
Instead of using Twilio Auth Token to validate the incoming webhook request from twilo, I want to use API key - API Key Secret combination to validate the request. I am not being able to find an option in twilio lib

pramod1792
  • Hi pramod1792. Can you clarify the question further please? Auth Token or API Keys are used for validation and authorisation when calling Twilio APIs. Your question is for an incoming webhook from Twilio, i.e. an endpoint that you would build and own, and hence the authorisation would not be based on Twilio keys. Or did you mean something else? – am1704 Jul 10 '20 at 13:16
  • Hi @am1704, yes, I am trying to validate the incoming request from Twilio over the webhook. There is a method in the Twilio client which validates the incoming request to verify whether the request was made by Twilio or not. That method, validateExpressRequest(), takes the Auth Token as a parameter. I want to use the API Key-Secret combination instead. – pramod1792 Jul 10 '20 at 17:21

1 Answer


I came across this and saw it was unanswered. Twilio employee here.

This is unfortunately not possible. All outgoing webhooks are signed with the PRIMARY auth token of your account.

As such, it's currently not possible to validate these requests using either the secondary token or an API key.

mmenschig
  • if I send a message from a twilio subaccount, is it possible to validate a webhook using the master account auth token? I've had issues with this and was wondering what was best practice for validating webhook requests from subaccounts since the tutorials I've seen store a single Master Auth Token in an environment variable (thus not accounting for all the subaccount auth tokens). Currently, when trying to validate a subaccount with a master auth token in a webhook, it always fails. – Jordan Lewallen Oct 18 '21 at 21:49
  • @JordanLewallen Yes, this is expected. webhooks are always signed with the primary auth token of the corresponding account. So if the request is made as part of a subaccount then the token of that subaccount will be used. – mmenschig Oct 18 '21 at 23:38
  • Thanks for clarifying - I figured out that I can use the AccountSid passed to the webhook to query for the subaccount `authtoken` using the Node helper library. Extra step but it works unless there's a better way! – Jordan Lewallen Oct 19 '21 at 00:49
  • @mmenschig: Is there any way to lobby to get this changed? It forces a really crappy security trade-off. I have multiple apps, each using their own API Keys (which I agree is the best way to handle auth like this), but now I'm going to validate webhooks (which is also a best practice) and in order to do that all my applications now need the main Auth Token, which can control my account? This is not a great place to put your customers. – kbyrd Aug 23 '23 at 21:26