From twilio-developer-kit
Set up and manage Twilio authentication credentials: Auth Tokens, API keys, and Access Tokens for client SDKs.
Slash command: /twilio-developer-kit:twilio-iam-auth-setup
Twilio supports multiple authentication methods. For most developers: use Auth Token for local prototyping, then move to API Keys in production.
| Method | Use for | Security |
|---|---|---|
| Account SID + Auth Token | Local prototyping, initial testing | Full account access — avoid in production |
| Account SID + API Key (Standard) + Secret | All production code | Recommended — revocable, no access to /Accounts or /Keys |
| Account SID + API Key (Restricted) + Secret | Fine-grained production access | Best — limit to specific resources only |
| Account SID + API Key (Main) + Secret | Account management automation | Full access like Auth Token, but revocable |
For beginners / vibe-coders: Start with Auth Token to get your first API call working, then create a Standard API Key before deploying anything. The key difference: if an API Key leaks, you revoke just that key. If your Auth Token leaks, your entire account is exposed until you rotate it.
Twilio account: see twilio-account-setup if you don't have one.
Find your Account SID and Auth Token in the Console dashboard.
Python
```python
import os
from twilio.rest import Client

client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
```
Node.js
```javascript
const client = require("twilio")(
  process.env.TWILIO_ACCOUNT_SID,
  process.env.TWILIO_AUTH_TOKEN
);
```
Never commit the Auth Token to version control or use it in production.
Create: Console > Account > API keys & tokens > Create API key
| Key type | Access | Use case |
|---|---|---|
| Standard | All resources except /Accounts and /Keys endpoints | Default for production apps |
| Restricted | Only the specific resources you grant | Multi-tenant apps, microservices, least-privilege |
| Main | Full account access (like Auth Token) | Account management automation (Console-only creation) |
After creation, copy the API Key SID (SK...) and Secret — the secret is shown only once.
Python
```python
client = Client(
    os.environ["TWILIO_API_KEY"],      # SK...
    os.environ["TWILIO_API_SECRET"],
    os.environ["TWILIO_ACCOUNT_SID"]   # required as third argument
)
```
Node.js
```javascript
const client = require("twilio")(
  process.env.TWILIO_API_KEY,
  process.env.TWILIO_API_SECRET,
  { accountSid: process.env.TWILIO_ACCOUNT_SID }
);
```
Restricted keys grant access only to specific Twilio API resources you define. Use them for least-privilege access in production.
Create via the v1 IAM API (not the v2010 /Keys.json endpoint — see CANNOT section):
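Python
```python
# In twilio-python the v1 IAM create call lives on new_api_key;
# api_key is the fetch/update/delete resource and has no create().
key = client.iam.v1.new_api_key.create(
    account_sid=os.environ["TWILIO_ACCOUNT_SID"],
    friendly_name="messaging-only-key",
    key_type="restricted",
    policy={
        "allow": [
            "/2010-04-01/Accounts/{AccountSid}/Messages*"
        ]
    }
)
# Store key.sid and key.secret securely — secret shown only once
```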
Example permission patterns:
| Permission | Grants access to |
|---|---|
| `/2010-04-01/Accounts/{AccountSid}/Messages*` | Send and read messages |
| `/2010-04-01/Accounts/{AccountSid}/Calls*` | Make and manage calls |
| `/v2/Services/*/Verifications*` | Verify API only |
Docs: Restricted API keys
Test credentials make API calls without charges or sending real messages. Find them at Console > Account > API keys & tokens > Test credentials.
Python
```python
client = Client(
    os.environ["TWILIO_TEST_ACCOUNT_SID"],
    os.environ["TWILIO_TEST_AUTH_TOKEN"]
)
```
Node.js
```javascript
const client = require("twilio")(
  process.env.TWILIO_TEST_ACCOUNT_SID,
  process.env.TWILIO_TEST_AUTH_TOKEN
);
```
Magic test numbers:
- +15005550006 — valid, can receive messages
- +15005550001 — invalid number (triggers error 21211)
- +15005550007 — number that cannot receive SMS (triggers error 21612)

Rotate your Auth Token if it's been exposed or as periodic security hygiene. Twilio uses a secondary token promotion model:
Python
```python
# Promote secondary Auth Token to primary via API
import os
from twilio.rest import Client

client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
# Promotion is its own resource on the Accounts v1 API;
# Account.update() does not accept a promotion argument.
promotion = client.accounts.v1.auth_token_promotion().update()
```
Important: Auth Token rotation invalidates all active sessions using that token. Plan the switchover to minimize downtime.
API Keys cannot be rotated — if an API Key is compromised, delete it and create a new one:
```python
client.keys(key_sid).delete()
```
Docs: Auth Token REST API
Access Tokens are short-lived JWTs for authenticating browser/mobile clients (Voice JS SDK, Conversations SDK, Video SDK). Generate them server-side and pass them to the client.
Python
```python
import os
from twilio.jwt.access_token import AccessToken
from twilio.jwt.access_token.grants import VoiceGrant

token = AccessToken(
    os.environ["TWILIO_ACCOUNT_SID"],
    os.environ["TWILIO_API_KEY"],
    os.environ["TWILIO_API_SECRET"],
    identity="user-123",
    ttl=3600
)
token.add_grant(VoiceGrant(outgoing_application_sid="APxxxx"))
print(token.to_jwt())
```
Node.js
```javascript
const { AccessToken } = require("twilio").jwt;
const { VoiceGrant } = AccessToken;

const token = new AccessToken(
  process.env.TWILIO_ACCOUNT_SID,
  process.env.TWILIO_API_KEY,
  process.env.TWILIO_API_SECRET,
  { identity: "user-123", ttl: 3600 }
);
token.addGrant(new VoiceGrant({ outgoingApplicationSid: "APxxxx" }));
console.log(token.toJwt());
```
Available grant types: VoiceGrant, VideoGrant, ChatGrant (Conversations), SyncGrant
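A server-side guard for the Access Tokens generated above, as an added example that is not part of the original skill or of Twilio's SDK: it verifies the HS256 signature and rejects tokens that outlive a maximum TTL or carry grants the endpoint should not issue. The function names are hypothetical, and the claim layout (`iss` holding the API Key SID, `grants.identity`, grant keys such as `voice`) is an assumption not stated on this page; the sample token is constructed with the standard library so the block runs without the `twilio` package.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, signed_part):
    return hmac.new(secret.encode(), signed_part.encode(), hashlib.sha256).digest()

def make_sample_token(secret, claims):
    """Constructed HS256 JWT standing in for the output of token.to_jwt()."""
    header = {"typ": "JWT", "alg": "HS256", "cty": "twilio-fpa;v=1"}
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(_mac(secret, body))

def check_access_token(jwt, secret, max_ttl, allowed_grants, now=None):
    """Return a list of problems; an empty list means the token passes."""
    now = int(time.time()) if now is None else now
    head, body, sig = jwt.split(".")
    if not hmac.compare_digest(_mac(secret, head + "." + body), _unb64(sig)):
        return ["signature does not match the API Key secret"]
    header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
    grants = claims.get("grants", {})
    problems = []
    if header.get("alg") != "HS256":
        problems.append("unexpected signing algorithm")
    if not str(claims.get("iss", "")).startswith("SK"):  # assumed: iss = API Key SID
        problems.append("issuer is not an API Key SID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    elif claims["exp"] - now > max_ttl:
        problems.append("lifetime exceeds max_ttl")
    if not grants.get("identity"):
        problems.append("no identity in grants")
    extra = sorted(set(grants) - {"identity"} - set(allowed_grants))
    if extra:
        problems.append("unexpected grants: " + ", ".join(extra))
    return problems
```

Run it in a unit test against the token your endpoint returns, with `max_ttl` and `allowed_grants` set to what that endpoint is meant to hand out.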
```
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Option 1: Auth Token (testing only)
TWILIO_AUTH_TOKEN=your_auth_token

# Option 2: API Key (production)
TWILIO_API_KEY=SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_API_SECRET=your_api_secret

# Test credentials
TWILIO_TEST_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_TEST_AUTH_TOKEN=your_test_auth_token
```
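A pre-deploy check for the `.env` layout above, as an added example that is not part of the original skill: it flags an Auth Token or test credentials in a production config, an API Key without its secret, and SIDs with the wrong prefix. The function names are hypothetical, the SID shape (two-letter prefix plus 32 hex characters) is an assumption based on the placeholders above, and the sample values are constructed.

```python
import re

# Assumed shape: two-letter prefix plus 32 hex characters, matching the
# AC.../SK... placeholders in the .env layout above.
SID_RE = re.compile(r"^[A-Z]{2}[0-9a-fA-F]{32}$")
SID_PREFIX = {"TWILIO_ACCOUNT_SID": "AC", "TWILIO_TEST_ACCOUNT_SID": "AC",
              "TWILIO_API_KEY": "SK"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def audit_env(text, production):
    """Return findings for the Twilio settings in a .env file."""
    env = parse_env(text)
    findings = []
    for name, prefix in SID_PREFIX.items():
        value = env.get(name)
        if value and not (value.startswith(prefix) and SID_RE.match(value)):
            findings.append(f"{name}: expected {prefix} followed by 32 hex characters")
    has_key = bool(env.get("TWILIO_API_KEY"))
    if has_key != bool(env.get("TWILIO_API_SECRET")):
        findings.append("TWILIO_API_KEY and TWILIO_API_SECRET must be set together")
    if production:
        if env.get("TWILIO_AUTH_TOKEN"):
            findings.append("TWILIO_AUTH_TOKEN is set: production should use an API Key")
        if not has_key:
            findings.append("no TWILIO_API_KEY configured for production")
        if any(k.startswith("TWILIO_TEST_") and v for k, v in env.items()):
            findings.append("test credentials present in a production config")
    return findings

# Constructed sample; none of these values are real credentials.
SAMPLE = """\
TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef
TWILIO_AUTH_TOKEN=constructed-auth-token
TWILIO_API_KEY=AC0123456789abcdef0123456789abcdef
TWILIO_TEST_AUTH_TOKEN=constructed-test-token
"""
if __name__ == "__main__":
    print("\n".join(audit_env(SAMPLE, production=True)))
```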
The v2010 /Keys.json endpoint silently ignores KeyType=restricted and Policy parameters, creating a standard key instead. Use the v1 IAM API.