging, Voice, Verify, Video
Action URLTwiML verb completes (<Gather>, <Record>)Next TwiMLVoice
Recording statusRecording processing completes200 or 204Voice
Debugger eventError or warning on account200 or 204All
Event StreamsAny subscribed event200 or 204All (via Sink)

2. Signature Validation

Twilio signs every webhook with an X-Twilio-Signature header (HMAC-SHA1 using your Auth Token). Always validate before processing.

Form-encoded requests (application/x-www-form-urlencoded):

Pass the full URL and POST body parameters to the validator.

Python

from twilio.request_validator import RequestValidator

validator = RequestValidator(os.environ["TWILIO_AUTH_TOKEN"])
is_valid = validator.validate(request.url, request.form, request.headers.get("X-Twilio-Signature", ""))

Node.js

const { validateRequest } = require("twilio");

const isValid = validateRequest(
    process.env.TWILIO_AUTH_TOKEN,
    req.headers["x-twilio-signature"],
    `https://${req.headers.host}${req.originalUrl}`,
    req.body
);

JSON requests (application/json):

Twilio appends a bodySHA256 query parameter to your URL. Use the SDK's JSON-specific validation.

Python

from twilio.request_validator import RequestValidator

validator = RequestValidator(os.environ["TWILIO_AUTH_TOKEN"])
is_valid = validator.validate_body(
    request.url,
    request.get_data(as_text=True),
    request.headers.get("X-Twilio-Signature", "")
)

Node.js

const twilio = require("twilio");

// Use express.raw() or a verify callback to preserve the raw body
const isValid = twilio.validateRequestWithBody(
    process.env.TWILIO_AUTH_TOKEN,
    req.headers["x-twilio-signature"],
    `https://${req.headers.host}${req.originalUrl}`,
    req.rawBody  // must be the exact bytes Twilio sent, not JSON.stringify(req.body)
);

Critical: Use the SDK validator. Do not implement your own -- Twilio may add parameters without notice, and the exact algorithm (including port handling) has edge cases the SDK handles.

3. Status Callback Handling

Status callbacks are asynchronous POST requests Twilio sends when a resource changes state. They do not expect TwiML -- return 200 or 204.

Messaging status flow: queued -> sent -> delivered (or undelivered / failed)

When using Messaging Services, the flow starts with accepted -> queued -> ...

Voice status events: initiated, ringing, answered, completed

Subscribe to specific events via StatusCallbackEvent parameter.

Status callbacks are signed with X-Twilio-Signature like all Twilio webhooks. Validate before acting on the payload -- an unvalidated endpoint lets anyone forge delivery status and drive downstream logic.

Python (Flask) -- messaging status handler

@app.route("/status", methods=["POST"])
def message_status():
    sig = request.headers.get("X-Twilio-Signature", "")
    if not validator.validate(request.url, request.form, sig):
        return "Forbidden", 403
    sid = request.form.get("MessageSid")
    status = request.form.get("MessageStatus")
    error_code = request.form.get("ErrorCode")
    if status in ("failed", "undelivered") and error_code:
        print(f"Delivery failed {sid}: error {error_code}")
    return "", 204

Node.js (Express) -- voice status handler

app.post("/call-status", (req, res) => {
    const valid = twilio.validateRequest(
        process.env.TWILIO_AUTH_TOKEN,
        req.headers["x-twilio-signature"],
        `https://${req.headers.host}${req.originalUrl}`,
        req.body
    );
    if (!valid) return res.status(403).send("Forbidden");
    const { CallSid, CallStatus, Duration } = req.body;
    console.log(`${CallSid}: ${CallStatus} (${Duration}s)`);
    res.sendStatus(204);
});

Attach status callbacks when creating resources:

# Messaging
message = client.messages.create(
    to="+15558675310", from_="+15017122661", body="Hello!",
    status_callback="https://yourapp.com/status"
)

# Voice
call = client.calls.create(
    to="+15558675310", from_="+15017122661",
    url="https://yourapp.com/voice",
    status_callback="https://yourapp.com/call-status",
    status_callback_event=["initiated", "ringing", "answered", "completed"],
    status_callback_method="POST"
)

4. Connection Overrides (Retry and Timeout Tuning)

Append URL fragments to any webhook URL to override default connection behavior. Fragments are not included in signature computation.

Format: https://yourapp.com/webhook#key=value&key=value

ParameterKeyDefaultRangeDescription
Connect Timeoutct5000ms100-10000TCP connection timeout
Read Timeoutrt15000ms100-15000Time to wait for first response byte
Total Timett15000ms100-15000Total time for all retries
Retry Countrc10-5Number of retry attempts
Retry Policyrpct4xx, 5xx, ct, rt, allWhat triggers a retry
Edge Locationeashburnashburn, dublin, frankfurt, sao-paulo, singapore, sydney, tokyo, umatillaEgress edge

Examples:

# Retry up to 3 times on connection or read timeout
https://yourapp.com/sms#rc=3&rp=ct,rt

# Fast failover: 1s connect timeout, 2 retries
https://yourapp.com/voice#ct=1000&rc=2

# Rotate edge locations on retry
https://yourapp.com/status#e=ashburn,dublin&rc=1

Twilio adds an I-Twilio-Idempotency-Token header on retries for deduplication.

Limitations: Connection overrides are not available on Twilio Conversations or Frontline webhooks. Voice webhooks have a hard 15-second ceiling regardless of override values.

5. Configure Webhook URLs via API

Python

# Phone number -- messaging
client.incoming_phone_numbers("PNxxxxxxxxxx").update(
    sms_url="https://yourapp.com/sms",
    sms_method="POST",
    sms_fallback_url="https://yourapp.com/sms-fallback",
    sms_fallback_method="POST"
)

# Phone number -- voice
client.incoming_phone_numbers("PNxxxxxxxxxx").update(
    voice_url="https://yourapp.com/voice",
    voice_method="POST",
    voice_fallback_url="https://yourapp.com/voice-fallback",
    voice_fallback_method="POST",
    status_callback="https://yourapp.com/call-status",
    status_callback_method="POST"
)

Node.js

// Phone number -- messaging
await client.incomingPhoneNumbers("PNxxxxxxxxxx").update({
    smsUrl: "https://yourapp.com/sms",
    smsMethod: "POST",
    smsFallbackUrl: "https://yourapp.com/sms-fallback",
    smsFallbackMethod: "POST",
});

// Phone number -- voice
await client.incomingPhoneNumbers("PNxxxxxxxxxx").update({
    voiceUrl: "https://yourapp.com/voice",
    voiceMethod: "POST",
    voiceFallbackUrl: "https://yourapp.com/voice-fallback",
    voiceFallbackMethod: "POST",
    statusCallback: "https://yourapp.com/call-status",
    statusCallbackMethod: "POST",
});

6. Local Development with Tunnels

Twilio cannot reach localhost. Use a tunnel to expose your local server.

ngrok (recommended for development):

ngrok http 5000
# Copy the HTTPS URL, e.g. https://abc123.ngrok-free.app

Then set the ngrok URL as your webhook in Console or via API.

Twilio CLI:

# Install and use the CLI webhook plugin
twilio phone-numbers:update +15017122661 \
  --sms-url="https://abc123.ngrok-free.app/sms"

ngrok caveats:

  • Free tier URLs change on restart -- update Twilio config each time
  • Free tier sessions expire after hours -- use a stable host for anything beyond quick tests
  • For persistent local dev, use ngrok with a custom domain (paid) or deploy to a cloud host

7. Event Streams (Webhook Sink)

For high-volume or cross-product event delivery, use Event Streams instead of per-resource status callbacks. Event Streams deliver events to a Sink (webhook, Kinesis, or Segment). The Twilio SDK does not wrap Event Streams -- use requests / fetch directly.

Python -- create a webhook sink and subscribe to error events

import os, requests

account_sid = os.environ["TWILIO_ACCOUNT_SID"]
auth_token = os.environ["TWILIO_AUTH_TOKEN"]

# Create a webhook sink
sink = requests.post(
    "https://events.twilio.com/v1/Sinks",
    auth=(account_sid, auth_token),
    data={
        "Description": "Error log sink",
        "SinkType": "webhook",
        "SinkConfiguration": '{"destination": "https://yourapp.com/events", "method": "POST"}'
    }
).json()

# Subscribe to error log events
requests.post(
    "https://events.twilio.com/v1/Subscriptions",
    auth=(account_sid, auth_token),
    data={
        "Description": "Error log subscription",
        "SinkSid": sink["sid"],
        "Types": '[{"type": "com.twilio.error-logs.error.logged"}]'
    }
)

Sink types: webhook, kinesis, segment. Subscriptions filter which event types route to which sinks.

8. HTTP Authentication for Webhook URLs

Twilio supports HTTP Basic and Digest authentication. Embed credentials in the URL:

https://username:password@yourapp.com/sms

This provides an additional layer of protection beyond signature validation. Note: these credentials are visible in Console webhook configuration and may appear in server access logs -- rotate them independently of your Auth Token.


Common Webhook Parameters

Inbound SMS

ParameterDescription
MessageSidUnique message identifier
AccountSidYour Twilio account SID
FromSender phone number (E.164)
ToYour Twilio number
BodyMessage text
NumMediaNumber of media attachments
MediaUrl0..NURL of each media attachment
MediaContentType0..NMIME type of each attachment

Inbound Voice Call

ParameterDescription
CallSidUnique call identifier
AccountSidYour Twilio account SID
FromCaller phone number (E.164)
ToYour Twilio number
CallStatusqueued, ringing, in-progress, completed, busy, failed, no-answer, canceled
Directioninbound
ForwardedFromNumber that forwarded the call (if applicable)

Message Status Callback

ParameterDescription
MessageSidUnique message identifier
MessageStatusaccepted, queued, sending, sent, delivered, undelivered, failed, read
ErrorCodeTwilio error code (present on failed/undelivered)
ErrorMessageHuman-readable error description

Debugger Event Callback

ParameterDescription
SidDebugger event identifier
AccountSidAccount that generated the event
LevelError or Warning
TimestampISO 8601 time of occurrence
PayloadJSON with resource_sid, error_code, more_info, webhook (request/response details)

CANNOT

  • Cannot exceed 15-second voice webhook response time — Twilio hangs up or falls back. Messaging webhooks retry on timeout.
  • Cannot use HTTP in production — HTTPS required. No self-signed certificates. Do not pin Twilio certificates — they rotate without notice.
  • Cannot allowlist Twilio by IP — Webhooks come from dynamic IPs. Use signature validation instead.
  • Cannot guarantee status callback delivery or order — Best-effort. Implement idempotency using MessageSid + MessageStatus or CallSid + CallStatus as composite keys.
  • Cannot redirect without losing POST parameters — HTTP 301/302 redirects cause Twilio to follow with GET, dropping Digits, RecordingUrl, etc.
  • Cannot use connection overrides on Conversations or Frontline webhooks — Not supported for these products

Next Steps

  • Receive inbound SMS: twilio-messaging-webhooks
  • Voice call handling: twilio-voice-twiml
  • Scale webhook handling: twilio-reliability-patterns
  • Debug webhook failures: twilio-debugging-observability
  • Secure credentials: twilio-iam-auth-setup