openai/twilio-security-api-auth
plugins/twilio-developer-kit/skills/twilio/twilio-security-api-auth/SKILL.md
Choose the right Twilio authentication method and implement it correctly. Covers Auth Token (testing only), API Keys (production standard), OAuth2 client_credentials (time-limited bearer tokens), Access Tokens (client-side SDKs), and test credentials. Use this skill before making any Twilio API calls in production.
$ install --global
skillsauthnpx skillsauth add openai/plugins twilio-security-api-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 6:15 AM173.9s1 file scanned
SKILL.md
- name:
- twilio-security-api-auth
- description:
- >
Overview
Twilio supports four authentication methods. Choosing the wrong one is a security risk — Auth Tokens in production code are the most common credential leak.
| Method | Use for | Token lifetime | Revocable individually | |--------|---------|---------------|----------------------| | Auth Token | Local testing only | Permanent (until rotated) | No — rotation breaks ALL API keys | | API Key + Secret | Production server-side | Permanent (until deleted) | Yes | | OAuth2 Bearer Token | Production server-side (enhanced) | 1 hour | Expires automatically | | Access Token (JWT) | Client-side SDKs (Voice, Video, Chat) | Up to 24 hours | No — delete issuing API key |
Decision framework:
- Building a quick prototype? → Auth Token (but switch to API Key before deploying)
- Production server-side code? → API Key + Secret (simplest production auth) or OAuth2 (time-limited tokens)
- Browser/mobile client needs to connect? → Access Token (JWT) generated server-side
- Running tests without charges? → Test credentials with magic numbers
API Key Authentication (Production Standard)
Create: Console → Account → API keys & tokens → Create API key
| Key type | Access | Create via | |----------|--------|-----------| | Main | Full account access | Console only | | Standard | All resources except /Accounts and /Keys endpoints | Console or API | | Restricted | Specific resources only (up to 100 permissions) | Console or v1 IAM API only |
Python
import os
from twilio.rest import Client
client = Client(
os.environ["TWILIO_API_KEY"], # SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
os.environ["TWILIO_API_SECRET"],
os.environ["TWILIO_ACCOUNT_SID"] # required as third argument
)
Node.js
const client = require("twilio")(
process.env.TWILIO_API_KEY,
process.env.TWILIO_API_SECRET,
{ accountSid: process.env.TWILIO_ACCOUNT_SID }
);
OAuth2 Authentication (Client Credentials)
Time-limited bearer tokens that expire after 1 hour. More secure than permanent API keys for server-to-server communication.
Step 1 — Create an OAuth App
Create an OAuth App in the Twilio Console to get a Client ID and Client Secret.
Step 2 — Request a Bearer Token
cURL
curl -X POST 'https://oauth.twilio.com/v2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id={ClientID}' \
-d 'client_secret={ClientSecret}' \
-d 'grant_type=client_credentials'
Response:
{
"access_token": "{BearerToken}",
"token_type": "Bearer",
"expires_in": 3600
}
Step 3 — Use the Bearer Token
curl 'https://api.twilio.com/2010-04-01/Accounts/{AccountSID}/Messages.json' \
-H 'Authorization: Bearer {BearerToken}'
SDK Support
OAuth2 is supported in all Twilio SDKs:
| Language | Minimum version | |----------|----------------| | Java | 10.6.0 | | C#/.NET | 7.6.0 | | Node.js | 5.4.0 | | Python | 9.4.1 | | Ruby | 7.4.0 | | PHP | 8.5.0 | | Go | 1.25.1 |
Docs: OAuth access tokens | Segment OAuth connections
Access Tokens (Client-Side SDKs)
Short-lived JWTs for authenticating browser/mobile clients. Generate server-side, pass to the client.
Python
from twilio.jwt.access_token import AccessToken
from twilio.jwt.access_token.grants import VoiceGrant
token = AccessToken(
os.environ["TWILIO_ACCOUNT_SID"],
os.environ["TWILIO_API_KEY"],
os.environ["TWILIO_API_SECRET"],
identity="user-123",
ttl=3600
)
token.add_grant(VoiceGrant(outgoing_application_sid="APxxxx"))
print(token.to_jwt())
Grant types: VoiceGrant, VideoGrant, ChatGrant (Conversations), SyncGrant
Test Credentials
Make API calls without charges. Find at Console → Account → API keys & tokens → Test credentials.
Magic numbers: +15005550006 (valid), +15005550001 (invalid, error 21211), +15005550007 (no SMS, error 21612)
CANNOT
- Standard keys cannot access /Accounts or /Keys endpoints — Returns 20003 (401). Use Auth Token or Main key.
- Cannot create restricted keys via v2010 API — Silently creates a standard key instead. Use v1 IAM API.
- Restricted keys cannot generate Access Tokens — Only Standard and Main keys can.
- Cannot revoke individual Access Tokens — Valid until expiration (max 24h). Delete the issuing API key to revoke all.
- OAuth2 only supports
client_credentialsgrant — No refresh tokens, no authorization code flow. - OAuth2 tokens expire after 1 hour — Your application must handle token refresh.
- API Key Secret shown only at creation — Cannot be retrieved afterward.
- Auth Token rotation breaks ALL API keys — One-way door. This is why you should use API keys from day one.
- Test credentials work with only 4 endpoints — Messages, Calls, IncomingPhoneNumbers, Lookups. All others return 403.
Next Steps
- Account setup and sub-accounts:
twilio-account-setup - HIPAA account configuration:
twilio-security-compliance-hipaa - Webhook signature validation:
twilio-webhook-architecture - Credential security patterns:
twilio-security-hardening
Related Skills
openai/omniverse-usd-performance-tuning
tools
VerifiedTrustedCommunity
Top-level workflow skill for USD performance diagnosis and optimization. Use for slow loading, high memory, low FPS, or 'optimize my scene' requests; delegates auth/runtime setup to Phase 0 owners.
1,407SKILL.mdUpdated Jun 5, 2026
openai/magicpath
data-ai
VerifiedTrustedCommunity
Use when the user mentions MagicPath, designs, UI components, themes, canvas selections, or repo-to-canvas UI work; run magicpath-ai to search, inspect, install, or author components.
1,407SKILL.mdUpdated Jun 5, 2026
openai/omniverse-realtime-viewer
documentation
VerifiedTrustedCommunity
Use as the top-level router for Omniverse Realtime Viewer USD app requests and focused viewer reference documents.
1,407SKILL.mdUpdated Jun 4, 2026
openai/notion-spec-to-implementation
tools
VerifiedTrustedCommunity
Turn Notion specs into implementation plans, tasks, and progress tracking; use when implementing PRDs/feature specs and creating Notion plans + tasks from them.
1,407SKILL.mdUpdated May 6, 2026