Twilio API requests
Learn how to authenticate your requests, what content type to use for API requests, and how the Twilio APIs handle webhooks. You'll also see examples of how to make requests to the Twilio APIs.
There are several ways you can make an HTTP request to the Twilio API.
- Make a raw HTTP request either in your code (for example, by using a module like got in NodeJS) or with a tool like Postman.
- Use a Twilio Helper Library for your preferred programming language.
- Use the Twilio CLI if you prefer working in the terminal.
Environment variables
Always store your credentials in environment variables before sharing any code or deploying to production. Learn more about setting environment variables.
To authenticate requests to the Twilio APIs, Twilio supports HTTP Basic authentication. You can use the following credentials:
| Username | Password | Best practice |
|---|---|---|
| API Key | API Key Secret | This is the recommended way to authenticate with the Twilio APIs. When a key is compromised or no longer used, revoke it to prevent unauthorized access. |
| Account SID | AuthToken | Limit your use to local testing. |
Regional API credentials
Twilio API credentials are region-specific resources. If your account uses Twilio Regions, see Manage Regional API credentials.
An API key is a unique identifier that allows a client to access your Twilio account and create, read, update, or delete resources through the Twilio APIs. You can create multiple API keys for different purposes, such as for different developers or subsystems within your application. If a key is compromised or no longer used, you can revoke it to prevent unauthorized access.
You can create an API key either in the Twilio Console or using the API.
The API key types are Main, Standard, and Restricted (Public Beta, Key resource v1 only). The following table describes each type:
| Key type | Access permissions | Create in Console | Create with REST API |
|---|---|---|---|
| Main | Full access to all Twilio API resources. Equivalent to using your Account SID and Auth Token for API requests. | Yes | No |
| Standard | Access to all Twilio API resources, except for Accounts (/Accounts) or Keys (/Accounts/{SID}/Keys, /v1/Keys) resources. | Yes | Yes |
| Restricted | Customized, fine-grained access to specific Twilio API resources. Learn more about Restricted API keys. | Yes | Yes (v1 only) |
When making an API request, use your API key as the username and your API key secret as the password.
Note: In the following example, you must use a Main API key.
1curl -G https://api.twilio.com/2010-04-01/Accounts \2-u $YOUR_API_KEY:$YOUR_API_KEY_SECRET
The user remains logged in for the duration of the request. Learn more about how Twilio handles authentication.
Twilio recommends using only API keys for production applications. If a bad actor gains access to your Account SID and Auth Token, then your Twilio Account is compromised.
For local testing, you can use your Account SID as the username and your Auth token as the password. You can find your Account SID and Auth Token in the Twilio Console, under the Account Dashboard.
1curl -G https://api.twilio.com/2010-04-01/Accounts \2-u $YOUR_ACCOUNT_SID:$YOUR_AUTH_TOKEN
A Twilio helper library is a server-side SDK that helps you use Twilio's REST APIs, generate TwiML, and perform other common server-side programming tasks. All Twilio helper libraries come with a Utilities class that validates requests by passing your credentials to the library.
The Twilio APIs are RESTful and use standard HTTP methods to interact with resources. The following are the most common methods:
POST: Create or update a resource.GET: Retrieve a resource.DELETE: Delete a resource.
1// Download the helper library from https://www.twilio.com/docs/node/install2const twilio = require("twilio"); // Or, for ESM: import twilio from "twilio";34// Find your Account SID at twilio.com/console5// Provision API Keys at twilio.com/console/runtime/api-keys6// and set the environment variables. See http://twil.io/secure7const accountSid = process.env.TWILIO_ACCOUNT_SID;8const apiKey = process.env.TWILIO_API_KEY;9const apiSecret = process.env.TWILIO_API_SECRET;10const client = twilio(apiKey, apiSecret, { accountSid: accountSid });1112async function createMessage() {13const message = await client.messages.create({14body: "Hello",15from: "+14155552344",16to: "+15558675310",17});1819console.log(message.body);20}2122createMessage();
Response
Note: This shows the raw API response from Twilio. Responses from SDKs (Java, Python, etc.) may look a little different.1{2"account_sid": "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",3"api_version": "2010-04-01",4"body": "Hello",5"date_created": "Thu, 24 Aug 2023 05:01:45 +0000",6"date_sent": "Thu, 24 Aug 2023 05:01:45 +0000",7"date_updated": "Thu, 24 Aug 2023 05:01:45 +0000",8"direction": "outbound-api",9"error_code": null,10"error_message": null,11"from": "+14155552344",12"num_media": "0",13"num_segments": "1",14"price": null,15"price_unit": null,16"messaging_service_sid": "MGaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",17"sid": "SMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",18"status": "queued",19"subresource_uris": {20"media": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Messages/SMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Media.json"21},22"to": "+15558675310",23"uri": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Messages/SMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.json"24}
Twilio's APIs expect the API request content type to be application/x-www-form-urlencoded or multipart/form-data. Using an unsupported content type might cause unexpected behavior or errors.
Twilio doesn't support CNAMEs for unauthenticated access to HTTP Voice recording media URLs. Use HTTPS endpoints and Transport-Layer-Security (TLS) protocols when accessing voice recordings media files from your account. For more information, see the Changelog.
Webhooks are user-defined HTTP callbacks triggered by an event in a web application. Twilio uses webhooks to let your application know when events happen, like getting an incoming call or receiving an SMS message. Webhooks are triggered asynchronously.
When a webhook event occurs, Twilio makes an HTTP request, such as POST or GET, to the URL you configured for your webhook. Twilio's request to your application includes details of the event like the body of an incoming message or an incoming phone number. Your application can then process the event and reply to Twilio with a response containing the instructions you'd like Twilio to perform.
To handle a webhook when you use Twilio, you need to build a web application that can accept HTTP requests. Check out the Twilio Helper Libraries to get up and running quickly.