HTTP Authentication for Twilio – Access Password Protected URLs

If you’ve tried to host your TwiML files at a secure URL, you already know that in the past Twilio only supported GET and POST to publicly accessible URLs.  But no longer!

New Feature: HTTP Auth with Twilio

Now Twilio supports HTTP Basic and Digest Authentication.  This allows you to password protect your TwiML URLs on your web server,
so that only you and Twilio can access them. You may provide a username
and password via the following URL format.

https://username:password@www.myserver.com/my_secure_document

Twilio will authenticate to your web server using the provided username
and password and will remain logged in for the duration of the call. It
is highly recommended that you use HTTP Authentication in conjunction
with SSL. For more information on Basic and Digest Authentication, refer to your web server documentation.

Using SSL with Twilio

If your application exposes sensitive data, or is possibly mutative to your data, then you may want to be sure that the requests that hit your web application are indeed coming from Twilio, and not a malicious third party. To allow you this level of security, Twilio cryptographically signs its requests. Here’s how it works:

  1. Turn on SSL on your server and configure your Twilio account to use HTTPS urls.
  2. Twilio assembles its request to your application, including the final URL and any POST fields (if the request is a POST).
  3. If your request is a POST, Twilio takes all the POST fields, sorts
    them by alphabetically by their name, and concatenates the parameter
    name and value to the end of the URL (with no delimiter).
  4. Twilio takes the full URL, with query string and all post
    parameters, and signs them using HMAC-SHA1 and your AuthToken as the
    key.
  5. Twilio sends this signature in an HTTP header called X-Twilio-Signature

Then, on your end, if you want to verify the authenticity of the
request, you can re-assemble the data string by going through the exact
same process. If our two hashes match, then the request was authentic.
You can then be sure that all the data used to construct the hash,
including the full URL, query string and POST parameters were all sent
to you by Twilio. Here’s how you would perform the validation on your
end:

  1. Take the full URL of the request, from the protocol (http…) through the end of the query string (everything after the ?)
  2. If the request is a POST, take all of the POST parameters and sort them alphabetically.
  3. Iterate through that sorted list of POST parameters, and append the
    variable name and value (with no delimiters) to the end of the URL
    string
  4. Sign the resulting value with HMAC-SHA1 using your AuthToken as the key (remember, your AuthToken’s case matters!).
  5. Base64 encode the hash
  6. Compare your hash to ours, submitted in the X-Twilio-Signature header. If they match, then you’re good to go.

Notes about SSL:

  • Twilio cannot currently handle self signed certificates.
  • Remember to keep your Twilio Auth Token secure.  It not only enables access to the REST API, but also to request signatures.

Please visit our documentation for SSL examples and more information on TwiML security.

Photo credit: AMagill