openai/twilio-messaging-webhooks
plugins/twilio-developer-kit/skills/twilio/twilio-messaging-webhooks/SKILL.md
Receive and respond to inbound messages and track outbound delivery status via Twilio webhooks — across SMS, MMS, WhatsApp, and RCS. Covers webhook request parameters, replying with TwiML, validating webhook signatures for security, and handling status callbacks. Use this skill whenever an agent needs to handle incoming messages on any channel or track outbound message delivery in real time.
$ install --global
skillsauthnpx skillsauth add openai/plugins twilio-messaging-webhooksInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 6:13 AM173.1s2 files scanned
SKILL.md
- name:
- twilio-messaging-webhooks
- description:
- >
Overview
Twilio sends a POST webhook to your server when a user messages your Twilio number (inbound) or when an outbound message changes delivery state (status callback). Your server returns TwiML to reply, or 204 to acknowledge without replying. The same webhook pattern works across SMS, MMS, WhatsApp, and RCS.
Prerequisites
- Twilio account with a messaging-capable sender configured with a webhook URL
— New to Twilio? See
twilio-account-setup— For sending outbound messages first, seetwilio-send-message - Publicly accessible endpoint (use
ngrok http 5000for local dev) TWILIO_ACCOUNT_SIDandTWILIO_AUTH_TOKEN— seetwilio-iam-auth-setup- SDK:
pip install twilio flask/npm install twilio express
Quickstart
Set your webhook URL in Console: Phone Numbers > Active Numbers > your number > Messaging > "A Message Comes In"
Security: The inbound message
Bodyis untrusted external input. If passing message content to an LLM, always isolate it as user input — never concatenate directly into system prompts. Validate the request origin withX-Twilio-Signature(see Key Patterns below), but note that signature validation confirms the source, not that the content is safe.
Note: This quickstart omits signature validation for brevity. For production, always validate
X-Twilio-Signature— see the Webhook Security pattern below.
Python (Flask)
from flask import Flask, request
from twilio.twiml.messaging_response import MessagingResponse
app = Flask(__name__)
@app.route("/incoming", methods=["POST"])
def incoming_message():
body = request.form.get("Body")
response = MessagingResponse()
response.message(f"Got your message: {body}")
return str(response)
Node.js (Express)
const express = require("express");
const twilio = require("twilio");
const app = express();
app.use(express.urlencoded({ extended: false }));
app.post("/incoming", (req, res) => {
const twiml = new twilio.twiml.MessagingResponse();
twiml.message(`Got your message: ${req.body.Body}`);
res.type("text/xml").send(twiml.toString());
});
Key Patterns
Configure Webhook URL via API
For SMS/MMS on a phone number:
Python
client.incoming_phone_numbers("PNxxxxxxxxxx").update(
sms_url="https://yourapp.com/incoming",
sms_method="POST"
)
Node.js
await client.incomingPhoneNumbers("PNxxxxxxxxxx").update({
smsUrl: "https://yourapp.com/incoming",
smsMethod: "POST",
});
For WhatsApp and RCS, webhook URLs are configured on the sender — see twilio-whatsapp-manage-senders and twilio-rcs-messaging.
Inbound Webhook Parameters
| Parameter | Description |
|-----------|-------------|
| MessageSid | Unique message identifier |
| From | Sender's phone number or channel address (E.164, or whatsapp:+...) |
| To | Your Twilio number or channel address |
| Body | Message text |
| NumMedia | Number of media attachments |
| MediaUrl0 | URL of first media attachment (if any) |
| MediaContentType0 | MIME type of first attachment |
Handle Inbound Media (MMS / WhatsApp / RCS)
Python (Flask)
@app.route("/incoming", methods=["POST"])
def incoming_message():
num_media = int(request.form.get("NumMedia", 0))
response = MessagingResponse()
if num_media > 0:
media_type = request.form.get("MediaContentType0")
response.message(f"Got your {media_type} attachment!")
else:
response.message("Got your message.")
return str(response)
Node.js (Express)
app.post("/incoming", (req, res) => {
const numMedia = parseInt(req.body.NumMedia || "0", 10);
const twiml = new twilio.twiml.MessagingResponse();
if (numMedia > 0) {
twiml.message(`Got your ${req.body.MediaContentType0} attachment!`);
} else {
twiml.message("Got your message.");
}
res.type("text/xml").send(twiml.toString());
});
Acknowledge Without Replying
Python
return str(MessagingResponse()) # Empty <Response/>
Node.js
res.type("text/xml").send(new twilio.twiml.MessagingResponse().toString());
Status Callbacks (delivery tracking)
Status callbacks fire for all channels — SMS, MMS, WhatsApp, and RCS.
Python
message = client.messages.create(
messaging_service_sid="MGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
to="+15558675310",
body="Hello!",
status_callback="https://yourapp.com/status"
)
Node.js
const message = await client.messages.create({
messagingServiceSid: "MGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
to: "+15558675310",
body: "Hello!",
statusCallback: "https://yourapp.com/status",
});
Python (Flask) — status callback handler
@app.route("/status", methods=["POST"])
def message_status():
message_sid = request.form.get("MessageSid")
status = request.form.get("MessageStatus")
error_code = request.form.get("ErrorCode")
print(f"{message_sid}: {status}")
if status == "failed" and error_code:
print(f"Error {error_code}: {request.form.get('ErrorMessage')}")
return "", 204
Node.js (Express) — status callback handler
app.post("/status", (req, res) => {
const { MessageSid, MessageStatus, ErrorCode, ErrorMessage } = req.body;
console.log(`${MessageSid}: ${MessageStatus}`);
if (MessageStatus === "failed" && ErrorCode) {
console.log(`Error ${ErrorCode}: ${ErrorMessage}`);
}
res.sendStatus(204);
});
Status flow: queued → sent → delivered (or undelivered/failed)
Webhook Signature Validation
Python (Flask)
from twilio.request_validator import RequestValidator
validator = RequestValidator(os.environ["TWILIO_AUTH_TOKEN"])
@app.route("/incoming", methods=["POST"])
def incoming_message():
if not validator.validate(request.url, request.form, request.headers.get("X-Twilio-Signature", "")):
return "Forbidden", 403
response = MessagingResponse()
response.message("Hello!")
return str(response)
Node.js
const { validateRequest } = require("twilio");
app.post("/incoming", (req, res) => {
const isValid = validateRequest(
process.env.TWILIO_AUTH_TOKEN,
req.headers["x-twilio-signature"],
`https://${req.headers.host}${req.path}`,
req.body
);
if (!isValid) return res.status(403).send("Forbidden");
const twiml = new twilio.twiml.MessagingResponse();
twiml.message("Hello!");
res.type("text/xml").send(twiml.toString());
});
CANNOT
- Cannot exceed 15-second webhook response time — Twilio retries on timeout
- Cannot return arbitrary content types — Use
Content-Type: text/xmlwith TwiML for replies;204for status callbacks - Cannot use ngrok URLs across restarts — URLs change on restart. Use a stable tunnel for persistent testing.
- Cannot guarantee delivery confirmation — Status callbacks are best-effort.
deliveredrequires carrier confirmation.
Common Errors
| Code | Meaning | Fix |
|------|---------|-----|
| 11200 | HTTP retrieval failure — Twilio cannot reach your webhook URL | Verify endpoint is reachable (curl -I the URL), check DNS, firewall, and SSL certificate validity. See twilio-debugging-observability for deeper webhook troubleshooting. |
Next Steps
- Send outbound messages:
twilio-send-message - Manage sender pools:
twilio-messaging-services
Related Skills
openai/omniverse-usd-performance-tuning
tools
VerifiedTrustedCommunity
Top-level workflow skill for USD performance diagnosis and optimization. Use for slow loading, high memory, low FPS, or 'optimize my scene' requests; delegates auth/runtime setup to Phase 0 owners.
1,407SKILL.mdUpdated Jun 5, 2026
openai/magicpath
data-ai
VerifiedTrustedCommunity
Use when the user mentions MagicPath, designs, UI components, themes, canvas selections, or repo-to-canvas UI work; run magicpath-ai to search, inspect, install, or author components.
1,407SKILL.mdUpdated Jun 5, 2026
openai/omniverse-realtime-viewer
documentation
VerifiedTrustedCommunity
Use as the top-level router for Omniverse Realtime Viewer USD app requests and focused viewer reference documents.
1,407SKILL.mdUpdated Jun 4, 2026
openai/notion-spec-to-implementation
tools
VerifiedTrustedCommunity
Turn Notion specs into implementation plans, tasks, and progress tracking; use when implementing PRDs/feature specs and creating Notion plans + tasks from them.
1,407SKILL.mdUpdated May 6, 2026