# Webhooks security Ensuring secure communication between your application and Twilio is essential. There are several layers of security and validation that you can build into your web application for handling Twilio webhooks. Let's review each layer. ## HTTPS/TLS The first step to secure your web application is to ensure that you're using HTTPS for your web application's endpoint. Twilio won't connect to an HTTPS URL with a self-signed certificate. Use a certificate from a provider such as [Let's Encrypt](https://letsencrypt.org/). Twilio can use the HTTP protocol for callbacks. For example, when you work in a development environment without SSL certificates. On your Twilio project's [Settings page in the Console](/console/project/settings), the SSL Certificate Validation setting enforces validation on webhooks. > \[!WARNING] > > Do not pin Twilio certificates. Twilio rotates certificates without notice. See the list of [supported TLS ciphers for callbacks](https://help.twilio.com/hc/en-us/articles/360002288554-TwiML-Request-and-Status-Callback-URL-supported-ciphers). ## Validating signatures from Twilio Your web application should verify that Twilio is the service that sent a webhook before responding to that request. This is important for securing sensitive data, and to protect your application and servers from abuse. Twilio will sign all inbound requests to your application with an `X-Twilio-Signature` HTTP header. Twilio uses the parameters sent in the webhook (either `GET` or `POST`) and the exact URL your application supplied to Twilio to create this signature. The signature uses the HMAC-SHA1 hashing algorithm with your Twilio account's auth token as the secret key. Your application can verify that this signature is correct using the server-side Twilio SDKs (see examples below). You need your account's auth token, the value of the `X-Twilio-Signature` header that Twilio passed to you, the URL Twilio used for the webhook, and all parameters sent by Twilio. > \[!CAUTION] > > The parameters included in webhook events vary by channel and event type and are subject to change in the future. Twilio will occasionally add new parameters without advance notice. When integrating with webhooks, your implementation must be able to accept and correctly run signature validation on an evolving set of parameters. We strongly recommend using the provided signature validation library from a Twilio SDK and not implementing your own signature validation. > \[!NOTE] > > When validating the signature on a WebSocket request, note that the header parameter name will be all lowercase: `x-twilio-signature`. Validate Signature of Request (x-www-form-urlencoded body) ```js // Get twilio-node from twilio.com/docs/libraries/node const client = require('twilio'); // Your Auth Token from twilio.com/console const authToken = process.env.TWILIO_AUTH_TOKEN; // Store Twilio's request URL (the url of your webhook) as a variable const url = 'https://mycompany.com/myapp'; // Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. const params = { CallSid: 'CA1234567890ABCDE', Caller: '+12349013030', Digits: '1234', From: '+12349013030', To: '+18005551212', }; // Store the X-Twilio-Signature header attached to the request as a variable const twilioSignature = 'Np1nax6uFoY6qpfT5l9jWwJeit0='; // Check if the incoming signature is valid for your application URL and the incoming parameters console.log(client.validateRequest(authToken, twilioSignature, url, params)); ``` ```py import os # Download the twilio-python library from twilio.com/docs/python/install from twilio.request_validator import RequestValidator # Your Auth Token from twilio.com/user/account auth_token = os.environ['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = RequestValidator(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable url = 'https://example.com/myapp' # Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. params = { 'CallSid': 'CA1234567890ABCDE', 'Caller': '+12349013030', 'Digits': '1234', 'From': '+12349013030', 'To': '+18005551212' } # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'Np1nax6uFoY6qpfT5l9jWwJeit0=' # Check if the incoming signature is valid for your application URL and the incoming parameters print(validator.validate(url, params, twilio_signature)) ``` ```cs // Download the twilio-csharp library from // https://www.twilio.com/docs/libraries/csharp#installation using System; using System.Collections.Generic; using Twilio.Security; class Example { static void Main(string[] args) { // Your Auth Token from twilio.com/console const string authToken = Environment.GetEnvironmentVariable("TWILIO_AUTH_TOKEN"); // Initialize the request validator var validator = new RequestValidator(authToken); // Store Twilio's request URL (the url of your webhook) as a variable const string url = "https://example.com/myapp"; // Store the application/x-www-form-urlencoded params from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. var parameters = new Dictionary { {"CallSid", "CA1234567890ABCDE"}, {"Caller", "+12349013030"}, {"Digits", "1234"}, {"From", "+12349013030"}, {"To", "+18005551212"} }; // Store the X-Twilio-Signature header attached to the request as a variable const string twilioSignature = "Np1nax6uFoY6qpfT5l9jWwJeit0="; // Check if the incoming signature is valid for your application URL and the incoming parameters Console.WriteLine(validator.Validate(url, parameters, twilioSignature)); } } ``` ```java // Install the Java helper library from twilio.com/docs/java/install import java.util.HashMap; import java.util.Map; import com.twilio.security.RequestValidator; public class Example { // Your Auth Token from twilio.com/user/account public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN"); public static void main(String[] args) throws java.net.URISyntaxException { // Initialize the request validator RequestValidator validator = new RequestValidator(AUTH_TOKEN); // Store Twilio's request URL (the url of your webhook) as a variable String url = "https://example.com/myapp"; // Store the application/x-www-form-urlencoded parameters from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. Map params = new HashMap<>(); params.put("CallSid", "CA1234567890ABCDE"); params.put("Caller", "+12349013030"); params.put("Digits", "1234"); params.put("From", "+12349013030"); params.put("To", "+18005551212"); // Store the X-Twilio-Signature header attached to the request as a variable String twilioSignature = "Np1nax6uFoY6qpfT5l9jWwJeit0="; // Check if the incoming signature is valid for your application URL and the incoming parameters System.out.println(validator.validate(url, params, twilioSignature)); } } ``` ```go package main import ( "fmt" "os" "github.com/twilio/twilio-go/client" ) func main() { // Your Auth Token from twilio.com/console authToken := os.Getenv("TWILIO_AUTH_TOKEN") // Initialize the request validator requestValidator := client.NewRequestValidator(authToken) // Store Twilio's request URL (the url of your webhook) as a variable url := "https://example.com/myapp" // Store the application/x-www-form-urlencoded params from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. params := map[string]string{ "CallSid": "CA1234567890ABCDE", "Caller": "+12349013030", "Digits": "1234", "From": "+12349013030", "To": "+18005551212", } // Store the X-Twilio-Signature header attached to the request as a variable signature := "Np1nax6uFoY6qpfT5l9jWwJeit0=" // Check if the incoming signature is valid for your application URL and the incoming parameters fmt.Println(requestValidator.Validate(url, params, signature)) } ``` ```php 'CA1234567890ABCDE', 'Caller' => '+12349013030', 'Digits' => '1234', 'From' => '+12349013030', 'To' => '+18005551212' ); // Check if the incoming signature is valid for your application URL and the incoming parameters if ($validator->validate($signature, $url, $postVars)) { echo "Confirmed to have come from Twilio."; } else { echo "NOT VALID. It might have been spoofed!"; } ``` ```rb # Get twilio-ruby from twilio.com/docs/ruby/install require 'rubygems' # This line not needed for ruby > 1.8 require 'twilio-ruby' # Get your Auth Token from https://www.twilio.com/console auth_token = ENV['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = Twilio::Security::RequestValidator.new(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable url = 'https://example.com/myapp' # Store the application/x-www-form-urlencoded params from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. params = { 'CallSid' => 'CA1234567890ABCDE', 'Caller' => '+12349013030', 'Digits' => '1234', 'From' => '+12349013030', 'To' => '+18005551212' } # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'Np1nax6uFoY6qpfT5l9jWwJeit0=' # Check if the incoming signature is valid for your application URL and the incoming parameters puts validator.validate(url, params, twilio_signature) ``` Validate Signature of Request (application/json body) ```js // Get twilio-node from twilio.com/docs/libraries/node const client = require('twilio'); // Your Auth Token from twilio.com/console const authToken = process.env.TWILIO_AUTH_TOKEN; // Store Twilio's request URL (the url of your webhook) as a variable // including all query parameters const url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9'; // Store the application/json body from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. const body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}"; // Store the X-Twilio-Signature header attached to the request as a variable const twilioSignature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs='; // Check if the incoming signature is valid for your application URL and the incoming body console.log(client.validateRequestWithBody(authToken, twilioSignature, url, body)); ``` ```py import os # Download the twilio-python library from twilio.com/docs/python/install from twilio.request_validator import RequestValidator # Your Auth Token from twilio.com/user/account auth_token = os.environ['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = RequestValidator(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable # including all query parameters url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9' # Store the application/json body from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. body = """{"CallSid":"CA1234567890ABCDE","Caller":"+12349013030"}""" # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs=' # Check if the incoming signature is valid for your application URL and the incoming body print(validator.validate(url, body, twilio_signature)) ``` ```cs // Download the twilio-csharp library from // https://www.twilio.com/docs/libraries/csharp#installation using System; using System.Collections.Generic; using Twilio.Security; class Example { static void Main(string[] args) { // Your Auth Token from twilio.com/console const string authToken = Environment.GetEnvironmentVariable("TWILIO_AUTH_TOKEN"); // Initialize the request validator var validator = new RequestValidator(authToken); // Store Twilio's request URL (the url of your webhook) as a variable // including all query parameters const string url = "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9"; // Store the application/json body from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. const string body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}"; // Store the X-Twilio-Signature header attached to the request as a variable const string twilioSignature = "hqeF3G9Hrnv6/R0jOhoYDD2PPUs="; // Check if the incoming signature is valid for your application URL and the incoming body Console.WriteLine(validator.Validate(url, body, twilioSignature)); } } ``` ```java // Install the Java helper library from twilio.com/docs/java/install import com.twilio.security.RequestValidator; public class Example { // Your Auth Token from twilio.com/user/account public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN"); public static void main(String[] args) throws java.net.URISyntaxException { // Initialize the request validator RequestValidator validator = new RequestValidator(AUTH_TOKEN); // Store Twilio's request URL (the url of your webhook) as a variable // including all query parameters String url = "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9"; // Store the application/json body from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. String body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}"; // Store the X-Twilio-Signature header attached to the request as a variable String twilioSignature = "hqeF3G9Hrnv6/R0jOhoYDD2PPUs="; // Check if the incoming signature is valid for your application URL and the incoming body System.out.println(validator.validate(url, body, twilioSignature)); } } ``` ```go package main import ( "fmt" "os" "github.com/twilio/twilio-go/client" ) func main() { // Your Auth Token from twilio.com/console authToken := os.Getenv("TWILIO_AUTH_TOKEN") // Initialize the request validator requestValidator := client.NewRequestValidator(authToken) // Store Twilio's request URL (the url of your webhook) as a variable // including all query parameters url := "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9" // Store the application/json body from Twilio's request as a variable // In practice, this MUST include all received parameters, not a // hardcoded list of parameters that you receive today. New parameters // may be added without notice. body := []byte("{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}") // Store the X-Twilio-Signature header attached to the request as a variable signature := "hqeF3G9Hrnv6/R0jOhoYDD2PPUs=" // Check if the incoming signature is valid for your application URL and the incoming parameters fmt.Println(requestValidator.ValidateBody(url, body, signature)) } ``` ```php validate($signature, $url, $body)) { echo "Confirmed to have come from Twilio."; } else { echo "NOT VALID. It might have been spoofed!"; } ``` ```rb # Get twilio-ruby from twilio.com/docs/ruby/install require 'rubygems' # This line not needed for ruby > 1.8 require 'twilio-ruby' # Get your Auth Token from https://www.twilio.com/console auth_token = ENV['TWILIO_AUTH_TOKEN'] # Initialize the request validator validator = Twilio::Security::RequestValidator.new(auth_token) # Store Twilio's request URL (the url of your webhook) as a variable url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9' # Store the application/json body from Twilio's request as a variable # In practice, this MUST include all received parameters, not a # hardcoded list of parameters that you receive today. New parameters # may be added without notice. body = '{"CallSid":"CA1234567890ABCDE","Caller":"+12349013030"}' # Store the X-Twilio-Signature header attached to the request as a variable twilio_signature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs=' # Check if the incoming signature is valid for your application URL and the incoming body puts validator.validate(url, body, twilio_signature) ``` For more information, including code samples and a description of how Twilio signs requests to your application, see [Validate Twilio requests](/docs/usage/security#validating-requests). The exact algorithm that Twilio uses to calculate the signature header (including whether or not the port number is used) is described in detail. ## Understand parameters in signature validation Twilio webhooks deliver data to your application in different ways, depending on the request's content type. To validate webhook signatures correctly, you need to know where each type of parameter originates. ### Query parameters Query parameters appear in the webhook URL after the `?` character. For example, `https://example.com/webhook?foo=1&bar=2` contains two query parameters—`foo` and `bar`. Because query parameters are already part of the full URL string, they are included when you pass the URL to your validation function. Don't extract query parameters and pass them separately to the function's `params` argument. #### URL encoding in query parameters Always use the exact URL Twilio used to make the request, including any URL-encoded characters. If you decode or re-encode the URL, signature validation fails. Query parameters must remain URL-encoded: ```text https://example.com/webhook?message=hello%20world&type=test%2Bvalue ``` In this example, `%20` (space) and `%2B` (plus sign) must stay encoded in the URL string that you pass to the validation function. ### Form parameters Form parameters are sent in the `POST` request body with the content type `application/x-www-form-urlencoded`. These parameters include webhook-specific fields such as `CallSid`, `From`, `To`, and `Body`. You must extract form parameters from the request body and pass them directly to the validation function as key-value pairs. Twilio sorts these parameters alphabetically and appends them to the URL when calculating the signature. ### JSON request bodies Twilio can also send JSON payloads with the content type `application/json`. For these requests, Twilio appends a `bodySHA256` query parameter to your webhook URL. The parameter value is a SHA-256 hash of the raw JSON request body. When validating JSON webhooks: * Don't extract individual JSON properties or treat them as form parameters. * Use your SDK's JSON-specific validation method (for example, `validateRequestWithBody`) and pass the raw request body string. The SDK performs two checks: 1. It verifies that the SHA-256 hash of the raw body matches the `bodySHA256` query parameter. 2. It validates the request signature by including the `bodySHA256` value during the calculation. ## Tutorials for validating incoming Twilio requests After you decide to add Twilio request validation to your application, follow one of our tutorials for your preferred language and framework. If you use a framework that isn't listed, let us know, and we'll point you to the appropriate resources. * [Node.js / Express](/docs/usage/tutorials/how-to-secure-your-express-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET Core](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-core-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-app-by-validating-incoming-twilio-requests) * [C# / ASP.NET WEB API](/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-web-api-app-by-validating-incoming-twilio-requests) * [Java / Servlets](/docs/usage/tutorials/how-to-secure-your-servlet-app-by-validating-incoming-twilio-requests) * [Python / Django](/docs/usage/tutorials/how-to-secure-your-django-project-by-validating-incoming-twilio-requests) * [Python / Flask](/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests) * [Python / Amazon Web Services Lambda](/docs/usage/security#validating-requests) * [PHP / Lumen](/docs/usage/tutorials/how-to-secure-your-lumen-app-by-validating-incoming-twilio-requests) * [Ruby / Sinatra](https://www.twilio.com/blog/secure-your-sinatra-app-validating-incoming-twilio-requests) * [Go / Gin](/docs/usage/tutorials/how-to-secure-your-gin-project-by-validating-incoming-twilio-requests) ## Webhooks and IP addresses Twilio uses a cloud architecture to provide services, and as such, doesn't have a fixed range of IP addresses that issue webhooks. When designing your network architecture, you may want to have one set of servers and a load balancer in a DMZ that receive webhook requests from Twilio. You can then proxy those requests to your private network. For more about Twilio and IP addresses, see the support article [All About Twilio IP Addresses](https://help.twilio.com/hc/en-us/articles/115015934048-All-About-Twilio-IP-Addresses). ## HTTP authentication Twilio supports HTTP Basic and Digest Authentication. This allows you to password-protect the TwiML URLs on your web server so that only you and Twilio can access them. You may provide a username and password via the following URL format. ```bash https://username:password@www.myserver.com/my_secure_document ``` To learn more about how Twilio uses HTTP authentication for webhook requests, see the [Security](/docs/usage/security#http-authentication) guide.