Twilio has built-in authentication mechanisms to ensure that only the traffic you want reaches your SIP Domain. When a connection is not authenticated, it will be blocked and your TwiML will not be requested.
Twilio offers two authentication methods: IP Access Control Lists and Credential Lists. You must have at least one setup for your domain and can use one or more of each authentication type for any domain.
IP Access Control Lists are sets of IPs that are allowed to reach your SIP Domain. If you or anyone sends traffic from any IP not on the list, Twilio will block that SIP traffic. You may add up to 25 IP addresses for each IP Access Control List. You must specify a full IP address; no IP wildcarding is supported. IP Access Control Lists can be applied to one or more SIP Domains
Credential Lists are sets of usernames and passwords that are allowed to reach your SIP Domain. If enabled for your SIP domain, incoming SIP requests will be challenged, and you will need to authenticate with a username and password in your Credential List.
You may add up to 1000 usernames per Credential List. For each username, you must set a password that meets the following minimum requirements:
Twilio does not store the passwords you provide for usernames as cleartext; they are MD5 hashed in accordance with the digest authentication specification. Once a password is set, Twilio does not return the password back so make sure that your passwords are stored appropriately in your system.
Credential Lists can be applied to one or more SIP Domains