# Prevent blocked numbers from calling your application

You may wish to block certain numbers from contacting or spamming your application's phone number. Creating a block list and using a Function that compares the incoming number to its contents will allow you to decide whether to [Reject](/docs/voice/twiml/reject) an incoming call, or [Redirect](/docs/voice/twiml/redirect) it to your actual application.

The following examples will show a couple of approaches to this problem. To get started, use the following directions to create two new Functions that will form the base of this application: `/filter-calls` and `/welcome`.

## Create and host a Function

In order to run any of the following examples, you will first need to create a Function into which you can paste the example code. You can create a Function using the Twilio Console or the [Serverless Toolkit](/docs/labs/serverless-toolkit) as explained below:

## Console

If you prefer a UI-driven approach, creating and deploying a Function can be done entirely using the Twilio Console and the following steps:

1. Log in to the Twilio Console and navigate to the [Functions tab](https://www.twilio.com/console/functions/overview). If you need an account, you can sign up for a free Twilio account [here](https://www.twilio.com/try-twilio)!
2. Functions are contained within **Services**. Create a **[Service](/docs/serverless/functions-assets/functions/create-service)** by clicking the **[Create Service](https://www.twilio.com/console/functions/overview/services)** button and providing a name such as *test-function*.
3. Once you've been redirected to the new Service, click the **Add +** button and select **Add Function** from the dropdown.
4. This will create a new [Protected](/docs/serverless/functions-assets/visibility) Function for you with the option to rename it. The name of the file will be path it is accessed from.
5. Copy any one of the example code snippets from this page that you want to experiment with, and paste the code into your newly created Function. You can quickly switch examples by using the dropdown menu of the code rail.
6. Click **Save** to save your Function's contents.
7. Click **Deploy All** to build and deploy the Function. After a short delay, your Function will be accessible from: `https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>`\
   For example: `test-function-3548.twil.io/hello-world`.

## Serverless Toolkit

The [Serverless Toolkit](/docs/labs/serverless-toolkit) enables you with local development, project deployment, and other functionality via the [Twilio CLI](/docs/twilio-cli/quickstart). To get up and running with these examples using Serverless Toolkit, follow this process:

1. From the CLI, run `twilio serverless:init <your-service-name> --empty` to bootstrap your local environment.
2. Navigate into your new project directory using `cd <your-service-name>`
3. In the `/functions` directory, create a new JavaScript file that is named respective to the purpose of the Function. For example, `sms-reply.protected.js` for a [Protected](/docs/serverless/functions-assets/visibility) Function intended to handle incoming SMS.
4. Populate the file using the code example of your choice and save. **Note** A Function can only export a single handler. You will want to create separate files if you want to run and/or deploy multiple examples at once.

Once your Function(s) code is written and saved, you can test it either by running it locally (and optionally tunneling requests to it via a tool like [ngrok](https://ngrok.com/)), or by deploying the Function and executing against the deployed url(s).

### Run your Function in local development

Run `twilio serverless:start` from your CLI to start the project locally. The Function(s) in your project will be accessible from `http://localhost:3000/sms-reply`

* If you want to test a Function as a [Twilio webhook](/docs/usage/webhooks/getting-started-twilio-webhooks), run: `twilio phone-numbers:update <your Twilio phone number> --sms-url "http://localhost:3000/sms-reply"`\
  This will automatically generate an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the `voice-url` flag instead if you want to test with [Twilio Voice](/docs/voice).
* If your code does *not* connect to Twilio Voice/Messages as a webhook, you can start your dev server and start an ngrok tunnel in the same command with the `ngrok` flag. For example: `twilio serverless:start --ngrok=""`

### Deploy your Function

To deploy your Function and have access to live url(s), run `twilio serverless:deploy` from your CLI. This will deploy your Function(s) to Twilio under a development environment by default, where they can be accessed from:

`https://<service-name>-<random-characters>-dev.twil.io/<function-path>`

For example: `https://incoming-sms-examples-3421-dev.twil.io/sms-reply`

Your Function is now ready to be invoked by HTTP requests, set as the [webhook](/docs/usage/webhooks/getting-started-twilio-webhooks) of a Twilio phone number, invoked by a Twilio Studio **[Run Function Widget](/docs/studio/widget-library/run-function)**, and more!

## Block calls using a hard-coded list

To introduce the logic and TwiML involved without extra complications, this example code for `/filter-calls` includes a sample block list hard-coded into its body.

The Function compares the incoming phone number, provided as `From` when this Function is connected to your Twilio phone number as a webhook, to the contents of the block list. The resulting Boolean is then used to determine whether the result should be a rejection, or a redirect to the `/welcome` Function.

The `/welcome` Function returns a welcome message to the user and primarily serves as an example of how you can still leverage Redirect verbs even within a Serverless project such as this. You're able to use the relative URL `'/welcome'` since the same [Service](/docs/serverless/functions-assets/functions/create-service) contains both Functions.

To test this out, copy and paste both samples into their respective Functions, and add your personal phone number to the block list in [E.164](/docs/glossary/what-e164) format. Save and deploy your Service, and use the following directions to set `/filter-calls` as the **A Call Comes In** webhook handler for your Twilio phone number. The application will immediately reject your calls. If you remove your number from the block list and re-deploy, you will instead get the welcome message.

```js title="Call filter logic" description="Sample code for /filter-calls"
exports.handler = (context, event, callback) => {
  // Prepare a new Voice TwiML object that will control Twilio's response
  // to the incoming call
  const twiml = new Twilio.twiml.VoiceResponse();
  // The incoming phone number is provided by Twilio as the `From` property
  const incomingNumber = event.From;

  // This is an example of a blocklist hard-coded into the Function
  const blockList = ['+14075550100', '+18025550100'];

  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);

  if (isBlocked) {
    twiml.reject();
  } else {
    // If the number is not blocked, redirect call to the webhook that
    // handles allowed callers
    twiml.redirect('/welcome');
  }

  return callback(null, twiml);
};
```

```js title="Welcome message" description="Sample code for /welcome"
exports.handler = (context, event, callback) => {
  const twiml = new Twilio.twiml.VoiceResponse();
  twiml.say("Hello, congratulations! You aren't blocked!");
  return callback(null, twiml);
};
```

## Set a Function as a webhook

In order for your Function to react to incoming SMS and/or voice calls, it must be set as a [webhook](/docs/usage/webhooks) for your Twilio number. There are a variety of methods to set a Function as a webhook, as detailed below:

![Setting a Function as a Messaging webhook using the webhook dropdown option.](https://docs-resources.prod.twilio.com/bf4eae4ac40fe7d47003a93bca295d5c232e0b372358e73ceff931fee3ccdc4f.png)

## Store the block list as a private Asset

To keep your block list separate from and independent of your Function's code, one recommendation is to store the list as JSON in a [private](/docs/serverless/functions-assets/visibility) [Asset](/docs/serverless/functions-assets/assets). Your Function will read and parse the contents of this file using methods provided by the [Runtime Client](/docs/serverless/functions-assets/client), and achieve the same functionality with more separation of concerns.

First, create a new private Asset named `blocklist.json`, populate it with the sample contents (and your personal number like before, to verify the blocking works), and save the Asset. Ensure that this Asset is private in order to protect its contents and to enable helper methods such as [Runtime.getAssets](/docs/serverless/functions-assets/client#getassets), which can only retrieve private Assets.

Next, update the existing `/filter-calls` Function with the highlighted changes. This new code replaces the hard-coded block list array with a synchronous read of `blocklist.json`, and a quick `JSON.parse` to convert the file contents to a usable array.

Save your changes to the Function, and deploy your updated Service. Subsequent calls to your Twilio phone number will behave exactly as before!

```json title="Block list private Asset" description="Save as blocklist.json"
["+14075550100", "+18025550100"]
```

```js title="Block incoming calls using a private Asset" description="Updates to /filter-calls"
// !mark(10,11,8,9)
exports.handler = (context, event, callback) => {
  // Prepare a new Voice TwiML object that will control Twilio's response
  // to the incoming call
  const twiml = new Twilio.twiml.VoiceResponse();
  // The incoming phone number is provided by Twilio as the `From` property
  const incomingNumber = event.From;

  // Open the contents of the private Asset containing the blocklist
  const blockListJson = Runtime.getAssets()['/blocklist.json'].open();
  // Parse the string, such as "["+14075550100", "+18025550100"]", to an array
  const blockList = JSON.parse(blockListJson);

  const isBlocked = blockList.length > 0 && blockList.includes(incomingNumber);

  if (isBlocked) {
    twiml.reject();
  } else {
    // If the number is not blocked, redirect call to the webhook that
    // handles allowed callers
    twiml.redirect('/welcome');
  }

  return callback(null, twiml);
};
```

> \[!WARNING]
>
> Ensure that you write the Asset name as `'/blocklist.json'` and not `'blocklist.json'`; the leading slash is necessary, as described in the [Runtime.getAssets documentation](/docs/serverless/functions-assets/client#getassets).