Skip to contentSkip to navigationSkip to topbar
Twilio Docs
Page tools
On this page
Looking for more inspiration?Visit the

Securing your Backend Service

What is a Callback?

what-is-a-callback page anchor

A callback is a function that will be executed only after the current function has finished executing. You subscribe to a callback by configuring a URL which will process an incoming request and respond back in a certain format.

Validating Callbacks from Twilio Frontline

validating-callbacks-from-twilio-frontline page anchor

Your backend service should verify that Twilio is the service that sent a callback before responding to that request. This is important for securing sensitive data, and to protect your application and servers from abuse.

Twilio will sign all inbound requests to your application with an X-Twilio-Signature HTTP header. Twilio uses the parameters sent in the webhook (either GET or POST) and the exact URL your application supplied to Twilio to create this signature. The signature uses the HMAC-SHA1 hashing algorithm with your Twilio account's auth token as the secret key.

Your Frontline Integration Service can verify that this signature is correct using the Twilio server-side SDKs (see examples below). You will need your account's auth token, the value of the X-Twilio-Signature HTTP header Twilio passed to you, the URL Twilio sent the webhook to and all of the parameters sent by Twilio.

Validate Signature of RequestLink to code sample: Validate Signature of Request
1
// Get twilio-node from twilio.com/docs/libraries/node

2
const client = require('twilio');

3


4
// Your Auth Token from twilio.com/console

5
const authToken = process.env.TWILIO_AUTH_TOKEN;

6


7
// Store Twilio's request URL (the url of your webhook) as a variable

8
const url = 'https://mycompany.com/myapp';

9


10
// Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable

11
// In practice, this MUST include all received parameters, not a

12
// hardcoded list of parameters that you receive today. New parameters

13
// may be added without notice.

14
const params = {

15
  CallSid: 'CA1234567890ABCDE',

16
  Caller: '+12349013030',

17
  Digits: '1234',

18
  From: '+12349013030',

19
  To: '+18005551212',

20
};

21


22
// Store the X-Twilio-Signature header attached to the request as a variable

23
const twilioSignature = 'Np1nax6uFoY6qpfT5l9jWwJeit0=';

24


25
// Check if the incoming signature is valid for your application URL and the incoming parameters

26
console.log(client.validateRequest(authToken, twilioSignature, url, params));

Tutorials for Validating Incoming Twilio Requests

tutorials-for-validating-incoming-twilio-requests page anchor

You can follow one of our handy tutorials for your chosen language and web application framework. Use something we don't have on this list? Let us know, and we'll try and point you in the right direction.